EsPReSSO - A good morning starts with coffee!
In this post I describe the tool I wrote for my Bachelor thesis at the Chair for Network and Data Security, with support from Context Information Security Ltd. EsPReSSO is an acronym for "Extension for Recognition and Processing of Single Sign-on Protocols". The basic idea behind EsPReSSO is to automate the standard tasks of detecting and classifying the Single Sign-On (SSO) protocols OpenID, BrowserID, SAML, OAuth, OpenID Connect, Facebook Connect and Microsoft Account. The tool is integrated with PortSwigger's HTTP proxy, Burp Suite. Furthermore, EsPReSSO integrates the WS-Attacker to attack SAML services semi-automatically or manually. EsPReSSO consists of two core components, the Scanner and the Attacker.
EsPReSSO Scanner
The SSO authentication process consists of a complex sequence of HTTP messages with different GET and POST parameters. When analysing the HTTP traffic of a modern browser, the important SSO messages are mixed with countless irrelevant messages, such as advertisement requests or AJAX requests from other open tabs. To identify SSO messages we first have to distinguish between OAuth-based protocols, such as OpenID Connect, Microsoft Account and Facebook Connect, and non-OAuth-based protocols such as SAML, OpenID and BrowserID.
The latter protocols turned out to be easy to classify thanks to their unique parameters. In contrast, detecting the OAuth-family protocols was not trivial: the similarities between their protocol flows made it hard to identify every protocol properly.
To simplify this analysis, EsPReSSO attempts to analyse and highlight the SSO requests sent by the browser. The results can be reviewed in an extra history designed for SSO protocols as well as in Burp Suite's built-in HTTP proxy history. To examine individual SSO messages more closely, EsPReSSO integrates a SAML, JSON and JWT (JSON Web Token) editor.
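As an added illustration of the classification idea sketched above (my own example, not EsPReSSO's code), the following Python applies the two-step approach from the post: non-OAuth protocols are recognised by parameters that only they use, while OAuth-family requests share the same parameters and must be told apart by issuer host and scope. The marker parameters, host table and sample requests are a simplified rule set constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Parameters that identify a non-OAuth protocol on their own
# (simplified rule set chosen for this example, not EsPReSSO's).
UNIQUE_PARAMS = {
    "SAML": {"SAMLRequest", "SAMLResponse"},   # SAML HTTP Redirect/POST bindings
    "OpenID": {"openid.ns", "openid.mode"},    # OpenID 2.0 request parameters
    "BrowserID": {"assertion"},                # BrowserID assertion posted to the RP
}
# Parameters shared by every OAuth-family protocol; they do not identify a dialect.
OAUTH_PARAMS = {"response_type", "client_id", "redirect_uri",
                "scope", "code", "access_token"}
# Issuer hosts used to disambiguate OAuth dialects (assumption for this example).
OAUTH_HOSTS = {"facebook.com": "Facebook Connect", "login.live.com": "Microsoft Account"}


def classify(method, url, body=""):
    """Return the SSO protocol name for one HTTP request, or None if unrelated."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if method.upper() == "POST" and body:
        params.update(parse_qs(body))   # form-encoded POST parameters count too
    names = set(params)
    # Step 1: non-OAuth protocols carry parameters no other protocol uses.
    for proto, markers in UNIQUE_PARAMS.items():
        if names & markers:
            return proto
    if not (names & OAUTH_PARAMS):
        return None                     # e.g. an advertisement or AJAX request
    # Step 2: OAuth-family parameters overlap, so look at host and scope instead.
    host = parts.hostname or ""
    for suffix, proto in OAUTH_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return proto
    scopes = set(" ".join(params.get("scope", [])).split())
    rtypes = set(" ".join(params.get("response_type", [])).split())
    if "openid" in scopes or "id_token" in rtypes or "id_token" in names:
        return "OpenID Connect"
    return "OAuth"


if __name__ == "__main__":
    # Constructed sample requests, the kind a browser history would mix together.
    for req in [("GET", "https://idp.example.org/saml/sso?SAMLRequest=fZE"),
                ("POST", "https://rp.example.com/auth/browserid", "assertion=eyJ.constructed"),
                ("GET", "https://accounts.example.org/authorize?response_type=code"
                        "&client_id=rp1&scope=openid+profile"),
                ("GET", "https://ads.example.net/track?id=42&ref=news")]:
        print(req[1], "->", classify(*req))
```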
EsPReSSO Attacker
Together with the SAML editor, EsPReSSO integrates the well-known WS-Attacker of the Chair for Network and Data Security to manipulate requests while they are intercepted in Burp Suite. At the moment two attacks are implemented, XML Signature Wrapping and XML Signature Faking. With the former, it is possible to choose from over 200 different attack vectors. These attack vectors are automatically derived from a predefined setup, and the user can choose and fine-tune all of them before the modification is applied to the original message.
With the Signature Faking attack, a new signature will be computed for the given assertion.
Sources
EsPReSSO is based on Christian Mainka's 'BurpSSOExtension' and replaces it in its repository. Fork the project on GitHub and help us develop an awesome tool, or use our extension via Burp's BApp Store.
Authors of this Post
This post was written by Tim Guenther and reviewed by Christian Mainka and Vladislav Mladenov. Tim's Bachelor thesis can be found at https://www.nds.rub.de/teaching/theses/espresso-ba/