In this post we present the new version of the Burp Suite extension EsPReSSO - Extension for Processing and Recognition of Single Sign-On Protocols. We implemented a DTD attacker for SAML services, based on the DTD Cheat Sheet by the Chair for Network and Data Security (https://web-in-security.blogspot.de/2016/03/xxe-cheat-sheet.html). In addition, many fixes were added and a new SAML editor was merged. You can find the newest release here: https://github.com/RUB-NDS/BurpSSOExtension/releases/tag/v3.1
New SAML editor
Before the new release, EsPReSSO had a simple SAML editor where the decoded SAML messages could be modified by the user. We extended the SAML editor so that the user can define the encoding of the SAML message and select its HTTP binding (HTTP-GET or HTTP-POST).
[Figure: Redesigned SAML Encoder/Decoder]
Enhancement of the SAML attacker
XML Signature Wrapping and XML Signature Faking attacks were already part of the previous EsPReSSO version. Now the user can also perform DTD attacks! The user can select from 18 different attack vectors and manually refine them all before applying the change to the original message. Additional attack vectors can also be added by extending the XML config file of the DTD attacker.
The DTD attacker can also be started in a fully automated mode. This functionality is integrated in the Burp Suite Intruder.
[Figure: DTD Attacker for SAML messages]
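On the receiving side, the two bindings and the DTD vectors meet in one place: the service must undo the binding's encoding and should refuse any message that carries a DOCTYPE before a full XML parser sees it. The following is an added example, not code from EsPReSSO or from the original post; the function names, the size cap and the sample messages are constructed assumptions.

```python
import base64
import zlib
from urllib.parse import quote, unquote
from xml.parsers import expat

MAX_XML = 1 << 20  # assumed 1 MiB cap on the inflated message

# Constructed sample messages (not taken from a real deployment).
SAMPLE_OK = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
             b' ID="_constructed" Version="2.0"/>')
SAMPLE_DTD = b'<!DOCTYPE r [<!ENTITY e "constructed">]>' + SAMPLE_OK

class DTDForbidden(ValueError):
    """The SAML message carries a DOCTYPE declaration."""

def encode_saml(xml: bytes, binding: str) -> str:
    if binding == "HTTP-POST":   # base64(XML)
        return base64.b64encode(xml).decode("ascii")
    if binding == "HTTP-GET":    # urlencode(base64(raw DEFLATE(XML)))
        c = zlib.compressobj(wbits=-15)
        raw = c.compress(xml) + c.flush()
        return quote(base64.b64encode(raw).decode("ascii"), safe="")
    raise ValueError(f"unknown binding: {binding}")

def decode_saml(value: str, binding: str) -> bytes:
    if binding == "HTTP-POST":
        return base64.b64decode(value, validate=True)
    if binding == "HTTP-GET":
        raw = base64.b64decode(unquote(value), validate=True)
        d = zlib.decompressobj(wbits=-15)  # raw DEFLATE, no zlib header
        xml = d.decompress(raw, MAX_XML)
        if d.unconsumed_tail:              # output still pending: over the cap
            raise ValueError("inflated SAML message exceeds MAX_XML")
        return xml
    raise ValueError(f"unknown binding: {binding}")

def reject_dtd(xml: bytes) -> bytes:
    """Stop at the first DOCTYPE; expat handles the document encoding itself."""
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} in SAML message")
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml, True)
    return xml

def accept_saml(value: str, binding: str) -> bytes:
    return reject_dtd(decode_saml(value, binding))
```

Using a parser callback instead of a byte search for `<!DOCTYPE` means a UTF-16 encoded message is rejected as well.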
Supporting further attacks
We implemented a CertificateViewer which extracts and decodes the certificates contained within the SAML tokens. In addition, a user interface for executing a SignatureExclusion attack on SAML has been implemented.
Additional functions will follow in later versions.
Currently we are working on XML Encryption attacks.
This is a combined work from Nurullah Erinola, Nils Engelbertz, David Herring, Juraj Somorovsky, and Vladislav Mladenov.
The research was supported by the European Commission through the FutureTrust project (grant 700542-Future-Trust-H2020-DS-2015-1).