Fixes on v1.2.0 #13

Merged
emanuelduss merged 6 commits into CompassSecurity:master from thariyarox:FixesOn_v1.2.0
Aug 29, 2016

@thariyarox
Contributor

This PR contains the following fixes done on top of SAML Raider v1.2.0.

  1. Unit test for XSW1 was not complete previously and with this it is completed.
  2. A new textbox 'Evil Subject' is added to the GUI. A user can enter the username of the victim account in this textbox and apply a particular XSW. When the malicious SAML response is generated, the evil assertion's name identifier value is replaced with the value in this textbox if it is provided. The user does not need to manually modify the evil assertion with this improvement.
  3. All the unit tests were directly calling particular XSW attack methods without calling the common applyXSW method passing the XSW type as a parameter. Now all unit tests are calling the common method passing the particular XSW type.
  4. The image that showed all XSW attacks' XML tree had incorrect diagrams. XSW2 diagram was not correct which actually was a duplicate of XSW1 diagram. XSW5 was also not correct which actually was a duplicate of XSW4 diagram. Apart from that, the XML tree was showing Assertion -> Assertion -> Subject for original assertion where the correct tree should be Assertion -> Subject. All the XSW attacks diagrams are corrected with this pull request.

@emanuelduss emanuelduss merged commit 70d6337 into CompassSecurity:master Aug 29, 2016
@emanuelduss
Member

Hey @thariyarox

Thanks very much for your work, which we really appreciate! These are nice features/improvements/fixes!

I'll publish the new release 1.3.0 soon.

@emanuelduss
Member

Hi @thariyarox

Today I had time to check the newly added code. I had some issues concerning the newly introduced textbox.

I tried several assertions, but it was not possible to apply the XSW attacks. The problem is that the content of the textbox is replacing the content of the XML tag NameID, which is not always available. See here for an example: https://github.com/SAMLRaider/SAMLRaider/blob/master/scripts/samltest/saml_response.xml.

In some assertions, the NameID tag is available, but is just a Transient Identifier (see https://www.oasis-open.org/committees/download.php/4587/ chapter 7.3.7), which is only a temporary id, which will not contain a username or something like that.

I think it's quite difficult to implement a textbox to set the evil subject at the correct position. Sometimes, you may want to change an e-mail address and sometimes a group the user belongs to. These can be in one or more attribute statements. During a test, the part(s) I want to change in the evil assertion can be anywhere. That's why I had to revert the commits related to the textbox. Sorry.

But I thank you anyway for the other commits!
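
The point made in the comment above, as an added example that is not code from this PR or from SAML Raider: a small Python inventory of where each assertion in a document carries identity data (NameID absent, transient, or present, plus attributes spread over several attribute statements). The function name `identity_fields` and both sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def identity_fields(xml_text):
    """For each Assertion in the document, report where identity data sits."""
    root = ET.fromstring(xml_text)
    reports = []
    for assertion in root.iter("{%s}Assertion" % NS["saml"]):
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None:
            status, value = "absent", None
        elif name_id.get("Format") == TRANSIENT:
            # A transient NameID is a temporary handle, not a username.
            status, value = "transient", (name_id.text or "").strip()
        else:
            status, value = "present", (name_id.text or "").strip()
        attributes = {}
        # Identity may be spread over one or more AttributeStatement elements.
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
            attributes.setdefault(attr.get("Name"), []).extend(values)
        reports.append({"name_id": status, "value": value, "attributes": attributes})
    return reports

# Constructed sample assertions (not taken from the files linked in the thread).
XMLNS = 'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
NO_NAMEID = f"""<saml:Assertion {XMLNS}><saml:Subject><saml:SubjectConfirmation
  Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml:Subject>
<saml:AttributeStatement><saml:Attribute Name="mail">
  <saml:AttributeValue>user@example.org</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
TRANSIENT_ID = f"""<saml:Assertion {XMLNS}><saml:Subject>
  <saml:NameID Format="{TRANSIENT}">_3f1c9a</saml:NameID></saml:Subject>
<saml:AttributeStatement><saml:Attribute Name="uid">
  <saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
<saml:AttributeStatement><saml:Attribute Name="group">
  <saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for sample in (NO_NAMEID, TRANSIENT_ID):
        print(identity_fields(sample))
```
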

@thariyarox
Contributor Author

Hi Emanuel,

No worries. I would like to contribute with new attack types. I will send a PR later.

Thanks!
