In this post we present the new version of the Burp Suite extension EsPReSSO - Extension for Processing and Recognition of Single Sign-On Protocols. A DTD attacker was implemented on SAML services that was based on the DTD Cheat Sheet by the Chair for Network and Data Security (https://web-in-security.blogspot.de/2016/03/xxe-cheat-sheet.html). In addition, many fixes were added and a new SAML editor was merged. You can find the newest version release here: https://github.com/RUB-NDS/BurpSSOExtension/releases/tag/v3.1
New SAML editor
Before the new release, EsPReSSO had a simple SAML editor where the decoded SAML messages could be modified by the user. We extended the SAML editor so that the user has the possibility to define the encoding of the SAML message and to select their HTTP binding (HTTP-GET or HTTP-POST). |
| Redesigned SAML Encoder/Decoder |
Enhancement of the SAML attacker
XML Signature Wrapping and XML Signature Faking attacks have already been part of the previous EsPReSSO version. Now the user can also perform DTD attacks! The user can select from 18 different attack vectors and manually refine them all before applying the change to the original message. Additional attack vectors can also be added by extending the XML config file of the DTD attacker.The DTD attacker can also be started in a fully automated mode. This functionality is integrated in the BurpSuite Intruder.
 |
| DTD Attacker for SAML messages |
Supporting further attacks
We implemented a CertificateViewer which extracts and decodes the certificates contained within the SAML tokens. In addition, a user interface for executing SignatureExclusion attack on SAML has been implemented.Additional functions will follow in later versions.
Currently we are working on XML Encryption attacks.This is a combined work from Nurullah Erinola, Nils Engelbertz, David Herring, Juraj Somorovsky, and Vladislav Mladenov.
The research was supported by the European Commission through the FutureTrust project (grant 700542-Future-Trust-H2020-DS-2015-1).
- Hacker Tools For Windows
- Hacker Tools Mac
- Install Pentest Tools Ubuntu
- Pentest Tools Subdomain
- Hacks And Tools
- Hacker Tools Apk Download
- Hacking Tools Pc
- Pentest Tools Online
- Pentest Tools
- Hackers Toolbox
- New Hack Tools
- Hacker Tools For Mac
- How To Install Pentest Tools In Ubuntu
- Hack Tool Apk
- Top Pentest Tools
- Tools 4 Hack
- Tools Used For Hacking
- Wifi Hacker Tools For Windows
- Pentest Reporting Tools
- Best Hacking Tools 2019
- Pentest Tools For Windows
- Hacker Tools Linux
- Hacker Tools For Mac
- Pentest Tools Free
- Hacking Tools And Software
- Underground Hacker Sites
- Nsa Hack Tools
- Android Hack Tools Github
- Hack Tool Apk
- Hak5 Tools
- Nsa Hacker Tools
- Wifi Hacker Tools For Windows
- Hack Tools
- What Are Hacking Tools
- Top Pentest Tools
- Pentest Tools For Android
- Pentest Box Tools Download
- Best Hacking Tools 2019
- Underground Hacker Sites
- Hacker Hardware Tools
- Tools For Hacker
- Hacker Tools For Mac
- Hacks And Tools
- Hacks And Tools
- Hack Tools For Ubuntu
- New Hack Tools
- How To Make Hacking Tools
- Best Pentesting Tools 2018
- Hack Tool Apk No Root
- Hacking Tools 2019
- Pentest Tools Port Scanner
- Pentest Tools Free
- Hacker Tools Free Download
- Hack Tools Online
- Pentest Tools Free
- Pentest Tools Alternative
- Tools Used For Hacking
- Pentest Box Tools Download
- Hackers Toolbox
- Hacking Tools Usb
- Pentest Tools Android
- Pentest Tools For Ubuntu
- Hacker Hardware Tools
- Hacking Tools Github
- Hack Tools
- Hack App
- Pentest Tools Url Fuzzer
- Top Pentest Tools
- Kik Hack Tools
- Hacking Tools For Kali Linux
- Hacking Tools 2019
- Hacking Tools Mac
- Hacking Tools Usb
- Pentest Tools Website Vulnerability
- Kik Hack Tools
- Hacking Tools Free Download
- Hacking Tools Github
- Pentest Tools Port Scanner
- Game Hacking
- Pentest Tools Website
- Pentest Tools List
- Blackhat Hacker Tools
- Pentest Tools Review
No comments:
Post a Comment