In this post we present the new version of the Burp Suite extension EsPReSSO - Extension for Processing and Recognition of Single Sign-On Protocols. A DTD attacker was implemented on SAML services that was based on the DTD Cheat Sheet by the Chair for Network and Data Security (https://web-in-security.blogspot.de/2016/03/xxe-cheat-sheet.html). In addition, many fixes were added and a new SAML editor was merged. You can find the newest version release here: https://github.com/RUB-NDS/BurpSSOExtension/releases/tag/v3.1
New SAML editor
Before the new release, EsPReSSO had a simple SAML editor where the decoded SAML messages could be modified by the user. We extended the SAML editor so that the user has the possibility to define the encoding of the SAML message and to select their HTTP binding (HTTP-GET or HTTP-POST). |
| Redesigned SAML Encoder/Decoder |
Enhancement of the SAML attacker
XML Signature Wrapping and XML Signature Faking attacks have already been part of the previous EsPReSSO version. Now the user can also perform DTD attacks! The user can select from 18 different attack vectors and manually refine them all before applying the change to the original message. Additional attack vectors can also be added by extending the XML config file of the DTD attacker.The DTD attacker can also be started in a fully automated mode. This functionality is integrated in the BurpSuite Intruder.
 |
| DTD Attacker for SAML messages |
Supporting further attacks
We implemented a CertificateViewer which extracts and decodes the certificates contained within the SAML tokens. In addition, a user interface for executing SignatureExclusion attack on SAML has been implemented.Additional functions will follow in later versions.
Currently we are working on XML Encryption attacks.This is a combined work from Nurullah Erinola, Nils Engelbertz, David Herring, Juraj Somorovsky, and Vladislav Mladenov.
The research was supported by the European Commission through the FutureTrust project (grant 700542-Future-Trust-H2020-DS-2015-1).
More information
- Nsa Hack Tools Download
- Pentest Tools For Ubuntu
- Hack Tools 2019
- Pentest Tools Free
- Hacker Tools 2019
- Hacker Tools For Mac
- Best Hacking Tools 2020
- Hacker Tools For Windows
- How To Make Hacking Tools
- Pentest Recon Tools
- Hack Apps
- Hacker Tools Apk
- Hacking Tools Windows 10
- Pentest Tools Download
- How To Install Pentest Tools In Ubuntu
- Install Pentest Tools Ubuntu
- Pentest Tools Find Subdomains
- Hack Tools
- Hack Tool Apk
- Hacker Tools Apk
- Hack Tools For Games
- Hacker Tools Hardware
- Pentest Tools
- Hack And Tools
- Hacker Tools Linux
- Nsa Hacker Tools
- Pentest Automation Tools
- Hacking Tools 2020
- Pentest Tools Alternative
- Tools 4 Hack
- Hack Tools For Mac
- Pentest Tools Apk
- Hacker Tool Kit
- Hack Tools
- Hacking Tools Software
- Best Hacking Tools 2020
- Pentest Tools Alternative
- Hack Tools Pc
- Nsa Hack Tools
- Hacker Tools
- Pentest Tools Find Subdomains
- Hackers Toolbox
- Pentest Tools Download
- Hacker Security Tools
- Pentest Tools Kali Linux
- Pentest Tools Subdomain
- Hack Tools Mac
- Ethical Hacker Tools
- Hacker Tools Github
- Hack Tools For Ubuntu
- Github Hacking Tools
- Ethical Hacker Tools
- Best Hacking Tools 2019
- Nsa Hack Tools Download
- Nsa Hacker Tools
- Hacker Tools Apk
- Free Pentest Tools For Windows
- Hacking Tools For Pc
- Hacking Tools Pc
- Pentest Tools Subdomain
- Hacking Tools For Kali Linux
- Best Pentesting Tools 2018
- Hacks And Tools
- Hack Tools Pc
- Android Hack Tools Github
- Pentest Tools Windows
- Hack Tools Github
- Hacker
- Pentest Tools Github
- Hack Tools Pc
- Hack Tools 2019
- Easy Hack Tools
- Hacker Search Tools
- Pentest Tools Url Fuzzer
- Pentest Tools Apk
- Pentest Tools Download
- Hacker Tools Windows
- Hacking Tools Free Download
- Pentest Tools Download
- Hacking Tools For Beginners
- Hack Tools For Pc
- Hacking Tools For Beginners
- Hacking Tools 2020
- Nsa Hack Tools Download
- Hacker Tools Apk Download
- Pentest Tools For Windows
- Hacker Tools Mac
- Hacker Tool Kit
- Hack Tools Github
- Hack Tools Online
- Pentest Tools Find Subdomains
- Hacker Tools Github
- Hacking Tools Hardware
- Hacker Tools Apk Download
- How To Hack
- Pentest Tools For Ubuntu
- Hacker Hardware Tools
- Blackhat Hacker Tools
- Hacker Tools Apk Download
- Beginner Hacker Tools
- Hak5 Tools
- Pentest Tools For Windows
- Hacker Tools Software
- Nsa Hacker Tools
- How To Hack
- Hacker Tools For Pc
- Hacker Techniques Tools And Incident Handling
- Hack Tools Online
- Hack Tools Online
- Hack Tools For Pc
- Hacking Tools Mac
- Pentest Box Tools Download
- How To Make Hacking Tools
- What Are Hacking Tools
- Hacker Techniques Tools And Incident Handling
- Hack Tool Apk No Root
- Wifi Hacker Tools For Windows
- Hackrf Tools
- Pentest Tools
- Hacker Tools 2019
- Hacking Tools Download
- Hacking Tools For Pc
- Hack Website Online Tool
- Install Pentest Tools Ubuntu
- Hacker Tools Free Download
- Hacker Tools Free Download
- Hacking Tools 2019
- Pentest Tools For Windows
- Pentest Tools For Ubuntu
- What Are Hacking Tools
- Pentest Tools Alternative
- Growth Hacker Tools
- Nsa Hack Tools
- Hack Tools Online
- Hacking App
- Hacking Tools For Pc
- Hacking Tools For Games
- Nsa Hacker Tools
- Hacker Tools Free Download
- Pentest Tools Kali Linux
- Hack And Tools
- Ethical Hacker Tools
- Pentest Tools Bluekeep
- Hacker Tools Hardware
- Hacker Tools Software
- Hacker Tools Github
- Pentest Tools Subdomain
- Pentest Tools For Windows
- Physical Pentest Tools
- Top Pentest Tools
- Hacking Tools 2019
- Pentest Tools Find Subdomains
- Pentest Tools Free
- Nsa Hack Tools
- Pentest Tools Review
- Hacking Tools And Software
- Hacker Tools Linux
- Physical Pentest Tools
- New Hacker Tools
- New Hacker Tools
- Pentest Tools For Windows
- Pentest Tools For Windows
- Hacker Hardware Tools
- Pentest Tools Subdomain
- Pentest Tools Port Scanner
- Hacker Security Tools
- Nsa Hacker Tools
- Hacking Tools Usb
- New Hack Tools
- Pentest Tools Open Source
- Hacking Tools For Pc
- Nsa Hacker Tools
- Pentest Tools Nmap
- Ethical Hacker Tools
- Game Hacking
- Tools For Hacker
- Hacking Tools Kit
No comments:
Post a Comment