Merge pull request #81 from CompassSecurity/thort/issue80

Thort/issue80
CompassSecurity · Nov 1, 2024 · 6b1db62 · 6b1db62
2 parents 3917ccb + 141cec5
commit 6b1db62
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 31 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
+.DS_Store
 .gradle
 .idea
 build

diff --git a/BappManifest.bmf b/BappManifest.bmf
@@ -2,12 +2,12 @@ Uuid: c61cfa893bb14db4b01775554f7b802e
 ExtensionType: 1
 Name: SAML Raider
 RepoName: saml-raider
-ScreenVersion: 2.0.3
+ScreenVersion: 2.0.4
 SerialVersion: 17
 MinPlatformVersion: 0
 ProOnly: False
 Author: Roland Bischofberger / Emanuel Duss / Tobias Hort-Giess
 ShortDescription: Provides a SAML message editor and a certificate management tool to help with testing SAML infrastructures.
-EntryPoint: build/libs/saml-raider-2.0.3.jar
+EntryPoint: build/libs/saml-raider-2.0.4.jar
 BuildCommand: ./gradlew jar
 SupportedProducts: Pro, Community
diff --git a/README.md b/README.md
@@ -79,7 +79,7 @@ Don't forget to rate our extension with as many stars you like :smile:.
 ### Manual Installation
 
 First, download the latest SAML Raider version:
-[saml-raider-2.0.3.jar](https://github.com/SAMLRaider/SAMLRaider/releases/download/v2.0.3/saml-raider-2.0.3.jar).
+[saml-raider-2.0.4.jar](https://github.com/SAMLRaider/SAMLRaider/releases/download/v2.0.4/saml-raider-2.0.4.jar).
 Then, start Burp Suite and click in the `Extensions` tab on `Add`. Choose the
 SAML Raider JAR file to install it and you are ready to go.
 

diff --git a/build.gradle b/build.gradle
@@ -2,7 +2,7 @@ plugins {
 	id "java-library"
 }
 
-version = "2.0.3"
+version = "2.0.4"
 
 repositories {
 	mavenCentral()

diff --git a/src/main/java/application/SamlMessageAnalyzer.java b/src/main/java/application/SamlMessageAnalyzer.java
@@ -17,7 +17,8 @@ public record SamlMessageAnalysisResult(
             boolean isWSSMessage,
             boolean isSAMLRequest,
             boolean isInflated,
-            boolean isGZip) {
+            boolean isGZip,
+            boolean isURLParam) {
     }
 
     public static SamlMessageAnalysisResult analyze(
@@ -32,6 +33,7 @@ public static SamlMessageAnalysisResult analyze(
         var isSAMLRequest = false;
         var isInflated = false;
         var isGZip = false;
+        var isURLParam = false;
 
         var xmlHelpers = new XMLHelpers();
         if (request.contentType() == ContentType.XML) {
@@ -59,16 +61,19 @@ else if (request.hasParameter("wresult", HttpParameterType.BODY)) {
                 BurpExtender.api.logging().logToError(e);
             }
         } else {
-            String requestParameter;
-            requestParameter = request.parameterValue(samlResponseParameterName, HttpParameterType.BODY);
-            if (requestParameter != null) {
-                isSAMLMessage = true;
-            }
-            requestParameter = request.parameterValue(samlRequestParameterName, HttpParameterType.BODY);
-            if (requestParameter != null) {
-                isSAMLRequest = true;
-                isSAMLMessage = true;
-            }
+            var samlResponseInBody = request.parameterValue(samlResponseParameterName, HttpParameterType.BODY);
+            var samlResponseInUrl = request.parameterValue(samlResponseParameterName, HttpParameterType.URL);
+            var samlRequestInBody = request.parameterValue(samlRequestParameterName, HttpParameterType.BODY);
+            var samlRequestInUrl = request.parameterValue(samlRequestParameterName, HttpParameterType.URL);
+
+            isSAMLMessage =
+                    samlResponseInBody != null
+                            || samlResponseInUrl != null
+                            || samlRequestInBody != null
+                            || samlRequestInUrl != null;
+
+            isSAMLRequest = samlRequestInBody != null || samlRequestInUrl != null;
+            isURLParam = samlResponseInUrl != null || samlRequestInUrl != null;
         }
 
         return new SamlMessageAnalysisResult(
@@ -78,7 +83,8 @@ else if (request.hasParameter("wresult", HttpParameterType.BODY)) {
                 isWSSMessage,
                 isSAMLRequest,
                 isInflated,
-                isGZip);
+                isGZip,
+                isURLParam);
     }
 
     private SamlMessageAnalyzer() {

diff --git a/src/main/java/application/SamlTabController.java b/src/main/java/application/SamlTabController.java
@@ -16,14 +16,9 @@
 import gui.XSWHelpWindow;
 import helpers.XMLHelpers;
 import helpers.XSWHelpers;
-import model.BurpCertificate;
-import org.w3c.dom.*;
-import org.xml.sax.SAXException;
-
-import javax.xml.crypto.MarshalException;
-import javax.xml.crypto.dsig.XMLSignatureException;
-import javax.xml.parsers.ParserConfigurationException;
-import java.awt.*;
+import java.awt.Component;
+import java.awt.Desktop;
+import java.awt.Toolkit;
 import java.awt.datatransfer.Clipboard;
 import java.awt.datatransfer.StringSelection;
 import java.io.File;
@@ -41,6 +36,12 @@
 import java.util.List;
 import java.util.Observable;
 import java.util.Observer;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.parsers.ParserConfigurationException;
+import model.BurpCertificate;
+import org.w3c.dom.*;
+import org.xml.sax.SAXException;
 
 import static java.util.Objects.requireNonNull;
 
