Skip to content

CompassSecurity/SAMLRaider

Repository files navigation

SAML Raider - SAML2 Burp Extension

Description

SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: Manipulating SAML Messages and manage X.509 certificates.

This software was originally created by Roland Bischofberger and Emanuel Duss (@emanuelduss) during a bachelor thesis at the Hochschule für Technik Rapperswil (HSR).

Features

The extension is divided in two parts. A SAML message editor and a certificate management tool.

Message Editor

Features of the SAML Raider message editor:

  • Sign SAML messages & assertions (signature spoofing attack)
  • Remove signatures (signature exclusion attack)
  • Edit SAML messages (SAMLRequest, SAMLResponse & custom parameter names)
  • Perform eight common XSW attacks
  • Insert XXE and XSLT attack payloads
  • Supported Profiles: SAML Webbrowser Single Sign-on Profile, Web Services Security SAML Token Profile
  • Supported Bindings: POST Binding, Redirect Binding, SOAP Binding, URI Binding

SAML Attacks:

SAML Attacks

SAML Message Info:

SAML Message Info

Certificate Management

Features of the SAML Raider Certificate Management:

  • Import X.509 certificates (PEM and DER format)
  • Import X.509 certificate chains
  • Export X.509 certificates (PEM format)
  • Delete imported X.509 certificates
  • Display informations of X.509 certificates
  • Import private keys (PKCD#8 in DER format and traditional RSA in PEM Format)
  • Export private keys (traditional RSA Key PEM Format)
  • Cloning X.509 certificates
  • Cloning X.509 certificate chains
  • Create new X.509 certificates
  • Editing and self-sign existing X.509 certificates

Certificate Management:

Certificate Management

Demo

SAML Signature Spoofing Demo:

SAML Signature Spoofing Demo

FusionAuth XXE Demo (CVE-2021-27736):

FusionAuth XXE Demo

Installation

Installation from BApp Store

The recommended and easiest way to install SAML Raider is using the BApp Store. Open Burp and click in the Extensions tab on the BApp Store tab. Select SAML Raider and hit the Install button to install our extension.

Don't forget to rate our extension with as many stars you like 😄.

Manual Installation

First, download the latest SAML Raider version: saml-raider-2.0.4.jar. Then, start Burp Suite and click in the Extensions tab on Add. Choose the SAML Raider JAR file to install it and you are ready to go.

Usage Hints

To test SAML environments more comfortable, you could add a intercept rule in the proxy settings. Add a new rule which checks if a Parameter Name SAMLResponse is in the request. We hope the usage of our extension is mostly self explaining 😄. If you have questions, don't hesitate to ask us!

If you have a custom parameter name for a SAML message, this can be configured in the SAML Raider Certificates tab.

If you don't want to let SAML Raider parse your SAML message before sending to the server (e.g. when performing XXE attacks), use the raw mode.

Development

See hacking.

Feedback, Bugs and Feature Requests

Feedback is welcome! Please contact us or create a new issue on GitHub.

License

See the LICENSE file (MIT License) for license rights and limitations.

References

SAML Raider is on the Internet :).

Bachelor Thesis

General

SAML Hacking Tutorials

Discovered Vulnerabilities using SAML Raider

Other

Authors

  • Roland Bischofberger (GitHub: RouLee)
  • Emanuel Duss (GitHub: emanuelduss)
  • Tobias Hort-Giess (GitHub: t-hg)