Breaking Into Your Network? Zer0 Effort. - DEF CON 33 Overview
Uncovering critical flaws in ZTNA solutions, allowing attackers to escalate privileges on end user devices and to completely bypass authentication, …
Read ArticleZScaler’s SAML 2.0 Service Provider (SP) implementation does not verify that incoming SAML responses are signed with the configured Identity Provider’s (IdP) public key.
An attacker can generate arbitrary SAML Assertions naming themselves as any user. The server responds with an access token which can be used to register an arbitrary device in Zscaler, under the targeted account.
Confirmed on 6.2r.2505_prod.68.438498_114 (2025-07-16)
The SP POST binding endpoint /sfc_sso accepts a <Response> and associated <Assertion> that are signed with any certificate, regardless of the IdP certificate configured in the admin UI.
When POSTing a forged SAMLResponse to the /sfc_sso endpoint, the server does not properly validate the SAML assertion signature and a JWT token is returned - allowing an attacker to use the returned token to register an unauthorised device.
No privileged access or prior compromise of the IdP is required.
An attacker who knows the target user’s email can:
https://login.zscaler.net/clstart, passing a chosen PKCE code_challenge and challenge_method (e.g. S256).SAMLRequest and RelayState from the response.<NameID> and in <AttributeStatement>.<Response> and submit it via HTTP POST to https://login.zscaler.net/sfc_sso in the SAMLResponse parameter, and the RelayState from the original /clstart response.The SP issues a valid JWT, which can in turn be used to register a new device in the victim’s tenant, by providing the chosen code_verifier and generated JWT.
In the following example, the attacker provides the target domain and specifies the target user’s email address in the user parameter. When the script is run, it creates the required PKCE verifier, fetches the AuthN request, generates an arbitrary certificate and signs a forged assertion with the certificate. The forged assertion is then POSTed to the SP and a JWT is returned.

Looking at the request in burp, we can see the SAMLResponse parameter being sent to the server, containing the self signed, forged assertion.

The following video demonstrates exploitation of this issue. First, we forge a SAML assertion for a user and send it to the server, which responds with a JWT. We then use this JWT to register a fake machine in Zscaler, with a controlled hardware ID and MAC address to demonstrate JWT validity.
Uncovering critical flaws in ZTNA solutions, allowing attackers to escalate privileges on end user devices and to completely bypass authentication, …
Read ArticleThought CVE-2024-5921 was fixed? Nacho problem! NachoVPN brings downgrade attacks to GlobalProtect.
Read Article