rub-nds / burpssoextension Goto Github PK

Clearing History brings the Error, that "This Action is not yet implemented"

Current workaround is to close and restart Burp.

Hi,

I am using Burp 1.7.36 and started it with Java 1.8
So when I try to use Signature Wrapping from Attacker tab, I am facing the error below.
How can I solve it?

Regards,

sh-3.2# java -jar burpsuite_community_v1.7.36.jar
+-----------------------------------------------------------------------+
| EsPReSSO - Extension for Processing and Recognition of Single Sign-on |
| Started @ 15:52:51 |
+-----------------------------------------------------------------------+
[I] 15:52:51 - [burp.BurpExtender]: Tab registered.
[I] 15:52:51 - [burp.BurpExtender]: Scanner registered.
[I] 15:52:51 - [burp.BurpExtender]: SAML editor registered.
[I] 15:52:51 - [burp.BurpExtender]: JSON editor registered.
[I] 15:52:51 - [burp.BurpExtender]: JWT editor registered.
[I] 15:52:51 - [burp.BurpExtender]: ExtensionStateListener registered
[I] 15:52:51 - [burp.BurpExtender]: Init. complete.
[D] 16:04:44 - [de.rub.nds.burp.espresso.scanner.ScanAndMarkSSO]: SAML Authentication Request
[D] 16:04:44 - [de.rub.nds.burp.utilities.protocols.SAML]: Analyse: SAML with ID: xxxxxxx
[D] 16:04:57 - [de.rub.nds.burp.espresso.scanner.ScanAndMarkSSO]: SAML Authentication Request
[D] 16:04:57 - [de.rub.nds.burp.utilities.protocols.SAML]: Analyse: SAML with ID: xxxxxxx
[D] 16:04:57 - [de.rub.nds.burp.utilities.protocols.SAML]: (SAML )
[D] 16:04:57 - [de.rub.nds.burp.utilities.protocols.SAML]: Probability: 1.0
[D] 16:05:12 - [de.rub.nds.burp.espresso.editor.saml.SAMLEditor$InputTab]: Editor@1415845757 attached.
[D] 16:05:16 - [de.rub.nds.burp.espresso.scanner.ScanAndMarkSSO]: SAML Authentication Request
[D] 16:05:16 - [de.rub.nds.burp.utilities.protocols.SAML]: Analyse: SAML with ID: xxxxxxx
[D] 16:05:16 - [de.rub.nds.burp.utilities.protocols.SAML]: (SAML SAML )
[D] 16:05:16 - [de.rub.nds.burp.utilities.protocols.SAML]: Probability: 1.0
[D] 16:05:16 - [de.rub.nds.burp.espresso.editor.saml.SAMLEditor$InputTab]: Editor@1415845757 attached.
[D] 16:05:17 - [de.rub.nds.burp.espresso.editor.saml.SAMLEditor$InputTab]: Start setMessage().
[D] 16:05:17 - [de.rub.nds.burp.espresso.editor.saml.SAMLEditor$InputTab]: Activate tabs.
[D] 16:05:17 - [de.rub.nds.burp.espresso.editor.saml.SAMLEditor$InputTab]: Begin XML deserialization.
[D] 16:05:17 - [de.rub.nds.burp.espresso.editor.saml.SAMLEditor$InputTab]: SAMLResponsedeserialized.
[D] 16:05:17 - [de.rub.nds.burp.espresso.editor.saml.SAMLEditor$InputTab]: Notify all tabs.
[D] 16:05:17 - [de.rub.nds.burp.espresso.editor.saml.SAMLEditor$InputTab]: End setMessage().
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
at java.util.ArrayList.rangeCheck(ArrayList.java:657)
at java.util.ArrayList.get(ArrayList.java:433)
at de.rub.nds.burp.espresso.gui.attacker.saml.xsw.UISigWrapAttackInit.jButtonGenerateVectorsActionPerformed(UISigWrapAttackInit.java:353)
at de.rub.nds.burp.espresso.gui.attacker.saml.xsw.UISigWrapAttackInit.access$100(UISigWrapAttackInit.java:62)
at de.rub.nds.burp.espresso.gui.attacker.saml.xsw.UISigWrapAttackInit$2.actionPerformed(UISigWrapAttackInit.java:133)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022)
at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2348)
at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252)
at java.awt.Component.processMouseEvent(Component.java:6533)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3324)
at java.awt.Component.processEvent(Component.java:6298)
at java.awt.Container.processEvent(Container.java:2236)
at java.awt.Component.dispatchEventImpl(Component.java:4889)
at java.awt.Container.dispatchEventImpl(Container.java:2294)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4888)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4525)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4466)
at java.awt.Container.dispatchEventImpl(Container.java:2280)
at java.awt.Window.dispatchEventImpl(Window.java:2746)
at java.awt.Component.dispatchEvent(Component.java:4711)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:90)
at java.awt.EventQueue$4.run(EventQueue.java:731)
at java.awt.EventQueue$4.run(EventQueue.java:729)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:80)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

