# ION Group: Account Takeover
## Package
## Affected versions
## Patched versions
## Description
### Summary
The default configuration of the authentication component of the Wallstreet WebSuite application does not
validate the SAML response from the identity provider (e.g. Microsoft login). This can be leveraged to
take over the accounts of other users by modifying the email address and username assertion fields, and
in turn to take over application components such as the Cash Manager Module (CMM) and Security
Center (the administration component).
### Severity
Critical – An authenticated user with valid credentials can access any existing user account, such as a
super administrator account, without knowing the target user's valid credentials. An attacker would
then be able to access all information and initiate actions while impersonating the account.
### Proof of Concept
The following steps can be followed to replicate the vulnerability:
1. Access the application using the URL below and note the "RelayState" parameter in the response:
https://:/websuite/saml
2. The application redirects to the Identity Provider (IdP) login portal, e.g. Microsoft. On successful
login, a SAML response is generated.
3. Retrieve the "SAMLResponse" value either by inspecting the traffic with the browser Dev Tools or using an
interception proxy such as Burp Suite.
4. The SAML response is base64 encoded and can easily be decoded to view the plain text contents.
Replace the username and email address in the decoded SAML response with those of another user,
such as an administrative user.
5. Base64 encode the tampered SAML response and issue a request to the /saml/response endpoint of
the application using the "RelayState" parameter obtained in step 1.
6. The application authorizes the user based on the SAML token and issues a session token.
#### Security Center compromise
The aforementioned steps can also be followed to gain super administrator access to Security Center.
1. Access the Security Center directly using its URL or the tile on the WebSuite home page.
2. Authentication redirects to the identity provider (IdP) after the RelayState parameter is issued.
3. Log in at the IdP's portal, e.g. Microsoft login in this case. The SAML response is returned to the Web
Suite authentication endpoint.
4. The SAML response is tampered with to change the username and email address to those of the administrator
account. This can be done manually or using a Burp Suite extension such as SAML Raider. The
modified SAML response is forwarded to the application, which redirects to the Security Center
page.
### Further Analysis
Google / Mandiant recommends properly validating the signature and certificate, along with the assertion data,
originating from the IdP.
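As an added illustration of that recommendation (example code written for this page, not code from the WebSuite product or from the advisory), the service-provider side should refuse to map username or email fields to an account unless the assertion carrying them is signed by the pinned IdP certificate. The sketch below performs the structural pre-checks (assertion present, signature element on the assertion, embedded certificate matches a pinned fingerprint); it assumes a constructed placeholder for the IdP certificate, and it deliberately does not replace the cryptographic XML-DSig verification, which is the step that actually detects a modified NameID and must be done by an XML-DSig library on the same assertion.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Constructed placeholder: in production this is the DER of the IdP signing
# certificate taken from IdP metadata, never from the incoming response.
PINNED_IDP_CERT_DER = b"CONSTRUCTED-IDP-SIGNING-CERT-DER"
PINNED_FINGERPRINT = hashlib.sha256(PINNED_IDP_CERT_DER).hexdigest()

def extract_identity(saml_response_b64: str) -> str:
    """Return the NameID only after structural pre-checks pass.

    Rejects unsigned assertions and certificates other than the pinned IdP
    certificate. Cryptographic XML-DSig verification of the same assertion
    must still be done by an XML-DSig library before account mapping.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions not handled)")
    # The username/email fields live in the Assertion, so the signature must cover it.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("unsigned assertion: identity fields cannot be trusted")
    cert_b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    cert_der = base64.b64decode("".join(cert_b64.split()))
    if hashlib.sha256(cert_der).hexdigest() != PINNED_FINGERPRINT:
        raise ValueError("signing certificate is not the pinned IdP certificate")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    return name_id

def sample_response(name_id: str, cert_der: "bytes | None") -> str:
    """Constructed fixture: minimal response, not cryptographically valid."""
    sig = "" if cert_der is None else (
        f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f'{base64.b64encode(cert_der).decode()}</ds:X509Certificate></ds:X509Data>'
        '</ds:KeyInfo></ds:Signature>')
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion>{sig}<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
           '</saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

A response whose signed assertion had its NameID edited passes these pre-checks and is only caught by the digest and signature check, which is why the pre-checks are a gate in front of XML-DSig verification, not a substitute for it.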
### Timeline
**Date reported**: 07/23/2024
**Date fixed**:
**Date disclosed**: 10/22/2024