RUB-NDS/BurpSSOExtension RUB-NDS/BurpSSOExtension

  • Stars
    star
    116
  • Rank 303,894 (Top 6 %)
  • Language
    Java
  • License
    Other
  • Created over 9 years ago
  • Updated over 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
RUB-NDS/BurpSSOExtension
github

RUB-NDS

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

An extension for BurpSuite that highlights SSO messages in Burp's proxy window..

EsPReSSO

Build Status licence release status

Extension for Processing and Recognition of Single Sign-On Protocols

The extension is based on the BurpSSO Extension, developed by the Chair of Network and Data Security, Ruhr University Bochum and the Hackmanit GmbH. The extension is part of a bachelor thesis by Tim Guenther at the Ruhr-University Bochum in cooperation with Context Information Security Ltd..

Features

Detecting

Supported Protocols:

  • SAML
  • OpenID
  • OAuth
  • BrowserId
  • OpenID Connect
  • Facebook Connect
  • Microsoft Account

Attacking

  • WS-Attacker integration while intercepting SAML messages
  • DTD-Attacker integration while intercepting SAML messages
  • XML-Encryption-Attacker integration while intercepting SAML messages

Beautifier

  • Syntax Highlight
  • Highlight SSO messages in proxy window and display the protocol type
  • Show all recognized SSO messages in a history tab
  • Context menu for 'Analyze SSO Protocol'

Editors/Viewers

  • View and edit SAML
  • View JSON and JSON Web Token (JWT)

Build

$ mvn clean package

(Please start Burp with Java 1.8)

Installation and Usage

  • Build the JAR file as described above, or download it from releases.
  • Load the JAR file from the target folder into Burp's Extender. (Start Burp with Java 1.8)
  • SSO messages are highlighted automatically in Burp's HTTP history (Proxy tab).
  • SAML, JSON and JWT editors and viewers attached automatically.
  • A SSO History, Options and Help can be found in a new tab called 'EsPReSSO'.

Dependencies and Licences

Dependency Licence Access Date Link Copyright (c) Date, Name
RSyntaxTextArea modified BSD license 20.09.2015 https://github.com/bobbylight/RSyntaxTextArea 2012, Robert Futrell
json-simple Apache License 2.0 20.09.2015 https://code.google.com/p/json-simple/ Unkown, Yidong Fang
WSAttacker GNU General Public License v2.0 20.09.2015 https://github.com/RUB-NDS/WS-Attacker/ 2012, Christain Mainka, Andreas Falkenberg, Jurai Somorovski, et al.
junit Eclipse Public License 1.0 12.03.2018 https://github.com/junit-team/junit4 Unkown, Erich Gamma and Kent Beck.
jutf7 MIT license 12.03.2018 https://sourceforge.net/projects/jutf7/ 2011, Jaap Beetstra
commons-io Apache License 2.0 12.03.2018 https://github.com/apache/commons-io 2012, Scott Sanders, et al.

Tested with:

  • Java 1.8.0._151
  • Burp Suite 1.7.36
  • Ubuntu 16.04.3 LTS, amd64
  • Netbeans 8.2
  • Maven 3.3.9

More Repositories

1

PRET

Printer Exploitation Toolkit - The tool that made dumpster diving obsolete.
Python
3,909
star
2

Terrapin-Scanner

This repository contains a simple vulnerability scanner for the Terrapin attack present in the paper "Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation".
Go
887
star
3

WS-Attacker

WS-Attacker is a modular framework for web services penetration testing. It is developed by the Chair of Network and Data Security, Ruhr University Bochum (https://nds.rub.de/ ) and the Hackmanit GmbH (https://www.hackmanit.de/).
Java
469
star
4

CORStest

A simple CORS misconfiguration scanner
Python
387
star
5

Metadata-Attacker

A tool to generate media files with malicious metadata
PHP
124
star
6

PDF101

Artifacts for the Black Hat talk.
Python
97
star
7

REST-Attacker

REST-Attacker is designed as a proof-of-concept for the feasibility of testing generic real-world REST implementations. Its goal is to provide a framework for REST security research.
Python
78
star
8

xsinator.com

XS-Leak Browser Test Suite
JavaScript
68
star
9

alpaca-code

Artifacts to the ALPACA attack.
C
60
star
10

DTD-Attacks

Tests for different parsers from Ruby, Python, .NET, PHP, Perl, Java
Java
57
star
11

Johnny-You-Are-Fired

Artifacts for the USENIX publication.
57
star
12

MS-RMS-Attacks

Breaking the security of Microsoft's RMS
C++
51
star
13

Terrapin-Artifacts

This repository contains the artifacts for the paper "Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation".
Python
46
star
14

JOSEPH

Java
32
star
15

OpenID-Attacker

Java
27
star
16

PrOfESSOS

PrOfESSOS is our open source implementation for fully automated Evaluation-as-a-Service for SSO. PrOfESSOS introduces a generic approach to improve the security of OpenID Connect implementations by systematically detecting vulnerabilities.
Java
27
star
17

SAML-XXE-Test

Simple XXE test suite generated specifically for SAML interfaces
Python
21
star
18

pdf-attacker

Python
21
star
19

thesis_layout

Latex template for students writing a bachelor or master thesis
TeX
18
star
20

ikev1-psk-main-mode-dict-attacker

Proof-of-Concept Dictionary Attacker against IKEv1 PSK in Main Mode
Python
16
star
21

