A critical Slack SAML authentication bypass vulnerability caused by a failure to validate the Audience restriction element in SAML assertions, allowing attackers to present assertions issued for other service providers (e.g., expired GitHub assertions) to gain unauthorized access to Slack accounts. The flaw is an instance of the "confused deputy problem" and was reported and patched in 2017.
A security researcher discovered an SSRF vulnerability in Yahoo! Guesthouse by finding a SAML endpoint through recon, then exploiting the BouncerSAMLRemoteSessionHost cookie, which accepted arbitrary hostname values and caused the backend to make requests to attacker-controlled servers.
Parevo Core is a modular Go library that consolidates authentication, multi-tenancy, and permission management (RBAC/ABAC) across common web frameworks and databases. It provides auth primitives (JWT, OAuth2, SAML, LDAP, WebAuthn), tenant isolation with SQL filters, and pluggable storage adapters for MySQL, Postgres, MongoDB, and Redis.