Direkt zum Hauptbereich

EsPReSSO - A good morning starts with coffee!

In this posts I describe the tool, I wrote for my Bachelor thesis at the Chair for Network and Data Security, with support of Context Information Security Ltd.. EsPReSSO is a apronym for "Extension for Recognition and Processing of Single Sing on Protocols". The basic idea behind EsPReSSO is to automate standard tasks to detect and classify the Single Sign-On (SSO) Protocols OpenID, BrowserID, SAML, OAuth, OpenID-Connect, Facebook Connect and Microsoft Account. The tool is integrate with PortSwigger's HTTP Proxy, Burp Suite. Furthermore EsPReSSO integrates the WS-Attacker, to attack SAML services semi-automated or manually.

EsPReSSO consist of two core components, the Scanner and the Attacker.

EsPReSSO Scanner


The SSO authentication process consists of a complex sequence of HTTP messages with different GET and POST parameters. During the analysis of the HTTP traffic of modern browsers important SSO messages are mixed with countless irrelevant messages like, advertisement messages or AJAX requests from other open tabs. In order to identify SSO messages we have to distinguish, at first, between OAuth based protocols, like OpenID Connect, Microsoft Account and Facebook Connect, and not OAuth based protocols like SAML, OpenID and BrowserID.
The latter of these protocols appeared to be easy to classify, due to their unique parameters. In contrary, the detection OAuth-Family protocols was not trivial. The similarities between the protocol flows made it hard to identify every protocol properly.
To simplify this analysis, EsPReSSO attempts to analyse and highlight SSO request send by the browser. The results can be reviewed in an extra history designed for SSO protocols as well as Burp Suite's built-in HTTP proxy history. To evaluate the single SSO messages better, EsPReSSO integrates a SAML, JSON and JWT (JSON Web Token) editor.

EsPReSSO Attacker


Together with the SAML editor EsPReSSO integrates the famous WS-Attacker, of the Chair for Network and Data Security, to manipulate request during the interception with Burp Suite. At the moment two attacks are implemented, XML Signature Wrapping and XML Signature Faking. With the first kind, it is possible to choose from over 200 different attack vectors. These attack vectors are automatically retrieved from a predefined setup. The user can choose and fine tune all of them before the modification is applied to the original message.
With the Signature Faking attack, a new signature will be computed for the given assertion.


EsPReSSO is based on Christian Mainka's 'BurpSSOExtension' and replaces it in its repository. Fork the project on GitHub and help us to develop an awesome tool.
Or use our Extension with Burps BApp Store.

Authors of this Post

This post was written by Tim Guenther and reviewed by Christian Mainka and Vladislav Mladenov.
Tim's Bachelor Thesis can be found at https://www.nds.rub.de/teaching/theses/espresso-ba/

Beliebte Posts aus diesem Blog

Printer Security

Printers belong arguably to the most common devices we use. They are available in every household, office, company, governmental, medical, or education institution.
From a security point of view, these machines are quite interesting since they are located in internal networks and have direct access to sensitive information like confidential reports, contracts or patient recipes.

TL;DR: In this blog post we give an overview of attack scenarios based on network printers, and show the possibilities of an attacker who has access to a vulnerable printer. We present our evaluation of 20 different printer models and show that each of these is vulnerable to multiple attacks. We release an open-source tool that supported our analysis: PRinter Exploitation Toolkit (PRET) https://github.com/RUB-NDS/PRET Full results are available in the master thesis of Jens Müller and our paper. Furthermore, we have set up a wiki (http://hacking-printers.net/) to share knowledge on printer (in)security.
The hi…

CORS misconfigurations on a large scale

Inspired by James Kettle's great OWASP AppSec Europe talk on CORS misconfigurations, we decided to fiddle around with CORS security issues a bit. We were curious how many websites out there are actually vulnerable because of dynamically generated or misconfigured CORS headers. The issue: CORS misconfiguration Cross-Origin Resource Sharing (CORS) is a technique to punch holes into the Same-Origin Policy (SOP) – on purpose. It enables web servers to explicitly allow cross-site access to a certain resource by returning an Access-Control-Allow-Origin (ACAO) header. Sometimes, the value is even dynamically generated based on user-input such as the Origin header send by the browser. If misconfigured, an unintended website can access the resource. Furthermore, if the Access-Control-Allow-Credentials (ACAC) server header is set, an attacker can potentially leak sensitive information from a logged in user – which is almost as bad as XSS on the actual website. Below is a list of CORS misc…