ET WEB_SPECIFIC_APPS Ruby-SAML Authentication Bypass by Assertion Smuggling (CVE-2024-45409)
Sourceet/open
Fileemerging-web_specific_apps.rules
CreatedOctober 14, 2024
UpdatedOctober 14, 2024
Classificationweb-application-attack
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ruby-SAML Authentication Bypass by Assertion Smuggling (CVE-2024-45409)"; flow:established,to_server ; http.method; content:"POST"; http.uri; content:"/users/auth/saml/callback"; endswith; http.request_body; url_decode; content:"RelayState|3d|"; content:"SAMLResponse|3d|"; fast_pattern; base64_decode:offset 0,relative ; base64_data; content:"<samlp:Extensions>" ; content:"DigestValue|20|"; distance:0; content:"</samlp:Extensions>" ; distance:0; reference:url,blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass/ ; reference:cve,2024-45409 ; classtype:web-application-attack; sid:2056646; rev:1; metadata:created_at 2024_10_14, cve CVE_2024_45409, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_10_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
References
Metadata
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!