From 5ba91a06d29daa3a651d58f3e9e20ca2b87581dc Mon Sep 17 00:00:00 2001 From: Tobias Hort Date: Thu, 31 Oct 2024 20:57:48 +0100 Subject: [PATCH 1/4] increase patch version --- BappManifest.bmf | 4 ++-- README.md | 2 +- build.gradle | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/BappManifest.bmf b/BappManifest.bmf index 25673d4..416c3a9 100644 --- a/BappManifest.bmf +++ b/BappManifest.bmf @@ -2,12 +2,12 @@ Uuid: c61cfa893bb14db4b01775554f7b802e ExtensionType: 1 Name: SAML Raider RepoName: saml-raider -ScreenVersion: 2.0.3 +ScreenVersion: 2.0.4 SerialVersion: 17 MinPlatformVersion: 0 ProOnly: False Author: Roland Bischofberger / Emanuel Duss / Tobias Hort-Giess ShortDescription: Provides a SAML message editor and a certificate management tool to help with testing SAML infrastructures. -EntryPoint: build/libs/saml-raider-2.0.3.jar +EntryPoint: build/libs/saml-raider-2.0.4.jar BuildCommand: ./gradlew jar SupportedProducts: Pro, Community diff --git a/README.md b/README.md index bc31174..d454e46 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ Don't forget to rate our extension with as many stars you like :smile:. ### Manual Installation First, download the latest SAML Raider version: -[saml-raider-2.0.3.jar](https://github.com/SAMLRaider/SAMLRaider/releases/download/v2.0.3/saml-raider-2.0.3.jar). +[saml-raider-2.0.4.jar](https://github.com/SAMLRaider/SAMLRaider/releases/download/v2.0.4/saml-raider-2.0.4.jar). Then, start Burp Suite and click in the `Extensions` tab on `Add`. Choose the SAML Raider JAR file to install it and you are ready to go. diff --git a/build.gradle b/build.gradle index 8abdfa5..492fe96 100644 --- a/build.gradle +++ b/build.gradle @@ -2,7 +2,7 @@ plugins { id "java-library" } -version = "2.0.3" +version = "2.0.4" repositories { mavenCentral() From 92cd7d8e002949622a173d16c08d25f1ca124018 Mon Sep 17 00:00:00 2001 
From: Tobias Hort Date: Thu, 31 Oct 2024 20:58:11 +0100 Subject: [PATCH 2/4] add test case --- src/main/java/livetesting/Issue80Test.java | 51 ++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 src/main/java/livetesting/Issue80Test.java diff --git a/src/main/java/livetesting/Issue80Test.java b/src/main/java/livetesting/Issue80Test.java new file mode 100644 index 0000000..3f7b29e --- /dev/null +++ b/src/main/java/livetesting/Issue80Test.java 
@@ -0,0 +1,51 @@ +package livetesting; + +import application.SamlMessageAnalyzer; +import application.SamlMessageDecoder; +import burp.api.montoya.http.message.params.HttpParameterType; +import burp.api.montoya.http.message.requests.HttpRequest; + +public class Issue80Test { + + private final String rawRequest = """ + GET /sso/saml/authenticate?SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iX2Y5ZTY4YmYzN2NjNjU5M2FjMTQ3MmU4YmZkMjljYTcwNGU4ODJmNzViZCIgVmVyc2lvbj0iMi4wIiBQcm92aWRlck5hbWU9IkNob2NvIFNob3AiIElzc3VlSW5zdGFudD0iMjAyNC0xMC0zMVQwODo1OTo1OVoiIERlc3RpbmF0aW9uPSJodHRwczovL2U2YmZhNzEzLTUwOWMtNGIyMC1iODhmLTk1NmMxZDBiMTcwMy5pLnZ1bG4ubGFuZC9zc28vc2FtbCIgUHJvdG9jb2xCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vZTZiZmE3MTMtNTA5Yy00YjIwLWI4OGYtOTU2YzFkMGIxNzAzLmkudnVsbi5sYW5kL2FwaS9hY3MiPjxzYW1sOklzc3Vlcj5odHRwczovL2U2YmZhNzEzLTUwOWMtNGIyMC1iODhmLTk1NmMxZDBiMTcwMy5pLnZ1bG4ubGFuZDwvc2FtbDpJc3N1ZXI%2BPHNhbWxwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyIgQWxsb3dDcmVhdGU9InRydWUiLz48c2FtbHA6UmVxdWVzdGVkQXV0aG5Db250ZXh0IENvbXBhcmlzb249ImV4YWN0Ij48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWxwOlJlcXVlc3RlZEF1dGhuQ29udGV4dD48L3NhbWxwOkF1dGhuUmVxdWVzdD4%3D HTTP/2 + Host: e6bfa713-509c-4b20-b88f-956c1d0b1703.i.vuln.land + Connection: keep-alive"""; + + @TestOrder.Order(1) + public TestResult isSAMLMessage() { + try { + var request = HttpRequest.httpRequest(rawRequest); + var analysis = SamlMessageAnalyzer.analyze(request, "SAMLRequest", "SAMLResponse"); + var success = analysis.isSAMLMessage(); + return new TestResult(success, null, null); + } catch (Exception exc) { + return new 
TestResult(false, null, exc); + } + } + + @TestOrder.Order(2) + public TestResult isSAMLRequest() { + try { + var request = HttpRequest.httpRequest(rawRequest); + var analysis = SamlMessageAnalyzer.analyze(request, "SAMLRequest", "SAMLResponse"); + var success = analysis.isSAMLMessage() && analysis.isSAMLRequest(); + return new TestResult(success, null, null); + } catch (Exception exc) { + return new TestResult(false, null, exc); + } + } + + @TestOrder.Order(3) + public TestResult canDecodeSAMLMessage() throws Exception { + try { + var request = HttpRequest.httpRequest(rawRequest); + var analysis = SamlMessageAnalyzer.analyze(request, "SAMLRequest", "SAMLResponse"); + var body = request.parameterValue("SAMLRequest", HttpParameterType.URL); + var decodedSamlMessage = SamlMessageDecoder.getDecodedSAMLMessage(body, analysis.isWSSMessage(), analysis.isWSSUrlEncoded()); + return new TestResult(true, decodedSamlMessage.message(), null); + } catch (Exception exc) { + return new TestResult(false, null, exc); + } + } +} From 3f532ee160448545f01c05d5fb2220271bd223e6 Mon Sep 17 00:00:00 2001 From: Tobias Hort Date: Thu, 31 Oct 2024 20:59:37 +0100 Subject: [PATCH 3/4] fix SAMLRequest as get param not recognized --- .../java/application/SamlMessageAnalyzer.java | 30 ++++++++++------- .../java/application/SamlTabController.java | 33 ++++++++++--------- 2 files changed, 36 insertions(+), 27 deletions(-) diff --git a/src/main/java/application/SamlMessageAnalyzer.java b/src/main/java/application/SamlMessageAnalyzer.java index 31c8efa..add9cdb 100644 --- a/src/main/java/application/SamlMessageAnalyzer.java +++ b/src/main/java/application/SamlMessageAnalyzer.java @@ -17,7 +17,8 @@ public record SamlMessageAnalysisResult( boolean isWSSMessage, boolean isSAMLRequest, boolean isInflated, - boolean isGZip) { + boolean isGZip, + boolean isURLParam) { } public static SamlMessageAnalysisResult analyze( 
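Review bot: `canDecodeSAMLMessage` declares `throws Exception` although its whole body sits inside `catch (Exception exc)`, so the clause is dead and inconsistent with the two sibling methods; drop it: `public TestResult canDecodeSAMLMessage() {`. The success branch also accepts any decoded string: since the `SAMLRequest` value in `rawRequest` base64-decodes to a `<samlp:AuthnRequest …>` document, computing `var success = decodedSamlMessage.message().contains("samlp:AuthnRequest");` and returning `new TestResult(success, decodedSamlMessage.message(), null)` would catch a decoder that returns garbage without throwing. Note that the parameter is read with `HttpParameterType.URL` hard-coded, so this test does not cover the body/URL location selection that PATCH 3/4 adds to `SamlTabController`; if that is the intended coverage, a variant that takes the location from the analysis result would be worth adding.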
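Review bot: The new record component `isURLParam` has no documentation and its name does not say which parameter it describes, which matters because `SamlTabController` later uses it to decide where to read both the request and the response parameter from. A Javadoc line on the component, `/** True when the SAML request/response parameter was found in the query string rather than the request body. */`, would make the contract explicit. The record header `SamlMessageAnalysisResult(` lies above the hunk.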
@@ -32,6 +33,7 @@ public static SamlMessageAnalysisResult analyze( var isSAMLRequest = false; var isInflated = false; var isGZip = false; + var isURLParam = false; var xmlHelpers = new XMLHelpers(); if (request.contentType() == ContentType.XML) { @@ -59,16 +61,19 @@ else if (request.hasParameter("wresult", HttpParameterType.BODY)) { BurpExtender.api.logging().logToError(e); } } else { - String requestParameter; - requestParameter = request.parameterValue(samlResponseParameterName, HttpParameterType.BODY); - if (requestParameter != null) { - isSAMLMessage = true; - } - requestParameter = request.parameterValue(samlRequestParameterName, HttpParameterType.BODY); - if (requestParameter != null) { - isSAMLRequest = true; - isSAMLMessage = true; - } + var samlResponseInBody = request.parameterValue(samlResponseParameterName, HttpParameterType.BODY); + var samlResponseInUrl = request.parameterValue(samlResponseParameterName, HttpParameterType.URL); + var samlRequestInBody = request.parameterValue(samlRequestParameterName, HttpParameterType.BODY); + var samlRequestInUrl = request.parameterValue(samlRequestParameterName, HttpParameterType.URL); + + isSAMLMessage = + samlResponseInBody != null + || samlResponseInUrl != null + || samlRequestInBody != null + || samlRequestInUrl != null; + + isSAMLRequest = samlRequestInBody != null || samlRequestInUrl != null; + isURLParam = samlResponseInUrl != null || samlRequestInUrl != null; } return new SamlMessageAnalysisResult( @@ -78,7 +83,8 @@ else if (request.hasParameter("wresult", HttpParameterType.BODY)) { isWSSMessage, isSAMLRequest, isInflated, - isGZip); + isGZip, + isURLParam); } private SamlMessageAnalyzer() { diff --git a/src/main/java/application/SamlTabController.java b/src/main/java/application/SamlTabController.java index 15b858a..e300253 100644 --- a/src/main/java/application/SamlTabController.java +++ b/src/main/java/application/SamlTabController.java 
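Review bot: In the `@@ -59,16 +61,19 @@` hunk `isURLParam` is set whenever either parameter appears in the query string, independently of which parameter `isSAMLRequest` selected, so a request carrying `SAMLRequest` in the body and `SAMLResponse` in the URL yields `isSAMLRequest = true, isURLParam = true`, and `SamlTabController.setRequestResponse` (the `@@ -233,22 +234,24 @@` hunk) then reads the request parameter from the URL and gets null. Tie the flag to the selected parameter: `isURLParam = isSAMLRequest ? samlRequestInUrl != null : samlResponseInUrl != null;`. That makes the URL win when the same parameter is present in both locations; if the previous body-only behaviour should take precedence, add `&& samlRequestInBody == null` (and the response counterpart) to each branch. The enclosing `analyze` method starts and ends outside the hunk.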
@@ -16,14 +16,9 @@ import gui.XSWHelpWindow; import helpers.XMLHelpers; import helpers.XSWHelpers; -import model.BurpCertificate; -import org.w3c.dom.*; -import org.xml.sax.SAXException; - -import javax.xml.crypto.MarshalException; -import javax.xml.crypto.dsig.XMLSignatureException; -import javax.xml.parsers.ParserConfigurationException; -import java.awt.*; +import java.awt.Component; +import java.awt.Desktop; +import java.awt.Toolkit; import java.awt.datatransfer.Clipboard; import java.awt.datatransfer.StringSelection; import java.io.File; @@ -41,6 +36,12 @@ import java.util.List; import java.util.Observable; import java.util.Observer; +import javax.xml.crypto.MarshalException; +import javax.xml.crypto.dsig.XMLSignatureException; +import javax.xml.parsers.ParserConfigurationException; +import model.BurpCertificate; +import org.w3c.dom.*; +import org.xml.sax.SAXException; import static java.util.Objects.requireNonNull; 
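Review bot: The `@@ -16,14 +16,9 @@` hunk replaces `java.awt.*` with three explicit imports, but the `@@ -41,6 +36,12 @@` hunk re-adds `import org.w3c.dom.*;` with its wildcard intact, so the import block ends up half-converted. Expanding it to the `org.w3c.dom` types the file actually uses (not visible in the hunk) would keep the style consistent and removes the usual wildcard drawback of a simple name resolving differently when another wildcard import gains a type of the same name.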
@@ -233,22 +234,24 @@ public void setRequestResponse(HttpRequestResponse requestResponse) { this.samlMessageAnalysisResult.isWSSUrlEncoded()); this.samlMessage = decodedSAMLMessage.message(); } else { - String parameterValue; + var httpParamType = + this.samlMessageAnalysisResult.isURLParam() + ? HttpParameterType.URL + : HttpParameterType.BODY; - if (this.samlMessageAnalysisResult.isSAMLRequest()) { - parameterValue = requestResponse.request().parameterValue(certificateTabController.getSamlRequestParameterName(), HttpParameterType.BODY); - } else { - parameterValue = requestResponse.request().parameterValue(certificateTabController.getSamlResponseParameterName(), HttpParameterType.BODY); - } + var parameterValue = + this.samlMessageAnalysisResult.isSAMLRequest() + ? requestResponse.request().parameterValue(certificateTabController.getSamlRequestParameterName(), httpParamType) + : requestResponse.request().parameterValue(certificateTabController.getSamlResponseParameterName(), httpParamType); var decodedSAMLMessage = SamlMessageDecoder.getDecodedSAMLMessage( parameterValue, this.samlMessageAnalysisResult.isWSSMessage(), this.samlMessageAnalysisResult.isWSSUrlEncoded()); + this.samlMessage = decodedSAMLMessage.message(); } - } catch (IOException e) { BurpExtender.api.logging().logToError(e); setInfoMessageText(XML_COULD_NOT_SERIALIZE); From 141cec5220105efa2da018c79a4df4280ec86bc8 Mon Sep 17 00:00:00 2001 From: Tobias Hort Date: Thu, 31 Oct 2024 21:05:41 +0100 Subject: [PATCH 4/4] ignore .DS_Store --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 74dc623..6856c9b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +.DS_Store .gradle .idea build
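Review bot: `parameterValue` can be null on the new side, because `parameterValue(name, httpParamType)` returns null when the chosen name is absent at the chosen location, and it is handed straight to `SamlMessageDecoder.getDecodedSAMLMessage`; the visible `catch (IOException e)` would not cover a resulting `NullPointerException`, and whether an outer catch does lies outside the hunk. A guard before the decode call, `if (parameterValue == null) { setInfoMessageText(<message constant for a missing SAML parameter>); return; }` (or whatever the rest of the method does for an unreadable message), keeps the tab in a defined state. As a style point, the ternary repeats the `requestResponse.request().parameterValue(..., httpParamType)` call for both arms; selecting the name first, `var paramName = this.samlMessageAnalysisResult.isSAMLRequest() ? certificateTabController.getSamlRequestParameterName() : certificateTabController.getSamlResponseParameterName();` followed by `var parameterValue = requestResponse.request().parameterValue(paramName, httpParamType);`, reads more directly. `setRequestResponse` starts and ends outside the hunk.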