Support For XXE Attacks In SAML In Our Burp Suite Extension


In this post we present the new version of the Burp Suite extension EsPReSSO (Extension for Processing and Recognition of Single Sign-On Protocols). A DTD attacker for SAML services was implemented, based on the DTD Cheat Sheet by the Chair for Network and Data Security (https://web-in-security.blogspot.de/2016/03/xxe-cheat-sheet.html). In addition, many fixes were added and a new SAML editor was merged. You can find the newest release here: https://github.com/RUB-NDS/BurpSSOExtension/releases/tag/v3.1

New SAML editor

Before the new release, EsPReSSO had a simple SAML editor in which the decoded SAML messages could be modified by the user. We extended the SAML editor so that the user can define the encoding of the SAML message and select its HTTP binding (HTTP-GET or HTTP-POST).

Redesigned SAML Encoder/Decoder

Enhancement of the SAML attacker

XML Signature Wrapping and XML Signature Faking attacks were already part of the previous EsPReSSO version. Now the user can also perform DTD attacks! The user can select from 18 different attack vectors and manually refine each of them before applying the change to the original message. Additional attack vectors can be added by extending the XML config file of the DTD attacker.
The DTD attacker can also be started in a fully automated mode; this functionality is integrated into Burp Suite Intruder.
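The defender-side counterpart to the DTD attacker above, as an added example that is not EsPReSSO's code: decode a SAML message from either binding the new editor handles (HTTP-POST base64; HTTP-Redirect/GET raw DEFLATE, base64, URL-encoding, both assumed to be the standard parameter encodings) and reject any message carrying a DOCTYPE before it reaches the service's real SAML parser.

```python
# Added example, not EsPReSSO code. Assumes the standard parameter encodings:
# base64 for HTTP-POST; URL-encoded base64 of raw DEFLATE for HTTP-Redirect (GET).
import base64
import urllib.parse
import xml.parsers.expat
import zlib

class DTDForbidden(ValueError):
    """A DOCTYPE was found; SAML messages never need one."""

def decode_saml(param_value: str, binding: str) -> bytes:
    """Undo the transport encoding of the chosen binding."""
    if binding == "POST":
        return base64.b64decode(param_value)
    if binding == "GET":
        raw = base64.b64decode(urllib.parse.unquote(param_value))
        return zlib.decompress(raw, -15)  # -15 = raw DEFLATE, no zlib header
    raise ValueError(f"unknown binding {binding!r}")

def encode_saml(xml_bytes: bytes, binding: str) -> str:
    """Inverse of decode_saml; used only to build the constructed inputs below."""
    if binding == "POST":
        return base64.b64encode(xml_bytes).decode()
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_bytes) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")

def root_element_without_dtd(xml_bytes: bytes) -> str:
    """Parse with expat; abort on the first DOCTYPE, else return the root name."""
    root = []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE for {name!r} rejected")
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype  # fires before any entity is processed
    parser.StartElementHandler = lambda name, attrs: root or root.append(name)
    parser.Parse(xml_bytes, True)
    return root[0]

def accept_saml(param_value: str, binding: str) -> bool:
    """True only if the message decodes, is well-formed XML and has no DTD."""
    try:
        root_element_without_dtd(decode_saml(param_value, binding))
        return True
    except (DTDForbidden, xml.parsers.expat.ExpatError, zlib.error, ValueError):
        return False

# Constructed samples (not real IdP output): a minimal Response, then the same one with a DOCTYPE.
GOOD = b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1"/>'
WITH_DTD = b'<!DOCTYPE samlp:Response [ <!ENTITY e "x"> ]>' + GOOD
```

Rejecting at the DOCTYPE event means the parser never reaches an entity declaration, so the check holds for every vector in the cheat sheet rather than for a blocklist of known payloads; the same setting (disallow DOCTYPE) belongs in the service's own XML parser configuration, not only in a front-end filter.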

DTD Attacker for SAML messages

Supporting further attacks

We implemented a CertificateViewer, which extracts and decodes the certificates contained in SAML tokens. In addition, a user interface for executing the SignatureExclusion attack on SAML has been implemented.

Additional functions will follow in later versions.

Currently we are working on XML Encryption attacks.

This is a combined work from Nurullah Erinola, Nils Engelbertz, David Herring, Juraj Somorovsky, and Vladislav Mladenov.

The research was supported by the European Commission through the FutureTrust project (grant 700542-Future-Trust-H2020-DS-2015-1).
