In this post we present the new version of the Burp Suite extension EsPReSSO - Extension for Processing and Recognition of Single Sign-On Protocols. A DTD attacker for SAML services was implemented, based on the DTD Cheat Sheet by the Chair for Network and Data Security (https://web-in-security.blogspot.de/2016/03/xxe-cheat-sheet.html). In addition, many fixes were added and a new SAML editor was merged. You can find the newest release here: https://github.com/RUB-NDS/BurpSSOExtension/releases/tag/v3.1
New SAML editor
Before the new release, EsPReSSO had a simple SAML editor where the decoded SAML messages could be modified by the user. We extended the SAML editor so that the user has the possibility to define the encoding of the SAML message and to select the HTTP binding (HTTP-GET or HTTP-POST).
Figure: Redesigned SAML Encoder/Decoder
Enhancement of the SAML attacker
XML Signature Wrapping and XML Signature Faking attacks have already been part of the previous EsPReSSO version. Now the user can also perform DTD attacks! The user can select from 18 different attack vectors and manually refine them all before applying the change to the original message. Additional attack vectors can also be added by extending the XML config file of the DTD attacker.
The DTD attacker can also be started in a fully automated mode. This functionality is integrated in the BurpSuite Intruder.
Figure: DTD Attacker for SAML messages
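The two bindings the new editor lets you choose between, and the DTD check a SAML endpoint should apply before parsing, as an added example (not code from EsPReSSO or its authors): HTTP-POST carries the message as plain base64, HTTP-GET (the Redirect binding) as raw DEFLATE, base64 and URL-encoding; the function and sample names and the minimal sample response are constructed for this illustration.

```python
import base64
import re
import urllib.parse
import zlib

# Constructed minimal SAML Response used as sample input (not a real IdP message).
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0"><samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)

# Matches a DOCTYPE or ENTITY declaration anywhere in the document.
_DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def encode_saml(xml: str, binding: str) -> str:
    """Encode a SAML message for the HTTP-POST or HTTP-GET (Redirect) binding."""
    raw = xml.encode("utf-8")
    if binding == "HTTP-POST":
        # POST binding: plain base64 in the SAMLResponse/SAMLRequest form field.
        return base64.b64encode(raw).decode("ascii")
    if binding == "HTTP-GET":
        # Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        deflated = comp.compress(raw) + comp.flush()
        return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")
    raise ValueError(f"unknown binding: {binding}")

def decode_saml(encoded: str, binding: str) -> str:
    """Reverse encode_saml for the given binding."""
    if binding == "HTTP-POST":
        return base64.b64decode(encoded).decode("utf-8")
    if binding == "HTTP-GET":
        deflated = base64.b64decode(urllib.parse.unquote(encoded))
        return zlib.decompress(deflated, -15).decode("utf-8")
    raise ValueError(f"unknown binding: {binding}")

def contains_dtd(xml: str) -> bool:
    """True if the message carries a DTD; a SAML endpoint has no reason to accept one."""
    return _DTD_RE.search(xml) is not None

def check_message(encoded: str, binding: str) -> str:
    """Decode a received message and refuse it before XML parsing if it carries a DTD."""
    xml = decode_saml(encoded, binding)
    if contains_dtd(xml):
        raise ValueError("SAML message contains a DTD; rejecting")
    return xml
```

The string check runs before any XML parser touches the message, so entity expansion never happens on a rejected message; configuring the parser itself to disable DTDs remains the primary control.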
Supporting further attacks
We implemented a CertificateViewer which extracts and decodes the certificates contained within the SAML tokens. In addition, a user interface for executing a SignatureExclusion attack on SAML has been implemented. Additional functions will follow in later versions.
Currently we are working on XML Encryption attacks.
This is a combined work from Nurullah Erinola, Nils Engelbertz, David Herring, Juraj Somorovsky, and Vladislav Mladenov.
The research was supported by the European Commission through the FutureTrust project (grant 700542-Future-Trust-H2020-DS-2015-1).