hunt-saml

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill instructs taking raw SAMLResponse assertions (base64 blobs) and echoing/embedding them in CLI commands and requests (e.g., echo "BASE64_SAML" | base64 -d, re-encode and POST), which requires including sensitive token/assertion values verbatim in output and is an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This document is an explicit offensive guide detailing SAML/SSO exploitation techniques—XML Signature Wrapping, signature stripping, XXE, and NameID manipulation—that enable account takeover, token/credential forgery, and sensitive data exfiltration.