{"id":7226,"date":"2016-06-06T17:00:54","date_gmt":"2016-06-06T15:00:54","guid":{"rendered":"https:\/\/www.insinuator.net\/?p=7226"},"modified":"2016-10-12T09:14:41","modified_gmt":"2016-10-12T07:14:41","slug":"samlrequest-burpsuite-extention","status":"publish","type":"post","link":"https:\/\/insinuator.net\/2016\/06\/samlrequest-burpsuite-extention\/","title":{"rendered":"SAMLReQuest Burpsuite Extension"},"content":{"rendered":"<p class=\"western\">Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between a Service Provider (SP) and an Identity Provider (IdP). SAML is used in many Single Sign-On (SSO) implementations, where a user authenticates once at the IdP and can then access multiple related SPs. When a user requests access to an SP, the SP creates a SAML authentication request (an AuthnRequest) and redirects the user to the IdP, which authenticates the user according to that request. If authentication succeeds, the IdP creates a SAML authentication response and sends it back to the SP through the user&#8217;s browser.<\/p>\n<p class=\"western\"><!--more--><\/p>\n<p class=\"western\">The SP can attach the SAML authentication request to the redirect in two ways. The first is the HTTP Redirect Binding, where the authentication request is carried in the URL query string. Because URL length is limited, the request is first deflated (raw DEFLATE compression, without a zlib header), then Base64 encoded, then URL encoded. The second is the HTTP POST Binding, where the authentication request is sent as a POST form parameter. In this case it is not compressed: it is only Base64 encoded and then form (URL) encoded.<\/p>\n<p class=\"western\">SAML Raider is an excellent Burp Suite extension for testing SAML authentication responses, but it does not process SAML requests, so Burp offers no convenient way to pentest SAML authentication requests. The SAML ReQuest extension adds this feature to Burp. 
So instead of copying SAML authentication requests out of Burp, decoding, decompressing, modifying, then compressing and encoding the request again with external tools, this extension does all of these transformations automatically inside Burp. This lets pentesters test an IdP against manipulated or malformed requests faster and more conveniently, and without any conflict with SAML Raider.<\/p>\n<p class=\"western\">SAML ReQuest checks every request for a \u201cSAMLRequest\u201d parameter. If one is present, it does the following:<\/p>\n<ol>\n<li>\n<p class=\"western\">Checks the HTTP request method<\/p>\n<\/li>\n<li>\n<p class=\"western\">If the method is GET (HTTP Redirect Binding), the authentication request is deflated, so it:<\/p>\n<ol>\n<li>\n<p class=\"western\">URL decodes the parameter<\/p>\n<\/li>\n<li>\n<p class=\"western\">Base64 decodes the result of step 1<\/p>\n<\/li>\n<li>\n<p class=\"western\">Decompresses (inflates) the result of step 2<\/p>\n<\/li>\n<\/ol>\n<\/li>\n<li>\n<p class=\"western\">If it is a POST request (HTTP POST Binding), the authentication request is not deflated, so it:<\/p>\n<ol>\n<li>\n<p class=\"western\">URL decodes the parameter<\/p>\n<\/li>\n<li>\n<p class=\"western\">Base64 decodes the result of step 1<\/p>\n<\/li>\n<\/ol>\n<\/li>\n<li>\n<p class=\"western\">Displays the decoded SAML authentication request in a new &#8220;sub-tab&#8221; of the Intercept tab, as shown in Figure 1.<\/p>\n<\/li>\n<li>\n<p class=\"western\">If you modify the authentication request in the &#8220;sub-tab&#8221;, the &#8220;SAMLRequest&#8221; parameter in the original request is updated accordingly (re-compressed for GET, then Base64 and URL encoded again).<\/p>\n<\/li>\n<li>\n<p class=\"western\">After the request has been sent, the decoded SAML request remains visible in the Proxy history, as shown in Figure 2.<\/p>\n<\/li>\n<\/ol>\n<figure id=\"attachment_7230\" aria-describedby=\"caption-attachment-7230\" style=\"width: 615px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-7230 \" 
src=\"https:\/\/www.insinuator.net\/wp-content\/uploads\/2016\/06\/SAML_auth_req-300x86.png\" alt=\"Decoded and decompressed SAML Authentication request\" width=\"615\" height=\"176\" srcset=\"https:\/\/insinuator.net\/wp-content\/uploads\/2016\/06\/SAML_auth_req-300x86.png 300w, https:\/\/insinuator.net\/wp-content\/uploads\/2016\/06\/SAML_auth_req-768x221.png 768w, https:\/\/insinuator.net\/wp-content\/uploads\/2016\/06\/SAML_auth_req.png 970w\" sizes=\"auto, (max-width: 615px) 100vw, 615px\" \/><figcaption id=\"caption-attachment-7230\" class=\"wp-caption-text\">Figure 1: Decoded and decompressed SAML Authentication request<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_7228\" aria-describedby=\"caption-attachment-7228\" style=\"width: 604px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-7228\" src=\"https:\/\/www.insinuator.net\/wp-content\/uploads\/2016\/06\/inProxy-300x131.png\" alt=\"Figure 2: Cleartext SAML Authentication request in Proxy history\" width=\"604\" height=\"264\" srcset=\"https:\/\/insinuator.net\/wp-content\/uploads\/2016\/06\/inProxy-300x131.png 300w, https:\/\/insinuator.net\/wp-content\/uploads\/2016\/06\/inProxy-768x336.png 768w, https:\/\/insinuator.net\/wp-content\/uploads\/2016\/06\/inProxy.png 922w\" sizes=\"auto, (max-width: 604px) 100vw, 604px\" \/><figcaption id=\"caption-attachment-7228\" class=\"wp-caption-text\">Figure 2: Cleartext SAML Authentication request in Proxy history<\/figcaption><\/figure>\n<p>You can download SAMLReQuest <a href=\"http:\/\/www.ernw.de\/download\/SAMLReQuest_v1.jar\">here<\/a>. 
I will be delighted if you try it, and feel free to leave a comment if you have any suggestion on how to develop this extension further, or any other comment.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between a Service Provider (SP) and an Identity Provider (IdP). SAML is used in many Single Sign-On (SSO) implementations, where a user authenticates once at the IdP and can then access multiple related SPs. When a user requests access to an SP, [&hellip;]<\/p>\n","protected":false},"author":38,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[102,393,45],"ppma_author":[873],"class_list":["post-7226","post","type-post","status-publish","format-standard","hentry","category-breaking","tag-burp","tag-saml","tag-tool"],"authors":[{"term_id":873,"user_id":38,"is_guest":0,"slug":"aabolhadid","display_name":"Ahmad 
Abolhadid","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/41253a5ceb0e6cdbb6a72d4ecef3b09c78728a58a2eb684e2f0d00e75a6fa051?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/posts\/7226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/users\/38"}],"replies":[{"embeddable":true,"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/comments?post=7226"}],"version-history":[{"count":6,"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/posts\/7226\/revisions"}],"predecessor-version":[{"id":7240,"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/posts\/7226\/revisions\/7240"}],"wp:attachment":[{"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/media?parent=7226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/categories?post=7226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/tags?post=7226"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/insinuator.net\/wp-json\/wp\/v2\/ppma_author?post=7226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
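The decode, edit, re-encode cycle that the extension automates for the two bindings (steps 1 to 5 of the list in the post), as an added worked example in Python. This is not code from the original post or from the SAMLReQuest extension. The AuthnRequest XML, the example.com host names and the AssertionConsumerServiceURL edit are constructed for illustration; the raw-DEFLATE detail (no zlib header, so `wbits=-15`) and the `SigAlg`/`Signature` query parameters come from the SAML 2.0 bindings specification.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Register the conventional prefixes so ElementTree re-serialises the edited
# request with samlp:/saml: instead of auto-generated ns0:/ns1: prefixes.
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Constructed sample AuthnRequest (illustrative, not captured from a real SP).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_a1b2c3d4" Version="2.0" IssueInstant="2016-06-06T15:00:54Z" '
    'Destination="https://idp.example.com/sso" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def decode_saml_request(param_value, method):
    """Undo the SP's encoding of a SAMLRequest parameter and return the XML text.

    GET  -> HTTP Redirect Binding: URL-decode, Base64-decode, inflate.
    POST -> HTTP POST Binding:     form-decode, Base64-decode (no compression).
    """
    if method.upper() == "GET":
        b64 = urllib.parse.unquote(param_value)       # percent-decoding only
        data = base64.b64decode(b64)
        # The Redirect Binding uses raw DEFLATE (RFC 1951) with no zlib header,
        # so wbits=-15 is required; a plain zlib.decompress() would raise.
        data = zlib.decompress(data, -15)
    elif method.upper() == "POST":
        b64 = urllib.parse.unquote_plus(param_value)  # form decoding ('+' is a space)
        data = base64.b64decode(b64)
    else:
        raise ValueError("SAMLRequest is only carried by GET or POST")
    return data.decode("utf-8")


def encode_saml_request(xml_text, method):
    """Re-apply the binding's encoding so the edited XML can be forwarded."""
    data = xml_text.encode("utf-8")
    if method.upper() == "GET":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no header
        data = comp.compress(data) + comp.flush()
        return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")
    if method.upper() == "POST":
        return urllib.parse.quote_plus(base64.b64encode(data).decode("ascii"))
    raise ValueError("SAMLRequest is only carried by GET or POST")


def set_acs_url(xml_text, new_url):
    """Example manipulation: change the AssertionConsumerServiceURL attribute.

    Whether the IdP checks this value against the SP's registered endpoints
    is one of the things a tester wants to know about an IdP.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest")
    root.set("AssertionConsumerServiceURL", new_url)
    return ET.tostring(root, encoding="unicode")


def redirect_request_is_signed(query_params):
    """True if a Redirect-binding query string carries SigAlg and Signature.

    A correctly implemented IdP rejects any edit to a signed SAMLRequest.
    """
    return "SigAlg" in query_params and "Signature" in query_params


def roundtrip(method, new_url="https://attacker.example/acs"):
    """The flow the extension performs: decode what the SP sent, edit, re-encode."""
    encoded = encode_saml_request(SAMPLE_AUTHN_REQUEST, method)  # what the SP sends
    xml_text = decode_saml_request(encoded, method)              # what the sub-tab shows
    tampered = set_acs_url(xml_text, new_url)                    # the tester's edit
    re_encoded = encode_saml_request(tampered, method)           # updated parameter
    # Sanity check: what the IdP will decode must be exactly what was edited.
    assert decode_saml_request(re_encoded, method) == tampered
    return tampered, re_encoded


if __name__ == "__main__":
    for m in ("GET", "POST"):
        xml_out, param = roundtrip(m)
        print(m, "SAMLRequest=" + param[:60] + "...")
        print(xml_out)
```

The GET path percent-encodes every Base64 character that is not URL-safe (`+`, `/`, `=`), which avoids the common failure where a literal `+` in the query string is decoded as a space by the receiving framework and the Base64 no longer parses. The signature check is only a detection helper; verifying or forging `Signature` is outside this example.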