Improvements to the SAML-Attacker tool

03.07.2019 - Marcus Brinkmann

We added two new features to the SAML-Attacker in our Burp Suite extension EsPReSSO <https://github.com/RUB-NDS/BurpSSOExtension>: one probes a SAML endpoint for XML Encryption weaknesses, the other for XML Signature Wrapping vulnerabilities.

The new XML Encryption attacker included in EsPReSSO helps security auditors quickly assess whether a SAML endpoint is vulnerable to known attacks against XML Encryption. To this end, the auditor supplies suitable test vectors in plaintext; the attacker encrypts them with the decryptor's public key and sends the resulting ciphertexts to the endpoint, so that its behaviour can be observed for each vector.

XML Signature Wrapping (XSW) against SAML is an attack in which a manipulated SAML message is submitted so that the endpoint verifies the signature over the originally signed part of the message, but takes the authentication statements from a different, attacker-generated part of the same message. Because the attacker can then forge arbitrary SAML assertions that a vulnerable endpoint accepts as valid, the impact can be severe.
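The following is an added example, not part of EsPReSSO or of the original post, that shows in a toy SAML consumer why XSW works and which processing order defeats it. Real XML-DSig (canonicalization, the enveloped transform, RSA) is stood in for by an HMAC over the serialized Assertion, namespaces are omitted, and the key, IDs and subject names are all constructed for the example; what is real is the wrapping layout, the ID-based Reference lookup and the "verify one element, consume another" bug that the text describes.

```python
"""Added example (not EsPReSSO's code): XML Signature Wrapping against a
toy SAML consumer.  XML-DSig is replaced by an HMAC over the serialized
Assertion and namespaces are omitted so it runs on the standard library
only; the key and all IDs/names below are constructed for the example."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"constructed-stand-in-for-the-idp-signing-key"


def serialize(elem: ET.Element) -> bytes:
    """Canonicalization stand-in: the element's subtree without its tail text."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c)


def signature_value(elem: ET.Element) -> str:
    """Stand-in for the SignatureValue over the referenced element."""
    return hmac.new(IDP_KEY, serialize(elem), hashlib.sha256).hexdigest()


def idp_issue(name_id: str) -> bytes:
    """IdP side: a Response with one Assertion and a detached Signature
    that references the Assertion by ID, as XML-DSig does."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID="_a1")
    ET.SubElement(ET.SubElement(assertion, "Subject"), "NameID").text = name_id
    sig = ET.SubElement(root, "Signature")
    ET.SubElement(sig, "Reference", URI="#_a1")
    ET.SubElement(sig, "SignatureValue").text = signature_value(assertion)
    return ET.tostring(root)


def xsw_wrap(response: bytes, forged_name_id: str) -> bytes:
    """Attacker side: keep the signed Assertion byte-for-byte intact (so its
    signature still verifies) but bury it inside a forged, unsigned
    Assertion that now comes first in document order."""
    root = ET.fromstring(response)
    original = root.find("Assertion")
    root.remove(original)
    forged = ET.Element("Assertion", ID="_evil")
    ET.SubElement(ET.SubElement(forged, "Subject"), "NameID").text = forged_name_id
    forged.append(original)  # signed element survives, merely relocated
    root.insert(0, forged)
    return ET.tostring(root)


def _verify_reference(root: ET.Element, signed: ET.Element) -> None:
    expected = root.findtext("Signature/SignatureValue") or ""
    if not hmac.compare_digest(signature_value(signed), expected):
        raise ValueError("signature does not verify")


def consume_vulnerable(response: bytes) -> str:
    """Verifies whatever element the Reference ID resolves to (anywhere in
    the tree), then reads the subject from the first Assertion found by path."""
    root = ET.fromstring(response)
    ref_id = root.find("Signature/Reference").get("URI").lstrip("#")
    signed = next(e for e in root.iter("Assertion") if e.get("ID") == ref_id)
    _verify_reference(root, signed)
    assertion = root.find(".//Assertion")  # BUG: not necessarily `signed`
    return assertion.findtext("Subject/NameID")


def consume_hardened(response: bytes) -> str:
    """Uses only the element whose signature was verified, and refuses any
    document where that element is not where the schema says it must be."""
    root = ET.fromstring(response)
    assertions = list(root.iter("Assertion"))
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    signed = assertions[0]
    if signed not in list(root):
        raise ValueError("Assertion must be a direct child of Response")
    ref_id = root.find("Signature/Reference").get("URI").lstrip("#")
    if signed.get("ID") != ref_id:
        raise ValueError("Signature does not reference this Assertion")
    _verify_reference(root, signed)
    return signed.findtext("Subject/NameID")


def rejects(consumer, response: bytes) -> bool:
    """True if `consumer` refuses `response` with a ValueError."""
    try:
        consumer(response)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    legit = idp_issue("alice")
    wrapped = xsw_wrap(legit, "admin")
    print("legit  :", consume_vulnerable(legit), consume_hardened(legit))
    print("wrapped:", consume_vulnerable(wrapped),
          "rejected" if rejects(consume_hardened, wrapped) else "ACCEPTED")
```

The vulnerable consumer accepts the wrapped message as "admin" because the Reference still resolves to the untouched, validly signed Assertion, while the subject is read from the first Assertion in document order, which is the forged one. The hardened consumer pins the assertion it acts on to the element it verified, requires that element to sit where the SAML schema expects it, and rejects documents with more than one Assertion; real implementations must additionally apply the same discipline to every signed part and enforce ID uniqueness.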

We have published two new blog posts on testing with EsPReSSO, one on XML Encryption <https://web-in-security.blogspot.com/2019/06/probing-for-xml-encryption-weaknesses_15.html> and one on XML Signature Wrapping <https://web-in-security.blogspot.com/2019/07/testing-saml-endpoints-for-xml.html>.