@@ -233,22 +234,24 @@ public void setRequestResponse(HttpRequestResponse requestResponse) {
                                     this.samlMessageAnalysisResult.isWSSUrlEncoded());
                     this.samlMessage = decodedSAMLMessage.message();
                 } else {
-                    String parameterValue;
+                    var httpParamType =
+                            this.samlMessageAnalysisResult.isURLParam()
+                                    ? HttpParameterType.URL
+                                    : HttpParameterType.BODY;
 
-                    if (this.samlMessageAnalysisResult.isSAMLRequest()) {
-                        parameterValue = requestResponse.request().parameterValue(certificateTabController.getSamlRequestParameterName(), HttpParameterType.BODY);
-                    } else {
-                        parameterValue = requestResponse.request().parameterValue(certificateTabController.getSamlResponseParameterName(), HttpParameterType.BODY);
-                    }
+                    var parameterValue =
+                            this.samlMessageAnalysisResult.isSAMLRequest()
+                                    ? requestResponse.request().parameterValue(certificateTabController.getSamlRequestParameterName(), httpParamType)
+                                    : requestResponse.request().parameterValue(certificateTabController.getSamlResponseParameterName(), httpParamType);
 
                     var decodedSAMLMessage =
                             SamlMessageDecoder.getDecodedSAMLMessage(
                                     parameterValue,
                                     this.samlMessageAnalysisResult.isWSSMessage(),
                                     this.samlMessageAnalysisResult.isWSSUrlEncoded());
+
                     this.samlMessage = decodedSAMLMessage.message();
                 }
-
             } catch (IOException e) {
                 BurpExtender.api.logging().logToError(e);
                 setInfoMessageText(XML_COULD_NOT_SERIALIZE);

diff --git a/src/main/java/livetesting/Issue80Test.java b/src/main/java/livetesting/Issue80Test.java
@@ -0,0 +1,51 @@
+package livetesting;
+
+import application.SamlMessageAnalyzer;
+import application.SamlMessageDecoder;
+import burp.api.montoya.http.message.params.HttpParameterType;
+import burp.api.montoya.http.message.requests.HttpRequest;
+
+public class Issue80Test {
+
+    private final String rawRequest = """
+            GET /sso/saml/authenticate?SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iX2Y5ZTY4YmYzN2NjNjU5M2FjMTQ3MmU4YmZkMjljYTcwNGU4ODJmNzViZCIgVmVyc2lvbj0iMi4wIiBQcm92aWRlck5hbWU9IkNob2NvIFNob3AiIElzc3VlSW5zdGFudD0iMjAyNC0xMC0zMVQwODo1OTo1OVoiIERlc3RpbmF0aW9uPSJodHRwczovL2U2YmZhNzEzLTUwOWMtNGIyMC1iODhmLTk1NmMxZDBiMTcwMy5pLnZ1bG4ubGFuZC9zc28vc2FtbCIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vZTZiZmE3MTMtNTA5Yy00YjIwLWI4OGYtOTU2YzFkMGIxNzAzLmkudnVsbi5sYW5kL2FwaS9hY3MiPjxzYW1sOklzc3Vlcj5odHRwczovL2U2YmZhNzEzLTUwOWMtNGIyMC1iODhmLTk1NmMxZDBiMTcwMy5pLnZ1bG4ubGFuZDwvc2FtbDpJc3N1ZXI%2BPHNhbWxwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyIgQWxsb3dDcmVhdGU9InRydWUiLz48c2FtbHA6UmVxdWVzdGVkQXV0aG5Db250ZXh0IENvbXBhcmlzb249ImV4YWN0Ij48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWxwOlJlcXVlc3RlZEF1dGhuQ29udGV4dD48L3NhbWxwOkF1dGhuUmVxdWVzdD4%3D HTTP/2
+            Host: e6bfa713-509c-4b20-b88f-956c1d0b1703.i.vuln.land
+            Connection: keep-alive""";
+
+    @TestOrder.Order(1)
+    public TestResult isSAMLMessage() {
+        try {
+            var request = HttpRequest.httpRequest(rawRequest);
+            var analysis = SamlMessageAnalyzer.analyze(request, "SAMLRequest", "SAMLResponse");
+            var success = analysis.isSAMLMessage();
+            return new TestResult(success, null, null);
+        } catch (Exception exc) {
+            return new TestResult(false, null, exc);
+        }
+    }
+
+    @TestOrder.Order(2)
+    public TestResult isSAMLRequest() {
+        try {
+            var request = HttpRequest.httpRequest(rawRequest);
+            var analysis = SamlMessageAnalyzer.analyze(request, "SAMLRequest", "SAMLResponse");
+            var success = analysis.isSAMLMessage() && analysis.isSAMLRequest();
+            return new TestResult(success, null, null);
+        } catch (Exception exc) {
+            return new TestResult(false, null, exc);
+        }
+    }
+
+    @TestOrder.Order(3)
+    public TestResult canDecodeSAMLMessage() throws Exception {
+        try {
+            var request = HttpRequest.httpRequest(rawRequest);
+            var analysis = SamlMessageAnalyzer.analyze(request, "SAMLRequest", "SAMLResponse");
+            var body = request.parameterValue("SAMLRequest", HttpParameterType.URL);
+            var decodedSamlMessage = SamlMessageDecoder.getDecodedSAMLMessage(body, analysis.isWSSMessage(), analysis.isWSSUrlEncoded());
+            return new TestResult(true, decodedSamlMessage.message(), null);
+        } catch (Exception exc) {
+            return new TestResult(false, null, exc);
+        }
+    }
+}