Release 1.1.1

New Features

• New Profile: Web Services Security: SAML Token Profile
  • Now it's possible to manipulate SAML Assertions, which are transmitted in a WS-Security SAML Token Profile.

New Bug

• HTTP Content-Type: multipart/form-data
  • There is a bug in the Burp API when using our extension with the HTTP Content-Type: multipart/form-data. The edited parameter gets inserted to the message but the old original parameter is not being removed. Therefore two parameters with the same name are in the forwarded message.
    We reported the bug to PortSwigger (https://support.portswigger.net/customer/portal/questions/14348527-parameter-of-http-post-with-content-type-multipart-form-data-could-not-be-updated). We will close the Issue #5 when the Burp API is fixed.

Security Fix

• Fixed XXE (CWE-611)
  • If someone had installed the extension and intercepted, viewed in HTTP History or used in the Repeater a XML message with XXE in it, the entities were resolved. Every XML message got first parsed to determine if it is a SAMLMessage and if the SAML Raider tab had to be displayed. This issue is now fixed by disabling loading external dtd and disabling external entities.