SocketProxy

Simple proxy designed to intercept and modify connections on the transport level. This means you can also modify TLS raw bytes.
Java
16
star
22

Office-Security

Artifacts for the WOOT publication.
HTML
14
star
23

FutureTrust

FutureTrust analyzes electronic identification (eID) services in Europe and beyond. It is funded within the EU Framework Programme for Research and Innovation (Horizon 2020).
Java
11
star
24

DISTINCT

Dynamic In-Browser Single Sign-On Tracer Inspecting Novel Communication Techniques
JavaScript
10
star
25

OOXML_Signature_Security

USENIX 2023 Artifacts
10
star
26

AutoLeak

Find XS-Leaks in the browser by diffing DOM-Graphs in two states
JavaScript
10
star
27

your-sop.com

PHP
9
star
28

SOAP-Test-Webservices

SOAP webservices of different SOAP frameworks including samples for WS-Security.
Java
8
star
29

Covert-Content-Attacks

Artifacts for the DEF CON talk.
6
star
30

exposee_layout

Latex template for students writing an exposé for a seminar or thesis
TeX
6
star
31

WS-TLS-Scanner

The TLS-Scanner for the SIWECOS Project
Java
6
star
32

CVE-2020-2655-DemoServer

Java
5
star
33

SECRET

A Secure, Efficient, and Collaborative Real-Time Web Editor
CoffeeScript
5
star
34

Gridcoin-Attacks

The source code of our attacking tool described in the paper "Breaking and Fixing Gridcoin" published at WOOT'17, see also:
C++
5
star
35

JavaCryptoExamples

Examples for using Java Crypto
Java
4
star
36

Terrapin-Website

This repository hosts the public website for the paper "Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation" via GitHub Pages.
HTML
4
star
37

RKE

Implementation of ratcheted key exchange protocol (Poettering and Rösler, CRYPTO 2018, https://ia.cr/2018/296) by Marco Smeets
Java
4
star
38

WS-Attacker-Plugin_Denial_of_Service

Denial_of_Service - A git submodule for WS-Attacker
Java
3
star
39

SyncEnc-Keyserver

A Key Management Server for SyncEnc
JavaScript
2
star
40

WS-Attacker-Library_Intelligent_Denial_of_Service_Library

Intelligent_Denial_of_Service_Library - A git submodule for WS-Attacker
Java
2
star
41

PDF-Tester

PDF Tester can be used to evaluate the signature status of a PDF document under different PDF applications.
C#
2
star
42

JsseTLS

Java
2
star
43

BouncyCastleTLS

BouncyCastle TLS examples
Java
2
star
44

WS-Attacker-Library_Signature_Faking_Library

Signature_Faking_Library - A git submodule for WS-Attacker
Java
1
star
45

alpaca-attack

HTML
1
star
46

AKE-Cryptoverif-Tutorial

HTML
1
star
47

Mitigation-of-Attacks-on-Email-E2E-Encryption

Research Artifacts for the Publication "Mitigation of Attacks on Email End-to-End Encryption"
Python
1
star
48

IPsec-StateMachineExtractor

Extract the state machine of an IKEv1/IKEv2 implementation
Java
1
star
49

SyncEnc-App

Java
1
star
50

WS-Attacker-Library_XML_Encryption_Attack_Library

XML_Encryption_Attack_Library - A git submodule for WS-Attacker
Java
1
star
51

Single-Sign-On-Libraries

Java
1
star
52

ShareJSXML

Library to allow concurrent editing of XML documents using Operational Transforms based on ShareJS 0.6
CoffeeScript
1
star
53

SyncEnc-Demonstrator

A Demonstrator for Collaborative Encrypted Editing
JavaScript
1
star
54

WS-Attacker-Plugin_SoapAction_Spoofing

SoapAction_Spoofing - A git submodule for WS-Attacker
Java
1
star
55

WS-Attacker-Plugin_Signature_Wrapping

Signature_Wrapping - A git submodule for WS-Attacker
Java
1
star
56

WS-Attacker-Plugin_XML_Encryption_Attack

XML_Encryption_Attack - A git submodule for WS-Attacker
Java
1
star
57

WS-Attacker-Plugin_Intelligent_Denial_of_Service

Intelligent_Denial_of_Service - A git submodule for WS-Attacker
Java
1
star
58

XMLSec-WebCrypto

An implementation for the XML Security Standard using the W3C WebCrypto API
CoffeeScript
1
star
59

oidc-docker-libs

Python
1
star
60

medfuzz

Fuzzing plattform for medical protocols
C++
1
star
61

DocumentSignatureValidator

Automation tool for evaluating the signature status of office documents
C++
1
star
62

WS-Attacker-Library_SoapHttpClient

SoapHttpClient - A git submodule for WS-Attacker
Java
1
star
63

WS-Attacker-Library_Signature_Wrapping

Signature_Wrapping_Library - A git submodule for WS-Attacker
Java
1
star
64

WS-Attacker-Plugin_WS_Addressing_Spoofing

WS_Addressing_Spoofing - A git submodule for WS-Attacker
Java
1
star
65

WS-Attacker-Library_XML_Utilities

WS-Attacker-Library_XML-Utilities- A git submodule for WS-Attacker
Java
1
star
66

WS-Attacker-Plugin_OptionsTesterPlugin

OptionsTesterPlugin - A git submodule for WS-Attacker
Java
1
star
67

WS-Attacker-Library_Schema_Analyzer

Schema_Analyzer_Library - A git submodule for WS-Attacker
Java
1
star