In this post we present the new version of the Burp Suite extension EsPReSSO - Extension for Processing and Recognition of Single Sign-On Protocols. A DTD attacker was implemented on SAML services that was based on the DTD Cheat Sheet by the Chair for Network and Data Security (https://web-in-security.blogspot.de/2016/03/xxe-cheat-sheet.html). In addition, many fixes were added and a new SAML editor was merged. You can find the newest version release here: https://github.com/RUB-NDS/BurpSSOExtension/releases/tag/v3.1
New SAML editor
Before the new release, EsPReSSO had a simple SAML editor where the decoded SAML messages could be modified by the user. We extended the SAML editor so that the user has the possibility to define the encoding of the SAML message and to select their HTTP binding (HTTP-GET or HTTP-POST).Redesigned SAML Encoder/Decoder |
Enhancement of the SAML attacker
XML Signature Wrapping and XML Signature Faking attacks have already been part of the previous EsPReSSO version. Now the user can also perform DTD attacks! The user can select from 18 different attack vectors and manually refine them all before applying the change to the original message. Additional attack vectors can also be added by extending the XML config file of the DTD attacker.The DTD attacker can also be started in a fully automated mode. This functionality is integrated in the BurpSuite Intruder.
DTD Attacker for SAML messages |
Supporting further attacks
We implemented a CertificateViewer which extracts and decodes the certificates contained within the SAML tokens. In addition, a user interface for executing SignatureExclusion attack on SAML has been implemented.Additional functions will follow in later versions.
Currently we are working on XML Encryption attacks.This is a combined work from Nurullah Erinola, Nils Engelbertz, David Herring, Juraj Somorovsky, and Vladislav Mladenov.
The research was supported by the European Commission through the FutureTrust project (grant 700542-Future-Trust-H2020-DS-2015-1).
Related word
- Hackers Toolbox
- Hacking Apps
- Pentest Tools List
- Hacker Tools Windows
- Hack Tools Download
- Pentest Tools Find Subdomains
- Hack App
- Pentest Tools Website Vulnerability
- Pentest Tools For Android
- Beginner Hacker Tools
- Free Pentest Tools For Windows
- Pentest Tools Tcp Port Scanner
- Hacking Tools For Windows 7
- Pentest Tools Website
- Hack Tools Github
- Pentest Tools For Mac
- Pentest Tools Nmap
- Pentest Tools Online
- Hacking Tools Usb
- Hack Tools For Games
- Pentest Tools Website Vulnerability
- Tools Used For Hacking
- Hack Apps
- Hacker Tools Free
- Hacker Tools Mac
- Pentest Tools Open Source
- Hacking Tools Windows 10
- Underground Hacker Sites
- Hacker Tools 2020
- Beginner Hacker Tools
- Pentest Tools Website Vulnerability
- Pentest Tools Android
- Hacking Tools For Windows 7
- How To Install Pentest Tools In Ubuntu
- Hacking Apps
- Pentest Tools Kali Linux
- Pentest Tools For Windows
- How To Make Hacking Tools
- Nsa Hacker Tools
- Hacking Tools For Mac
- Hacker Tools For Windows
- Hacking Tools For Games
- Underground Hacker Sites
- Hak5 Tools
- Hacker Tools Free Download
- Hacking Tools Software
- Pentest Tools Subdomain
- Hacker Tools List
- Hack Tools Download
- Pentest Tools Website Vulnerability
- Pentest Tools Find Subdomains
- Nsa Hacker Tools
- Hacking App
- Hacker Search Tools
- Hacking Tools Usb
- Top Pentest Tools
- Physical Pentest Tools
- Hacking Tools For Kali Linux
- Hacking Tools 2020
- Pentest Tools For Mac
- Hacker Tools Online
- Hacker Tools Online
- Pentest Tools For Windows
- Hacking Tools For Windows Free Download
- Wifi Hacker Tools For Windows
- What Are Hacking Tools
- Hacker Tools List
- Pentest Tools Review
- Pentest Tools For Mac
- Top Pentest Tools
- Hacker Security Tools
- Hackers Toolbox
- Hacker Tools Windows
- Hacking Tools For Windows 7
- Hacker Techniques Tools And Incident Handling
- Pentest Tools Windows
- Pentest Tools Port Scanner
- Pentest Tools Kali Linux
- Hack Tools 2019
- Kik Hack Tools
- Pentest Tools Port Scanner
- Hacking Tools Mac
- Hacking Tools Free Download
- Physical Pentest Tools
- Kik Hack Tools
- Pentest Reporting Tools
- Hacking Tools Windows
- Blackhat Hacker Tools
- Easy Hack Tools
- Hack And Tools
- Pentest Automation Tools
- Pentest Tools Tcp Port Scanner
- Hacking Tools For Windows
- Pentest Tools Tcp Port Scanner
- Hack Tools 2019
- Hacker Tools Online
- Free Pentest Tools For Windows
- Pentest Tools Alternative
- Pentest Tools Port Scanner
- Hack Tools Online
- Pentest Tools Port Scanner
- Hack Apps
- Hacker Search Tools
- Wifi Hacker Tools For Windows
- Hacking Tools Download
- Pentest Tools Website Vulnerability
- Hak5 Tools
- Install Pentest Tools Ubuntu
- What Are Hacking Tools
- Hacking Tools For Beginners
- Growth Hacker Tools
- How To Hack
- Hack Apps
- Hacker Tools Mac
- Kik Hack Tools
- How To Install Pentest Tools In Ubuntu
- Tools 4 Hack
- Pentest Tools Alternative
- Computer Hacker
- Hacker Tools For Windows
- Hacker Tools Hardware
- Hack Tools Online
- New Hacker Tools
0 komentar:
Posting Komentar