In this post we present the new version of the Burp Suite extension EsPReSSO - Extension for Processing and Recognition of Single Sign-On Protocols. A DTD attacker was implemented on SAML services that was based on the DTD Cheat Sheet by the Chair for Network and Data Security (https://web-in-security.blogspot.de/2016/03/xxe-cheat-sheet.html). In addition, many fixes were added and a new SAML editor was merged. You can find the newest version release here: https://github.com/RUB-NDS/BurpSSOExtension/releases/tag/v3.1
New SAML editor
Before the new release, EsPReSSO had a simple SAML editor where the decoded SAML messages could be modified by the user. We extended the SAML editor so that the user has the possibility to define the encoding of the SAML message and to select their HTTP binding (HTTP-GET or HTTP-POST). |
| Redesigned SAML Encoder/Decoder |
Enhancement of the SAML attacker
XML Signature Wrapping and XML Signature Faking attacks have already been part of the previous EsPReSSO version. Now the user can also perform DTD attacks! The user can select from 18 different attack vectors and manually refine them all before applying the change to the original message. Additional attack vectors can also be added by extending the XML config file of the DTD attacker.The DTD attacker can also be started in a fully automated mode. This functionality is integrated in the BurpSuite Intruder.
 |
| DTD Attacker for SAML messages |
Supporting further attacks
We implemented a CertificateViewer which extracts and decodes the certificates contained within the SAML tokens. In addition, a user interface for executing SignatureExclusion attack on SAML has been implemented.Additional functions will follow in later versions.
Currently we are working on XML Encryption attacks.This is a combined work from Nurullah Erinola, Nils Engelbertz, David Herring, Juraj Somorovsky, and Vladislav Mladenov.
The research was supported by the European Commission through the FutureTrust project (grant 700542-Future-Trust-H2020-DS-2015-1).
- Tools 4 Hack
- Hacking Tools 2020
- Physical Pentest Tools
- Hack Tools 2019
- Hacking App
- Hacker Tools Free Download
- Pentest Tools For Android
- Pentest Tools
- Hacking Tools For Windows Free Download
- New Hack Tools
- Game Hacking
- Black Hat Hacker Tools
- Hacking Tools Free Download
- Pentest Tools Website Vulnerability
- Hacker Tools Online
- Kik Hack Tools
- Hacker Tools Linux
- Hacking Tools For Mac
- Hacker
- Wifi Hacker Tools For Windows
- Hacker Tools Online
- Hak5 Tools
- Pentest Tools Online
- Best Hacking Tools 2020
- Game Hacking
- Hack Apps
- Hacker Tools Apk Download
- Hack Tools For Pc
- Hack Apps
- Pentest Tools Kali Linux
- Hacks And Tools
- Hack Tools 2019
- Nsa Hack Tools Download
- Hack Tools Mac
- Nsa Hack Tools Download
- Hack App
- What Are Hacking Tools
- Hack Tool Apk
- Termux Hacking Tools 2019
- Hacking Tools Mac
- Hacker Tool Kit
- Underground Hacker Sites
- Hack App
- Hack Tools Download
- Hacking Tools Software
- Hacker Tools 2020
- New Hack Tools
- Pentest Reporting Tools
- Hak5 Tools
- Pentest Tools Website Vulnerability
- Pentest Tools Free
- Hack Tools Download
- Pentest Tools For Android
- Hack Tool Apk
- Hacker Tools Hardware
- Black Hat Hacker Tools
- Wifi Hacker Tools For Windows
- Hack Tool Apk No Root
- Pentest Tools Alternative
- Pentest Tools Find Subdomains
- Hacking Tools For Windows 7
- Blackhat Hacker Tools
- Hacking Tools For Pc
- Pentest Tools Open Source
- Pentest Tools Subdomain
- Free Pentest Tools For Windows
- Hacker Tools 2020
- Ethical Hacker Tools
- Hack Website Online Tool
- Hacker Tools For Mac
- Hacking Tools Github
- Hacker Tools Hardware
- Hack Tools For Windows
- Hack App
- Hacking Tools For Windows Free Download
- Hacking Tools For Beginners
- Hack Tool Apk
- Hacking Tools Hardware
- Tools For Hacker
- Pentest Tools Port Scanner
- Ethical Hacker Tools
- Hack Tools For Pc
- Top Pentest Tools
- Hack Tool Apk No Root
- Hacking Tools And Software
- Pentest Tools For Windows
- Pentest Tools Alternative
- Hacker Tools Apk Download
- Game Hacking
- Best Pentesting Tools 2018
- Termux Hacking Tools 2019
- Tools For Hacker
- Hack Tool Apk
- Pentest Tools Find Subdomains
- Pentest Tools Find Subdomains
- Pentest Box Tools Download
- Pentest Tools Nmap
- Hacker Hardware Tools
- Hacking Tools Mac
- Hack Tools
- Easy Hack Tools
- Hacking Tools 2019
- Easy Hack Tools
- Hack Tools For Mac
- Hack Tools Online
- Pentest Tools Alternative
- Pentest Tools Download
- Pentest Tools Framework
- Best Hacking Tools 2020
- Hacking Apps
- Hacker Tools
- Hack Tools For Windows
- Hacking Tools For Windows Free Download
- Hack Tools
- Pentest Tools Website Vulnerability
- Hack Tools Download
- Hacker Techniques Tools And Incident Handling
- Install Pentest Tools Ubuntu
- Pentest Tools Open Source
- Hacker Tools Linux
- Hacker
- Nsa Hacker Tools
- Pentest Tools Windows
- Hack Website Online Tool
- Pentest Tools Download
- Hacker Tools Apk Download
- Hacker Tools Github
- Hacker Tools Free Download
- Pentest Tools Open Source
- Hack Tools For Mac
- Pentest Tools Bluekeep
- Pentest Tools Find Subdomains
- Ethical Hacker Tools
- Hack Tools Mac
- Pentest Tools Subdomain
- Hackers Toolbox
- Install Pentest Tools Ubuntu
- Hacker
- Hack Tools Github
- Pentest Tools Alternative
- Free Pentest Tools For Windows
- Hacking Tools For Windows 7
- Hacker Tools Free Download
- Free Pentest Tools For Windows
- Tools For Hacker
- Bluetooth Hacking Tools Kali
- Tools For Hacker
- Install Pentest Tools Ubuntu
- Hacker Tools Apk
- Pentest Tools Nmap
- Kik Hack Tools
- Hacker Search Tools
- Hacking Tools Online
- How To Hack
- Pentest Tools Website
- Pentest Tools Free
- Hacking Tools Download
- Hacks And Tools
- Hacking Apps
- Pentest Automation Tools
- Hacking Tools Online
- Pentest Tools Linux
- Hacker Tools Software
No comments:
Post a Comment