In this post we present the new version of the Burp Suite extension EsPReSSO - Extension for Processing and Recognition of Single Sign-On Protocols. A DTD attacker for SAML services was implemented, based on the DTD Cheat Sheet by the Chair for Network and Data Security (https://web-in-security.blogspot.de/2016/03/xxe-cheat-sheet.html). In addition, many fixes were added and a new SAML editor was merged. You can find the newest release here: https://github.com/RUB-NDS/BurpSSOExtension/releases/tag/v3.1
New SAML editor
Before the new release, EsPReSSO had a simple SAML editor in which the user could modify decoded SAML messages. We extended the SAML editor so that the user can define the encoding of the SAML message and select its HTTP binding (HTTP-GET or HTTP-POST).
[Figure: Redesigned SAML Encoder/Decoder]
Enhancement of the SAML attacker
XML Signature Wrapping and XML Signature Faking attacks were already part of the previous EsPReSSO version. Now the user can also perform DTD attacks! The user can select from 18 different attack vectors and manually refine each of them before applying the change to the original message. Additional attack vectors can be added by extending the XML config file of the DTD attacker. The DTD attacker can also be started in a fully automated mode. This functionality is integrated into the Burp Suite Intruder.
[Figure: DTD Attacker for SAML messages]
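The two bindings the editor handles encode a message differently, and a service that wants to refuse DTDs has to decode the message before it can look for one. The sketch below is an added example, not code from EsPReSSO: it decodes a SAMLRequest/SAMLResponse value from either binding and reports whether the XML declares a DOCTYPE. The function names and the sample messages are assumptions constructed for illustration.

```python
import base64
import re
import zlib
from urllib.parse import quote, unquote

# Constructed sample messages (not taken from the post or from EsPReSSO).
CLEAN = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed1"/>'
WITH_DTD = '<?xml version="1.0"?>\n<!DOCTYPE Response [<!ENTITY e "constructed">]>\n' + CLEAN

DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def encode_post(xml):
    """HTTP-POST binding: the form field carries plain base64."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_redirect(xml):
    """HTTP-Redirect (GET) binding: raw DEFLATE, base64, then URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: no zlib header
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_saml(value, max_size=1 << 20):
    """Return (binding, xml) for a SAMLRequest/SAMLResponse parameter value."""
    data = base64.b64decode(unquote(value), validate=True)
    if data.startswith(b"<"):  # heuristic: already XML, so not deflated
        return "HTTP-POST", data.decode("utf-8")
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(data, max_size)  # cap output against deflate bombs
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("truncated or oversized deflate stream")
    return "HTTP-Redirect", xml.decode("utf-8")


def screen(value):
    """Decode the value and report whether the XML declares a DTD."""
    binding, xml = decode_saml(value)
    return {"binding": binding, "has_dtd": bool(DOCTYPE.search(xml))}


if __name__ == "__main__":
    for sample in (encode_post(CLEAN), encode_redirect(WITH_DTD)):
        print(screen(sample))
```

A SAML message has no legitimate need for a DOCTYPE, so a service can reject any message for which `has_dtd` is true and, independently, configure its XML parser to disallow DTDs.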
Supporting further attacks
We implemented a CertificateViewer which extracts and decodes the certificates contained within the SAML tokens. In addition, a user interface for executing SignatureExclusion attacks on SAML has been implemented. Additional functions will follow in later versions.
Currently we are working on XML Encryption attacks.
This is joint work by Nurullah Erinola, Nils Engelbertz, David Herring, Juraj Somorovsky, and Vladislav Mladenov.
The research was supported by the European Commission through the FutureTrust project (grant 700542-Future-Trust-H2020-DS-2015-1).