Releases: CompassSecurity/SAMLRaider

Release v1.2.5

01 Jul 16:10

I forgot to include the updates from the PortSwigger repository. This fixes the extension so that it works with OpenJDK 11.

Release v1.2.4

01 Jul 15:44

This is a bugfix release.

This release fixes the following issues:

  • XMLHelpers: fix signElement used by signMessage in cases where the XML doc is beautified. PR #41
  • Bumps xmlsec from 2.1.2 to 2.1.4. PR #43

Thanks @cnotin for your PR!

Release v1.2.3

01 Apr 16:39

This is a bugfix release.

This release fixes the following issues:

  • #35 (SAML messages were not editable in newer Java versions)
  • #14 (Unnecessary console output)

Note:

  • Because the RSyntaxTextArea was replaced with a normal Java Swing JTextArea, no syntax highlighting or text search is available anymore.

Enjoy your SAML testing 🤘

Release 1.2.2

01 Apr 15:53
f4ed4ab

@pajswigger from PortSwigger fixed a Java version incompatibility issue with OpenJDK 11, which is shipped in the bundled Burp version.

The plugin now works in Java 11.

This fixes the following issues:

Thanks @PortSwigger and @pajswigger!

Release 1.2.1

19 Sep 12:22

We got a pull-request (#13) with the following changes:

  • Bugfix: The XSW diagram had some incorrect graphics. They are now fixed.
  • Fixed/improved some unit tests.

A big thank you to @thariyarox!

Release 1.2.0

22 Aug 11:35
  • New feature: Support for SAMLRequest messages (Issue #11)

Release 1.1.1

22 Aug 22:20

New Features

  • New Profile: Web Services Security: SAML Token Profile
    • Now it's possible to manipulate SAML Assertions, which are transmitted in a WS-Security SAML Token Profile.

New Bug

Security Fix

  • Fixed XXE (CWE-611)
    • If someone had installed the extension and intercepted an XML message with XXE in it, viewed it in the HTTP History, or used it in the Repeater, the entities were resolved. Every XML message was first parsed to determine whether it is a SAML message and whether the SAML Raider tab had to be displayed. This issue is now fixed by disabling the loading of external DTDs and disabling external entities.
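
The hardening described in this fix, as an added example (not SAML Raider's own code): a parser for the "is this a SAML message?" pre-check with external DTD loading and external entities disabled. The class and method names are hypothetical, the sample message is constructed, and treating only the SAML 2.0 protocol namespace as "SAML" is a simplifying assumption.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Hypothetical class, written for this example only.
public class HardenedSamlSniffer {
    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Parser configured so that a DOCTYPE in an intercepted message cannot
    // make the tool load an external DTD or resolve external entities.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // The pre-check that runs on every XML body before a SAML tab is shown.
    static boolean isSamlMessage(String xml) {
        try {
            Document d = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return SAMLP_NS.equals(d.getDocumentElement().getNamespaceURI());
        } catch (Exception e) {
            return false; // unparsable input: do not show the SAML tab
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a SAML-shaped message that declares an external
        // entity pointing at a placeholder path.
        String sample = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
            + "<samlp:Response xmlns:samlp=\"" + SAMLP_NS + "\">"
            + "<samlp:Status>&ext;</samlp:Status></samlp:Response>";
        Document d = hardenedBuilder().parse(new InputSource(new StringReader(sample)));
        System.out.println("SAML message: " + isSamlMessage(sample));
        System.out.println("Status text:  [" + d.getDocumentElement().getTextContent() + "]");
    }
}
```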

Release 1.0.1 - Bugfixes

16 Sep 16:17

Two bugfixes for Issue #1

  • Line breaks are no longer removed from an edited message
  • Namespace definitions in tags, e.g. xmlns:saml="...", are retained in every situation

Release 1.0.0

22 Jul 12:43

This is our first release.