SAML Attacks Not Forwarded Correctly With BurpSuite 2024.7.x
After a recent BurpSuite upgrade, SAML Raider's attacks get applied but not forwarded.
I intercept the SAMLResponse request, and apply a SAML attack, but what gets forwarded is the original, unaltered request, not the SAMLRaider-altered version.
For example, I intercept a SAMLResponse request, and apply the SAML attack "Remove Signatures". I get the orange verification text "Message signature successful removed", and I can see that the signature has indeed been removed. I click on "Forward" to send the edited message on its way.
But what actually gets forwarded is the original request. I can verify this by looking in the HTTP history and seeing that there are only 2 options for the request: "Original request" and "Auto-modified request". They are both exactly the same: the original request without the SAML attack applied. There is no "Edited request" option like you'd normally see when the SAML attack was actually sent.
Using SAML Raider 2.0.0. This behavior seems to happen with all BS 2024.7.x releases and seems to work fine with BS 2024.6.6.
Have tried all the usual: rebooting, disable/enable and re-installing SAML Raider. It looks like BurpSuite made some changes to their proxy starting with 2024.7.3 and I wonder if those changes are not SAML Raider compatible?
Hi @edmacke
Thanks for your report. Will look at it as soon as possible.
Tobias
Hi @edmacke
I have looked into this bug. I am afraid that this is probably not a bug in our extension, but a bug introduced by BurpSuite. I tried the sample extension code from https://github.com/PortSwigger/burp-extensions-montoya-api-examples/tree/main/customrequesteditortab and it turns out that this sample code is also prone to the same bug.
The following video should demonstrate this: https://github.com/user-attachments/assets/c50a57df-8151-486a-9bb1-2e45410fa543
I have filed a bug here: https://forum.portswigger.net/thread/2024-7-5-montoya-api-extensions-custom-editor-tab-modified-requests-not-forwarded-d575daab?CategoryId=bug-reports
In case someone reads this and didn't find the (mentioned) workaround for this bug:
- Intercept the relevant request
- Apply whatever changes you want using SAMLRaider
- Go back to the "Pretty" view tab
- Send / forward the request, it should not use the edited request!
Will close this issue for now.