Compass Security Blog

SAMLRequest Support for SAML Raider

About a year ago, the Burp extension SAML Raider [0] was released as the result of a bachelor thesis [1] in collaboration with Compass Security. This Burp extension automates most of the steps that are necessary to test a SAML single sign-on process and perform the corresponding attacks. With SAML Raider, an authentication bypass vulnerability in a Service Provider was found [2]. More information is available in our first blog post about SAML Raider: SAML Burp Extension [5].

We did some bug fixing and added new features to SAML Raider over the past year. In version 1.2.0, we introduced the ability to intercept and edit SAMLRequest messages. The current version is 1.2.1, which is available on GitHub [3]. It will also be in the official Burp Suite BApp store [4] shortly.

Decode SAMLRequest Message

There are several Burp extensions [6] like SAML ReQuest [7], SAML Editor or SAML Encoder which allow you to edit SAMLRequests. We also got asked [8] whether this feature is supported in SAML Raider, which was not the case. Because this would be a nice feature, we implemented it in version 1.2.0.

What is a SAMLRequest?

A SAMLRequest is the SAML message that is sent from the user (browser) to the Identity Provider to “ask” for an assertion. Usually, the SAMLRequest is sent to the Identity Provider, which responds with a login form asking for the credentials. If the login was successful, the SAMLResponse is sent back to the client, which then forwards it to the Service Provider.

A SAMLRequest is sent via POST to the Identity Provider and looks like this:

[Figure: a SAMLRequest as sent via POST to the Identity Provider]

So it’s quite clear that this is not very practical for quick editing and testing.

SAMLRequest in SAML Raider

SAML Raider is now able to properly decode a SAMLRequest and display it in the SAML Raider tab:

[Figure: the decoded SAMLRequest displayed in the SAML Raider tab]

Now it is very easy to modify the SAMLRequest. When the Forward button is clicked, the SAMLRequest is automatically encoded back into its original format and forwarded to the target.

But why would you need to view or edit the SAMLRequest? With this new feature, you can read exactly what the client is sending to the Identity Provider and perform fuzzing or test the Identity Provider itself.
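The decode-and-re-encode cycle described above, as an added Python example that is not SAML Raider’s own code: it unwraps the SAMLRequest parameter into readable XML, summarises the AuthnRequest fields a tester wants to check, and wraps an edited message back into its original form. It goes slightly beyond the post by also handling the HTTP-Redirect binding, which DEFLATE-compresses and URL-encodes the message in addition to base64; the AuthnRequest and its URLs are constructed sample data.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest (not captured from any real Service Provider).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" '
    'IssueInstant="2018-05-30T08:06:00Z" Destination="https://idp.example.test/sso" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def decode_samlrequest(value: str, binding: str = "post") -> str:
    """Turn the SAMLRequest form/query parameter back into XML text."""
    if binding == "redirect":
        # HTTP-Redirect binding: URL-encoded, base64, raw DEFLATE (wbits=-15, no zlib header)
        raw = base64.b64decode(urllib.parse.unquote(value))
        return zlib.decompress(raw, -15).decode("utf-8")
    # HTTP-POST binding: plain base64 of the XML, as shown in the post
    return base64.b64decode(value).decode("utf-8")

def encode_samlrequest(xml_text: str, binding: str = "post") -> str:
    """Inverse of decode_samlrequest, so an edited message can be forwarded."""
    data = xml_text.encode("utf-8")
    if binding == "redirect":
        compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
        deflated = compressor.compress(data) + compressor.flush()
        return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")
    return base64.b64encode(data).decode("ascii")

def summarize_authn_request(xml_text: str) -> dict:
    """Pull out the fields worth eyeballing before editing: who asks, where it goes, where the response lands."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }
```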

So, if you have any questions, issues or feature requests, don’t hesitate to contact us or open an issue on GitHub [0].

References

12 Comments

  1. Hi,

    I would like to know how the edited SAML response is resigned with IdP’s private key. I have imported the Private Key but not able to view the imported Private Key in XML Signature (Message editor).

    • Emanuel Duss

      May 30, 2018 at 08:06

      You have to import the certificate as well. The private key alone is not sufficient to sign the assertion.

      1) Did you also import the certificate?
      2) Did you import the private key when you have selected the certificate?
      3) Is the “Private Key” checkbox enabled in the Certificate tab?
      4) Can you send a screenshot of the imported certificate and the Private Key checkbox and from the certificate drop down in the SAML message editor?

  2. Hi Emanuel Duss,

    Thanks for your quick response.

    Since it is an evaluation copy, the Private Key check box is disabled in Burp Suite. Is there a way you can help us to enable this in the evaluation copy? In case it is not possible in the evaluation version, can you please share an email ID to reach out to for professional help for the tool; based on that we will procure this tool.

    • Emanuel Duss

      May 30, 2018 at 13:43

      Hi

      There is no difference in SAML Raider if you have the Burp Suite professional or the free version.

      Please provide a screenshot of the Certificate tab where you have imported the certificate AND the private key.

      • Hi Emanuel Duss,

        Thanks for your quick response. Now I am able to see the imported certificate in the Message editor. I had tried importing the certificate after accessing the URL, hence I was not able to see the imported certificate.

        I have another Query. While importing PROD Private key I am getting “Error importing private key.(malformed sequence in RSA private key)”. I have copied the Private key separately in a .pem file and tried to import it. Can you please help on this.

  3. Hi Emanuel Duss,

    It worked… Thank you so much…

    One more doubt.
    Can we use SAML Raider for testing Azure AD onboarded applications?

    • Emanuel Duss

      June 14, 2018 at 13:03

      Hi Anuja

      Cool. I’m glad it worked in the end.

      If the application uses SAML, you can use SAML Raider for that, independent of the underlying software, because SAML is an open standard.

      Happy Hacking 😉

      Emanuel

  4. Emanuel Duss

    June 25, 2018 at 16:26

    Hi Anuja

    What logs do you mean? The plugin output and errors are shown in the dialog when you load the extension.

    Best regards,
    Emanuel

    • Hi Emanuel Duss,

      I would like to get the error logs. For example, for the first test case I have tried applying the XSW1 attack and the next time I may apply the XSW2 attack. Is there any chance to see these logs? So that I can attach these logs in the test case document instead of taking screenshots of error pages.

      Regards,
      Anuja

      • Emanuel Duss

        June 26, 2018 at 11:04

        Hi Anuja

        No, the results are not logged. You have to save it for yourself.

        Best regards,
        Emanuel
