Editing SAMLResponse does not re-sign
Hi there,
Thanks for the great Burp extension, I use it frequently.
I'm running into some trouble performing custom modifications of SAML responses. Here's what I'd like to do: modify the SAML response (delete some attributes, change some text, etc.), then have it re-encoded / re-signed with the original certificate, not an edited certificate. Whenever I modify the response content in the "SAML Attacks" tab and forward the response the extension does not re-sign with the original certificate.
I'm not sure if this functionality existed at some point, and broke, or if it never existed at all. I'm basing that off some instruction I've seen in a few places:
- https://blog.compass-security.com/2016/11/samlrequest-support-for-saml-raider/
- "Now it is very easy to modify the SAMLRequest. The SAMLRequest is automatically encoded back in its original format and forwarded to the target, if the Forward button is clicked."
- https://github.com/CompassSecurity/SAMLRaider#message-editor
- "Edit SAML messages (SAMLRequest, SAMLResponse & custom parameter names)"
Am I missing some piece of functionality, or misunderstanding some instructions?
This is with the following versions:
- Burp Suite Professional: v2024.1.1.6
- SAML Raider: 1.4.1
Hi
I'm not sure if I understand your question correctly, because in the text you write about a SAML response and in the linked posts you mention SAML requests. What type of SAML message do you mean?
If you have a SAML response (SAML assertion, where your identity is confirmed), you can edit and re-encode/re-sign it using the original certificate. For this, you first have to import the original certificate and the corresponding private key (because without the private key, you cannot sign anything). This can be done in the "SAML Raider Certificates" tab of Burp. When imported, you can then intercept the SAML response, perform the modifications, and re-sign the response (the entire response message, or only the assertion).
Best, Mänu
Thanks for the response, I think I understand what I was doing wrong.
At first I didn't understand that importing the private key is a separate operation. Once I clicked the "Traditional RSA PEM" button on the "SAML Raider Certificates" tab I could successfully edit and re-sign intercepted messages.
I also ran into https://github.com/CompassSecurity/SAMLRaider/issues/37, but the fix there worked for me as well.
Thanks again for your help!
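The workflow described in the maintainer's answer (strip the old signature, edit the assertion, sign it again with the private key) and the "Traditional RSA PEM" key format mentioned in the follow-up, as an added example that is not part of this thread and not code from SAML Raider. It builds a minimal enveloped XML signature over a constructed sample assertion (the ID, issuer and attribute values are made up), verifies it the way a service provider would, then shows that an edited assertion fails verification until it is re-signed, and that the public key (what a certificate gives you) has no way to sign. It uses the standard library's inclusive C14N and the `cryptography` package; it is not a complete XML-DSig implementation (no exclusive C14N, no KeyInfo, no trust check on the certificate), so do not expect it to interoperate with a real SP as-is.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Constructed sample assertion (not a real capture); ID, issuer and values are made up.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_abc123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _c14n(elem):
    # Inclusive C14N of one subtree; the elements built below carry no tail text.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def sign_assertion(xml_text, private_key):
    """Drop any existing ds:Signature, then sign the assertion with the private key."""
    assertion = ET.fromstring(xml_text)
    for old in assertion.findall(f"{{{DS}}}Signature"):
        assertion.remove(old)
    digest = hashlib.sha256(_c14n(assertion)).digest()  # digest of the enveloped content
    si = ET.Element(f"{{{DS}}}SignedInfo")
    ET.SubElement(si, f"{{{DS}}}CanonicalizationMethod", Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
    ET.SubElement(si, f"{{{DS}}}SignatureMethod", Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(ET.SubElement(ref, f"{{{DS}}}Transforms"), f"{{{DS}}}Transform",
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode()
    # Only the private key can produce SignatureValue; the certificate alone cannot.
    sig_bytes = private_key.sign(_c14n(si), padding.PKCS1v15(), hashes.SHA256())
    sig = ET.Element(f"{{{DS}}}Signature")
    sig.append(si)
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(sig_bytes).decode()
    assertion.insert(1, sig)  # directly after saml:Issuer, where the schema places it
    return ET.tostring(assertion, encoding="unicode")

def verify_assertion(xml_text, public_key):
    """SP-side check: SignatureValue over SignedInfo, then the Reference digest."""
    assertion = ET.fromstring(xml_text)
    sig = assertion.find(f"{{{DS}}}Signature")
    if sig is None:
        return False
    si = sig.find(f"{{{DS}}}SignedInfo")
    ref = si.find(f"{{{DS}}}Reference")
    if ref.get("URI") != "#" + assertion.get("ID"):
        return False  # the signature covers something other than this assertion
    try:
        public_key.verify(base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue")),
                          _c14n(si), padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    assertion.remove(sig)  # the enveloped-signature transform
    actual = base64.b64encode(hashlib.sha256(_c14n(assertion)).digest()).decode()
    return actual == ref.findtext(f"{{{DS}}}DigestValue")

def set_attribute(xml_text, name, value):
    """The kind of edit made in the SAML Attacks tab: change one attribute value."""
    assertion = ET.fromstring(xml_text)
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == name:
            attr.find(f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")

def traditional_rsa_pem(private_key):
    """PKCS#1 'BEGIN RSA PRIVATE KEY' PEM, i.e. the traditional OpenSSL key format."""
    return private_key.private_bytes(serialization.Encoding.PEM,
                                     serialization.PrivateFormat.TraditionalOpenSSL,
                                     serialization.NoEncryption())

def demo():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # stands in for the IdP key
    pub = key.public_key()
    signed = sign_assertion(ASSERTION, key)
    tampered = set_attribute(signed, "role", "admin")  # edited, old signature left in place
    resigned = sign_assertion(tampered, key)           # edited, then re-signed with the key
    return {
        "original_verifies": verify_assertion(signed, pub),
        "tampered_verifies": verify_assertion(tampered, pub),
        "resigned_verifies": verify_assertion(resigned, pub),
        "public_key_can_sign": hasattr(pub, "sign"),
        "pem_header": traditional_rsa_pem(key).split(b"\n", 1)[0],
    }

if __name__ == "__main__":
    print(demo())
```

`tampered_verifies` is the case from the original report: the edit is forwarded with the stale signature still attached, and the SP rejects it because the Reference digest no longer matches. `resigned_verifies` is what the extension does after the key has been imported. `traditional_rsa_pem` writes the PKCS#1 form that the "Traditional RSA PEM" import expects; a PKCS#8 file (header `BEGIN PRIVATE KEY`) is a different encoding of the same key and needs the other import path.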