Hi, I found a vulnerability on this extension. The vulnerability exists in the EsPReSSO version that is on the BApp Store (1.0?) and also on the latest release (2.0.1) on Github.
How would you like me to report it?
Please provide the appropriate contact information or instructions for where to report it.

I am trying to get my head around the intent of the attacker interface. I have read Tim Guenther's Thesis. Specifically the choosing of an attack vector for signature wrapping: is the intent to attempt an attack for each vector? This seems awkward as there could be hundreds. Also, I notice that the oracle increments the attack could after each attempt even though I have not modified the payload, perhaps this is because the payload is now permanently modified.

Please make EsPReSSO use ".EsPReSSO" instead of "EsPReSSO". It makes my home directory messy. :)

Hi,

it would be nice if the extension would be able to detect JSON Web Tokens (JWT) as well, as they are also frequently used for single sign-on. Such a token consists of the Base64URL-encoded chunks separated by two dots, for example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Note that the = signs that are used for padding are stripped away at the end of each Base64 chunk and re-added just before the token is decoded. Also, + signs are replaced by - signs and / is replaced by _ (that's what Base64URL encoding does). Look at this JWT implementation at lines 29 and 44 to see an example. I'm explaining this because I thought it could make a difference when trying to detect such tokens in HTTP traffic.

Cheers
Thomas

Linux works fine.

I cannot edit the payload window with the keyboard, but I can work around this just by using the mouse and using the context menu. I have to copy and paste any changes I need. The linux version allows keyboard input. Other elements of burp allow keyboard input.

If you use the *Extension -> EsPrESSO" Tab in the interception tab to view or edit SAML content, and you click on forward (ctrl-f), the next inteception tab will not show up any extensions.

Current work around:
Before you click on "Forward" you have to leave the extension tab by going back to the "RAW" view.
Then it works. If you forget once, you have to restart Burp...

Documentation

Normally, it should look like this:

If the error occurs, the extension tab is missing:

Running in recent Kali Linux with OpenJDK 11.

EsPReSSO fails to parse some SAML requests. The Source Code tab of EsPReSSO says:

<error>Something went wrong during init.!</error>

...and SAML Request tab is empty. Error log in burp has this:

[E] 12:10:11 - [de.rub.nds.burp.espresso.gui.attacker.saml.UISigWrapAttack]:	org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
	com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:257)
	com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:348)
	wsattacker.library.xmlutilities.dom.DomUtilities.stringToDom(DomUtilities.java:468)
	de.rub.nds.burp.espresso.gui.attacker.saml.UISigWrapAttack.initXsw(UISigWrapAttack.java:332)
	de.rub.nds.burp.espresso.gui.attacker.saml.UISigWrapAttack.setCode(UISigWrapAttack.java:386)
	de.rub.nds.burp.utilities.listeners.CodeListenerController.notifyAll(CodeListenerController.java:60)
	de.rub.nds.burp.espresso.editor.saml.SAMLEditor$InputTab.setMessage(SAMLEditor.java:230)
	burp.v2c.a(Unknown Source)
	burp.rmb.a(Unknown Source)
	burp.rmb.b(Unknown Source)
	burp.pn.run(Unknown Source)
	java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
	java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
	java.awt.EventQueue.access$500(EventQueue.java:97)
	java.awt.EventQueue$3.run(EventQueue.java:709)
	java.awt.EventQueue$3.run(EventQueue.java:703)
	java.security.AccessController.doPrivileged(Native Method)
	java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:76)
	java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
	java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

java.lang.NullPointerException
	at burp.v2c.a(Unknown Source)
	at burp.rmb.a(Unknown Source)
	at burp.rmb.b(Unknown Source)
	at burp.pn.run(Unknown Source)
	at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
	at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:76)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

This is tested on Burp versions 1.7.13 and 1.6.01 with Oracle Java 1.8.0_60-b27 as well as OpenJDK.

It would be nice if Packets could be Sent to Repeater directly from the EsPReSSO. Currently you have to go to Proxy history and get the packet there.

See RUB-NDS/JOSEPH#17