About a year ago, the Burp extension SAML Raider was released as a result of a bachelor thesis in collaboration with Compass Security. This Burp extension automates most of the steps necessary to test a SAML single sign-on process and perform the corresponding attacks. With SAML Raider, an authentication bypass vulnerability in a Service Provider was found. More information is available in our first blog post about SAML Raider here: SAML Burp Extension.
We did some bugfixing and added new features to SAML Raider in the past year. In version 1.2.0, we introduced the ability to intercept and edit SAMLRequest messages. The current version is 1.2.1, which is available on GitHub. It will also be in the official Burp Suite BApp Store shortly.
Decode SAMLRequest Message
There are several Burp extensions like SAML ReQuest, SAML Editor or SAML Encoder which allow you to edit SAMLRequests. We were also asked whether this feature is supported in SAML Raider, which was not the case. Because this would be a nice feature, we implemented it in version 1.2.0.
What is a SAMLRequest?
A SAMLRequest is the SAML message which is sent from the user (browser) to the Identity Provider to “ask” for an assertion. Usually, the SAMLRequest is sent to the Identity Provider, which responds with a login form asking for the credentials. If the login was successful, the SAMLResponse is sent back to the client, which then forwards it to the Service Provider.
A SAMLRequest is sent via POST to the Identity Provider and looks like this:
So, it’s quite clear that this encoded form is not very practical for quick editing and testing.
SAMLRequest in SAML Raider
SAML Raider is now able to properly decode a SAMLRequest and display it in the SAML Raider tab:
Now it is very easy to modify the SAMLRequest. When the Forward button is clicked, the SAMLRequest is automatically encoded back into its original format and forwarded to the target.
But why would you need to view or edit the SAMLRequest? With this new feature, you can read exactly what the client is sending to the Identity Provider, and perform fuzzing or test the Identity Provider itself.
So, if you have any questions, issues or feature requests, don’t hesitate to contact us or open an issue on GitHub.
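The decode, edit and re-encode round trip described above, written out as an added Python example (this is not SAML Raider’s own code, and SAML Raider itself is a Java Burp extension). It goes slightly beyond the post in also handling the HTTP-Redirect binding, where the SAMLRequest is raw-DEFLATE compressed before being base64 and URL encoded, in addition to the HTTP-POST binding the post shows. The AuthnRequest, its ID and all URLs are constructed placeholders, not values from a real deployment.

```python
"""Decode, edit and re-encode a SAMLRequest (HTTP-POST and HTTP-Redirect bindings).

Added example, not SAML Raider's own code. The AuthnRequest, IDs and URLs
below are constructed placeholders, not values from a real deployment.
"""
import base64
import zlib
from urllib.parse import quote, unquote
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Constructed sample AuthnRequest (placeholder issuer, IdP and SP URLs).
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2016-08-01T12:00:00Z" '
    'Destination="https://idp.example/sso" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example/acs">'
    '<saml:Issuer>https://sp.example/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def decode_post_binding(form_value: str) -> str:
    """HTTP-POST binding: the SAMLRequest form field is base64 of the raw XML."""
    return base64.b64decode(form_value).decode("utf-8")


def encode_post_binding(xml_text: str) -> str:
    """Inverse of decode_post_binding."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_redirect_binding(query_value: str) -> str:
    """HTTP-Redirect binding: URL-encoded base64 of a raw DEFLATE stream.

    wbits=-15 tells zlib to expect raw DEFLATE without a zlib header, which
    is what the Redirect binding specifies.
    """
    raw = base64.b64decode(unquote(query_value))
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_binding(xml_text: str) -> str:
    """Inverse of decode_redirect_binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")


def set_request_attribute(xml_text: str, name: str, value: str) -> str:
    """Parse the AuthnRequest, set one attribute on the root, serialise it back."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    root.set(name, value)
    return ET.tostring(root, encoding="unicode")


def edit_saml_request(encoded: str, binding: str, name: str, value: str) -> str:
    """Decode, edit, then re-encode in the same binding it arrived in."""
    if binding == "post":
        xml_text = decode_post_binding(encoded)
        return encode_post_binding(set_request_attribute(xml_text, name, value))
    if binding == "redirect":
        xml_text = decode_redirect_binding(encoded)
        return encode_redirect_binding(set_request_attribute(xml_text, name, value))
    raise ValueError(f"unknown binding: {binding}")


if __name__ == "__main__":
    post_value = encode_post_binding(SAMPLE_AUTHN_REQUEST)
    print("POST form value:", post_value[:60], "...")
    print("decoded:", decode_post_binding(post_value)[:80], "...")
    edited = edit_saml_request(post_value, "post", "ForceAuthn", "true")
    print("re-encoded after edit:", edited[:60], "...")
```

Re-encoding in the same binding matters because an Identity Provider that receives a POST-binding value in a redirect URL (or vice versa) will simply reject the message, which hides whatever behaviour the edit was meant to exercise. A signed AuthnRequest also carries a signature over the original bytes, so any such edit invalidates it unless it is re-signed.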
-  SAMLRaider on GitHub: https://github.com/SAMLRaider/SAMLRaider
-  Bachelor Thesis: https://eprints.hsr.ch/464/1/eprints_BA_SAML2_Burp_Plugin_SAML_Raider_eduss_rbischof.pdf
-  SAML Service Provider Authentication Bypass: https://blog.compass-security.com/2015/09/saml-sp-authentication-bypass-vulnerability-in-nevisauth/
-  SAML Raider Releases: https://github.com/SAMLRaider/SAMLRaider/releases
-  SAML Raider in the Burp BApp Store: https://portswigger.net/bappstore/ShowBappDetails.aspx?uuid=c61cfa893bb14db4b01775554f7b802e
-  Blogpost about SAML Raider: https://blog.compass-security.com/2015/07/saml-burp-extension/
-  Fuzzing SAML: http://www.sjoerdlangkemper.nl/2016/07/28/fuzzing-saml-with-samlrequest/
-  SAMLReQuest Burp Extension: https://www.insinuator.net/2016/06/samlrequest-burpsuite-extention/
-  Blog comment asks for SAMLRequest feature: https://blog.compass-security.com/2015/07/saml-burp-extension/#comment-322651
I would like to know how the edited SAML response is re-signed with the IdP’s private key. I have imported the private key but am not able to view the imported private key in XML Signature (Message editor).
You have to import the certificate as well. The private key alone is not sufficient to sign the assertion.
1) Did you also import the certificate?
2) Did you import the private key when you have selected the certificate?
3) Is the “Private Key” checkbox enabled in the Certificate tab?
4) Can you send a screenshot of the imported certificate and the Private Key checkbox and from the certificate drop down in the SAML message editor?
Hi Emanuel Duss,
Thanks for your quick response.
Since it is an evaluation copy, the Private Key checkbox is disabled in Burp Suite. Is there a way you can help us to enable this in the evaluation copy? In case it is not possible in the evaluation version, can you please share an email ID to reach out to for professional help for the tool; based on that we will procure this tool.
There is no difference in SAML Raider if you have the Burp Suite professional or the free version.
Please provide a screenshot of the Certificate tab where you have imported the certificate AND the private key.
Hi Emanuel Duss ,
Thanks for your quick response. Now I am able to see the imported certificate in the message editor. I had tried importing the certificate after accessing the URL, hence I was not able to see the imported certificate.
I have another query. While importing the PROD private key I am getting “Error importing private key.(malformed sequence in RSA private key)”. I have copied the private key separately into a .pem file and tried to import it. Can you please help with this?
The private key has to be either in DER format or a traditional RSA key in PEM format.
Can you convert it to the PEM format using openssl (see examples in the manpage https://www.mkssoftware.com/docs/man1/openssl_rsa.1.asp)?
Hi Emanuel Duss ,
It worked… Thank you so much…
One more doubt.
Can we use SAML Raider for testing Azure AD onboarded applications?
Cool. I’m glad it worked in the end.
If the application uses SAML, you can use SAML Raider for that, independent of the underlying software, because SAML is an open standard.
Happy Hacking ;-)
Hi Emanuel Duss,
Do we have any option to view the logs in SAML Raider?
What logs do you mean? The plugin output and errors are shown in the dialog when you load the extension.
Hi Emanuel Duss,
I would like to get the error logs. For example, for the first test case I have tried applying the XSW1 attack and for the next time I may apply the XSW2 attack. Is there any chance to see these logs? So that I can attach these logs in the test case document instead of taking screenshots of error pages.
No, the results are not logged. You have to save it for yourself.
Thank you for making this tool. Unfortunately I cannot quite get it to work. I want to intercept SAML messages, edit them, and re-sign them. I did as you suggested in the other comments (import certificate, import private key in DER format) but “private key” is still greyed out (see https://ibb.co/HTq4rfh). What am I doing wrong?
PS: I start with a .jks file and get certificate and private key from that.
You’re welcome :)
I assume the private key is in the wrong format.
So if you use the DER format, can you read your key file using the following command:
This should be possible without entering a passphrase.
Hello again and thank you for your reply.
I cannot replicate my error from last time, but I still can’t get it to work. I export my private key with KeyStore Explorer from my JKS file to both PEM and binary format. I can indeed read the binary key like you suggested, and it shows the same as the PEM key file. However, both of them give me “error(null)” when trying to import them in the Burp tool.
Does this private key match the public key from the certificate in the SAML Raider Certificate tabs? You can only import the private key if this is the key that belongs to the certificate that you have selected.
Thank you again. We use several different certificates and keys, so I must have messed them up.
I have another question. Can your tool – or another you know of – also re-sign SAMLRequests? Fx take the following
I know you can decode and reencode the request as this blog post says, but can you also recalculate the signature with a private key?
OK, glad to see that it worked now ;-)
No, I think it’s not possible at the moment to sign such SAML Requests. I’m also not aware of any tool that can do it quickly. Let me know if you found one!
Really enjoyed your article as it’s highly informative.