Arp Spoofing in Adonisjs with Saml

Arp spoofing is a network-level attack where an attacker sends falsified Address Resolution Protocol messages to associate their MAC address with the IP address of a legitimate host, typically the default gateway. In an AdonisJS application that relies on SAML for authentication, this attack is most relevant when SAML requests or responses transit the local network or when the server participates in network routing. AdonisJS itself does not introduce an SAML-specific ARP spoofing flaw, but the framework’s use of SAML can expose authentication flows to risk if the surrounding infrastructure is compromised.

Consider a deployment where AdonisJS acts as a SAML service provider (SP) and communicates with an identity provider (IdP). If an attacker performs ARP spoofing on the host or adjacent network segment, they can intercept or modify unencrypted HTTP traffic between the SP and the IdP. While SAML assertions are typically signed and encrypted, an attacker on the local network might still disrupt or observe metadata, session initiation sequences, or downgrade attempts if transport security is misconfigured. For example, an attacker could redirect traffic to a malicious listener on the same subnet, attempting to intercept the SAML request binding or the relay state parameter if it is not protected by strict transport and binding requirements.

In AdonisJS, SAML integrations often rely on libraries such as @node-saml/passport-saml or similar packages. If the application does not enforce strict HTTPS for all endpoints and does not require signed SAML requests or responses, an attacker who successfully ARP-spoofs the network might be able to inject or modify non-SAML HTTP parameters, such as RelayState, before the SAML protocol binding validates and secures the message. RelayState tampering can lead to open redirects or phishing flows that appear to originate from a trusted IdP. Moreover, if the host runs multiple services or is misconfigured as a router, ARP spoofing can enable man-in-the-middle positions that expose session cookies or other application-layer tokens used alongside SAML sessions.

Additionally, in environments where AdonisJS applications share a local network with other services (e.g., LDAP, databases, or internal APIs), ARP spoofing can expose metadata about SAML discovery documents (IdP metadata XML) or endpoint URLs. While SAML metadata is not secret, its leakage can aid reconnaissance for targeted federation attacks. The framework’s configuration for entity IDs, assertion consumer service (ACS) URLs, and certificate handling must therefore assume that the network layer may be hostile and that ARP spoofing could facilitate information gathering for further exploitation.

To summarize, ARP spoofing does not directly exploit a flaw in AdonisJS or SAML libraries, but it can undermine the network assumptions on which secure SAML exchanges depend. The combination is risky when transport security, binding requirements, and network segmentation are not rigorously enforced, allowing attackers to position themselves between the SP and IdP or to tamper with non-SAML aspects of the authentication flow.

Remediation centers on enforcing strict transport security, validating bindings, and hardening SAML configuration in AdonisJS. Below are concrete code examples using a common SAML library for Node.js, adapted for AdonisJS controllers and providers.

Enforce HTTPS and secure bindings

Ensure all SAML endpoints are accessed over HTTPS and that the SP enforces signed requests and responses. Configure the SAML strategy to require signed assertions and to reject unsigned or poorly signed messages.

// config/saml.js
module.exports = {
  entryPoint: 'https://idp.example.com/sso/saml',
  issuer: 'https://sp.example.com',
  cert: `-----BEGIN CERTIFICATE-----
MIIC...
-----END CERTIFICATE-----`,
  privateKey: `-----BEGIN RSA PRIVATE KEY-----
MIIEpAIB...
-----END RSA PRIVATE KEY-----`,
  callbackUrl: 'https://sp.example.com/saml/acs',
  identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  signatureAlgorithm: 'sha256',
  digestAlgorithm: 'sha256',
  // Require signed SAML messages
  wantMessagesSigned: true,
  wantAssertionsSigned: true,
  // Reject unsigned assertions
  rejectUnencryptedAssertion: true,
};

AdonisJS SAML controller handling RelayState and validation

Validate RelayState to prevent open redirects and ensure it is either pre-registered or cryptographically protected. Use strict URL allowlists and bind the SAML protocol to HTTPS.

// start/handlers/saml-handler.js
'use strict';
const { validate } = use('Validator');
const allowedRelayStates = new Set([
  '/dashboard',
  '/settings',
  '/profile',
]);

class SamlController {
  async acos({ request, auth, response }) {
    const samlResponse = request.post('SAMLResponse');
    const relayState = request.post('RelayState') || '/dashboard';

    // Strict allowlist validation for RelayState
    if (!allowedRelayStates.has(relayState)) {
      return response.badRequest({ error: 'Invalid relay state' });
    }

    // Perform SAML validation via the configured strategy
    const user = await auth.attempt('saml', {
      samlResponse,
      relayState,
    });

    // Establish session securely with HTTPS-only cookies
    await auth.login(user, {
      remember: false,
    });
    response.cookie('auth_session', auth.getAuthToken(), {
      secure: true,
      httpOnly: true,
      sameSite: 'strict',
    });
    return response.redirect(relayState);
  }
}
module.exports = SamlController;

Metadata and certificate management

Host IdP metadata securely, pin certificates, and avoid dynamic discovery over insecure channels. In AdonisJS, load IdP metadata from a trusted, static file and validate entity IDs.

// start/services/saml-metadata.js
const fs = require('fs');
const path = require('path');

class SamlMetadataService {
  static getMetadata() {
    const filePath = path.resolve(__base, 'resources/views/saml/idp-metadata.xml');
    if (!fs.existsSync(filePath)) {
      throw new Error('IdP metadata file not found');
    }
    const xml = fs.readFileSync(filePath, 'utf-8');
    // Basic structural validation
    if (!xml.includes('EntityDescriptor') || !xml.includes('IDPSSODescriptor')) {
      throw new Error('Invalid IdP metadata');
    }
    return xml;
  }

  static getEntityId() {
    return 'https://idp.example.com';
  }
}
module.exports = SamlMetadataService;

Logging, auditing, and network hardening

Log SAML authentication attempts (without sensitive data) and monitor for anomalies that may indicate ARP spoofing or session tampering. Combine this with network-level protections such as static ARP entries where feasible and isolation of SAML traffic on dedicated VLANs.

// start/Listeners/saml-audit.js
'use strict';
class SamlAuditListener {
  handle(event) {
    const { type, userId, ip, success } = event;
    if (type === 'saml_auth') {
      // Use a proper logger in production
      console.info(`[SAML] ${success ? 'Success' : 'Failure'} auth for user ${userId} from ${ip}`);
    }
  }
}
module.exports = SamlAuditListener;

By combining strict HTTPS, signed SAML bindings, RelayState allowlisting, and robust metadata handling, AdonisJS applications can effectively mitigate risks amplified by ARP spoofing on the network.