Compass Security Blog

Offensive Defense

SAMLRequest Support for SAML Raider

About a year ago, the Burp extension SAML Raider [0] was released as a result of a bachelor thesis [1] in collaboration with Compass Security. This Burp extension automates most of the steps that are necessary to test a SAML single sign-on process and to perform the corresponding attacks. With SAML Raider, an authentication bypass vulnerability in a Service Provider was found [2]. More information is available in our first blog post about SAML Raider: SAML Burp Extension [5].

We did some bug fixing and added new features to SAML Raider in the past year. In version 1.2.0, we introduced the ability to intercept and edit SAMLRequest messages. The current version is 1.2.1, which is available on GitHub [3]. It will also be in the official Burp Suite BApp store [4] shortly.

Decode SAMLRequest Message

There are several Burp extensions [6] like SAML ReQuest [7], SAML Editor or SAML Encoder which allow you to edit SAMLRequests. We were also asked [8] whether this feature is supported in SAML Raider, which was not the case at the time. Because this would be a useful feature, we implemented it in version 1.2.0.

What is a SAMLRequest?

A SAMLRequest is the SAML message that is sent from the user (browser) to the Identity Provider to “ask” for an assertion. Usually, the SAMLRequest is sent to the Identity Provider, which responds with a login form asking for the credentials. If the login was successful, the SAMLResponse is sent back to the client, which forwards it to the Service Provider.

A SAMLRequest is sent via POST to the Identity Provider and looks like this:

[Image: samlrequest]

It is quite clear that this form is not practical for quick editing and testing.

SAMLRequest in SAML Raider

SAML Raider is now able to properly decode a SAMLRequest and display it in the SAML Raider tab:

[Image: samlrequest_samlraider]

Now it is very easy to modify the SAMLRequest. When the Forward button is clicked, the SAMLRequest is automatically encoded back into its original format and forwarded to the target.

But why would you need to view or edit the SAMLRequest? With this new feature, you can see exactly what the client sends to the Identity Provider, and you can fuzz or test the Identity Provider itself.
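The decoding and re-encoding that SAML Raider performs here, as an added Python example that is not part of SAML Raider or of this post: it decodes a SAMLRequest from the HTTP-POST binding described above (plain base64 XML in a form field) and, going beyond the post, from the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding in the query string), pulls out the fields a tester looks at first, edits one attribute and encodes the result back. The AuthnRequest, the hostnames and the ID in it are constructed placeholders.

```python
"""Decode, inspect, edit and re-encode a SAMLRequest (added example, not SAML Raider code)."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
# Keep the usual prefixes when ElementTree serialises an edited request.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample AuthnRequest; hostnames and ID are placeholders, not captured data.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def decode_post_binding(samlrequest: str) -> str:
    """HTTP-POST binding: the form field is plain base64 of the XML."""
    return base64.b64decode(samlrequest).decode("utf-8")


def encode_post_binding(xml: str) -> str:
    """Inverse of decode_post_binding."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_redirect_binding(query_value: str) -> str:
    """HTTP-Redirect binding: URL-encoded base64 of raw-DEFLATE'd XML."""
    raw = base64.b64decode(urllib.parse.unquote(query_value))
    # wbits=-15: raw DEFLATE stream without a zlib header, as the binding requires
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_binding(xml: str) -> str:
    """Inverse of decode_redirect_binding (raw DEFLATE, base64, URL-encode)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_samlrequest(value: str) -> str:
    """Detect the binding: plain base64 XML first, otherwise the Redirect form."""
    try:
        xml = decode_post_binding(value)
        if xml.lstrip().startswith("<"):
            return xml
    except (ValueError, UnicodeDecodeError):
        pass
    return decode_redirect_binding(value)


def summarize(xml: str) -> dict:
    """Pull out the fields a tester looks at first."""
    root = ET.fromstring(xml)
    issuer = root.find("saml:Issuer", NS)
    return {
        "ID": root.get("ID"),
        "Issuer": issuer.text if issuer is not None else None,
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "ProtocolBinding": root.get("ProtocolBinding"),
    }


def set_attribute(xml: str, name: str, value: str) -> str:
    """Edit one attribute on the request's root element and serialise it back."""
    root = ET.fromstring(xml)
    root.set(name, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    post_value = encode_post_binding(SAMPLE_AUTHN_REQUEST)
    redirect_value = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    for value in (post_value, redirect_value):
        print(summarize(decode_samlrequest(value)))
    # Round trip: decode, edit one attribute, encode back for forwarding.
    edited = set_attribute(decode_samlrequest(post_value), "ForceAuthn", "true")
    print(encode_post_binding(edited))
```

Re-serialising the XML does not preserve the original bytes, so a request that carried a signature (the SigAlg and Signature query parameters of the Redirect binding, or an embedded ds:Signature) will no longer verify after an edit. An Identity Provider that validates request signatures should reject such a modified request, which is itself a useful behaviour to confirm during a test.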

So, if you have any questions, issues or feature requests, don’t hesitate to contact us or open an issue on GitHub [0].

References

19 Comments

  1. Anuja

    Hi,

    I would like to know how the edited SAML response is resigned with IdP’s private key. I have imported the Private Key but not able to view the imported Private Key in XML Signature (Message editor).

    • Emanuel Duss

      You have to import the certificate as well. The private key alone is not sufficient to sign the assertion.

      1) Did you also import the certificate?
      2) Did you import the private key when you have selected the certificate?
      3) Is the “Private Key” checkbox enabled in the Certificate tab?
      4) Can you send a screenshot of the imported certificate and the Private Key checkbox and from the certificate drop down in the SAML message editor?

  2. Anuja

    Hi Emanuel Duss,

    Thanks for your quick response.

    Since it is an evaluation copy, the Private Key check box is disabled in Burp Suite. Is there a way you can help us to enable this in the evaluation copy? In case it is not possible in the evaluation version, can you please share an email ID to reach out for professional help for the tool; based on that we will procure this tool.

    • Emanuel Duss

      Hi

      There is no difference in SAML Raider if you have the Burp Suite professional or the free version.

      Please provide a screenshot of the Certificate tab where you have imported the certificate AND the private key.

      • Anuja

        Hi Emanuel Duss ,

        Thanks for your quick response. Now I am able to see the imported certificate in the Message editor. I had tried importing the certificate after accessing the URL, hence I was not able to see the imported certificate.

        I have another query. While importing the PROD private key I am getting “Error importing private key.(malformed sequence in RSA private key)”. I have copied the private key separately into a .pem file and tried to import it. Can you please help with this.

        • Emanuel Duss

          Hi Anuja

          The private key has to be either in DER format or traditional RSA in PEM format.

          Can you convert it to the PEM format using openssl (see examples in the manpage https://www.mkssoftware.com/docs/man1/openssl_rsa.1.asp).

          Best regards,
          Emanuel

  3. Anuja

    Hi Emanuel Duss ,

    It worked… Thank you so much…

    One more doubt.
    Can we use SAML Raider for testing Azure AD onboarded applications?

    • Emanuel Duss

      Hi Anuja

      Cool. I’m glad it worked in the end.

      If the application uses SAML, you can use SAML Raider for that, independent of the underlying software, because SAML is an open standard.

      Happy Hacking ;-)

      Emanuel

      • Anuja

        Hi Emanuel Duss,

        Do we have any option to view the logs in SAML Raider?

        Regards,
        Anuja

  4. Emanuel Duss

    Hi Anuja

    What logs do you mean? The plugin output and errors are shown in the dialog when you load the extension.

    Best regards,
    Emanuel

    • Anuja

      Hi Emanuel Duss,

      I would like to get the error logs. For example, for the first test case I have tried applying the XSW1 attack and for the next time I may apply the XSW2 attack. Is there any chance to see these logs? So that I can attach these logs in the test case document instead of taking screenshots of error pages.

      Regards,
      Anuja

      • Emanuel Duss

        Hi Anuja

        No, the results are not logged. You have to save it for yourself.

        Best regards,
        Emanuel

  5. Sune

    Hi.

    Thank you for making this tool. Unfortunately I cannot quite get it to work. I want to intercept SAML messages, edit them, and resign them. I did as you suggested in the other comments (import certificate, import private key in DER format) but “private key” is still greyed out (see https://ibb.co/HTq4rfh). What am I doing wrong?

    PS: I start with a .jks file and get certificate and private key from that.

    • Emanuel Duss

      Hi Sune

      You’re welcome :)

      I assume the private key is in the wrong format.

      So if you use the DER format, can you read your key file using the following command?

      # openssl rsa -inform der -in key.test
      writing RSA key
      -----BEGIN RSA PRIVATE KEY-----
      MIIBPAIBAAJBAKuwRVKZBqd/i0JpUGMdnqsw1fsXhvJMf7EBVdfEuSYcxniCTQO9
      sEnrpBD6I7alMl9idAnIjwYe3qnJUNs6QLMCAwEAAQJAIIrKuPs0Xa85MB9SE1db
      6crZ5DvzYh3J3j0IjltFVMmz8h6BjP43++QucRE+2UKQXuZMeVR7D2Y9AgW92/sE
      kQIhANpj1ggcraLCFPzg0X6uhIldOJbesGhOyNrkj6iAttC3AiEAyUGCB0CCPt2G
      j6soRoKjHsbrrhsfpQyg+vxbvycD2+UCIQCrYYmHGCpS/YfG4w7EIWQ1AAj2rI83
      bAxHavIpw8izhQIhAJgq/7WcAN6ngGaAcyNdAxjyLqClwXd55P3gcT5GsZRBAiEA
      jcpo7KCOxpXbbo1Z69ak/t8nnS3xyrKw1YyE9y7L06s=
      -----END RSA PRIVATE KEY-----

      This should be possible without entering a passphrase.

      Best,
      Emanuel

      • Sune

        Hello again and thank you for your reply.

        I cannot replicate my error from last time, but I still can’t get it to work. I export my private key with KeyStore Explorer from my JKS file to both PEM and binary format. I can indeed read the binary key like you suggested, and it shows the same as the PEM key file. However, both of them give me “error(null)” when trying to import them in the Burp tool.

        • Emanuel Duss

          Hello :)

          Does this private key match the public key from the certificate in the SAML Raider Certificate tabs? You can only import the private key if this is the key that belongs to the certificate that you have selected.

          Best regards,
          Emanuel

          • Sune

            Thank you again. We use several different certificates and keys, so I must have messed them up.

            I have another question. Can your tool – or another you know of – also resign SAMLRequests? E.g. take the following
            SAMLRequest=nVNda…&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=PwQe…
            I know you can decode and reencode the request as this blog post says, but can you also recalculate the signature with a private key?

        • Emanuel Duss

          Hi Sune

          OK, glad to see that it worked now ;-)

          No, I think it’s not possible at the moment to sign such SAML Requests. I’m also not aware of any tool that can do it quickly. Let me know if you found one!

          Regards,
          Emanuel
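The two recurring problems in the comment threads above, the key file not being in a format the importer accepts (DER or traditional RSA PEM) and the private key not belonging to the selected certificate, can both be settled with the openssl CLI before touching Burp. The script below is an added example and not part of SAML Raider; it assumes openssl is installed, generates its own throwaway certificate and keys (nothing here is real key material), converts a PKCS#8 key into the two accepted formats, runs the readability check from the comments, and compares the key's modulus with the certificate's to confirm they belong together.

```shell
#!/bin/sh
# Added example, not SAML Raider code: prepare a private key for import and
# check that it is the key of the selected certificate. Assumes openssl is
# installed; all certificates and keys are generated here and thrown away.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed material: a self-signed "IdP" certificate with its key. Current
# openssl writes keys as PKCS#8 ("BEGIN PRIVATE KEY"), the form that is not accepted.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=idp.example.test" \
  -days 1 -keyout "$WORK/idp-pkcs8.pem" -out "$WORK/idp-cert.pem" 2>/dev/null

# A second, unrelated key, standing in for a key that belongs to another certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/other-pkcs8.pem" 2>/dev/null

# Unencrypted PKCS#8 -> traditional RSA PEM ("BEGIN RSA PRIVATE KEY").
pkcs8_to_traditional_pem() {
  openssl pkcs8 -in "$1" -nocrypt -traditional -out "$2"
}

# Traditional PEM -> DER, the other format the importer accepts.
pem_to_der() {
  openssl rsa -in "$1" -outform DER -out "$2" 2>/dev/null
}

# The check suggested in the comments: openssl must read the key without a
# passphrase. $2 is the input format (PEM by default, or DER).
key_is_readable() {
  openssl rsa -inform "${2:-PEM}" -in "$1" -noout -check >/dev/null 2>&1 </dev/null
}

# The private key can only be imported for the certificate it belongs to:
# compare the RSA modulus of the certificate with that of the key.
key_matches_cert() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
  key_mod=$(openssl rsa -inform "${3:-PEM}" -in "$2" -noout -modulus 2>/dev/null </dev/null) || return 2
  [ "$cert_mod" = "$key_mod" ]
}

pkcs8_to_traditional_pem "$WORK/idp-pkcs8.pem" "$WORK/idp-rsa.pem"
pkcs8_to_traditional_pem "$WORK/other-pkcs8.pem" "$WORK/other-rsa.pem"
pem_to_der "$WORK/idp-rsa.pem" "$WORK/idp-rsa.der"

head -1 "$WORK/idp-rsa.pem"
key_is_readable "$WORK/idp-rsa.pem" && echo "PEM key readable without passphrase"
key_is_readable "$WORK/idp-rsa.der" DER && echo "DER key readable without passphrase"
key_matches_cert "$WORK/idp-cert.pem" "$WORK/idp-rsa.pem" && echo "idp key matches idp cert"
key_matches_cert "$WORK/idp-cert.pem" "$WORK/other-rsa.pem" || echo "other key does not match idp cert"
```

A key exported from a JKS with KeyStore Explorer or similar tools usually comes out as PKCS#8; the pkcs8_to_traditional_pem step is what turns it into the "BEGIN RSA PRIVATE KEY" form. If key_matches_cert fails, the key is not the one for the selected certificate, which is the situation described in the last thread.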

  6. appsian

    Really enjoyed your article as its highly informative
