An extension for BurpSuite that highlights SSO messages in Burp's proxy window.
doc/apidocs
src
.gitignore
.travis.yml
BappDescription.html
BappManifest.bmf
README.md
license_header.txt
pom.xml

README.md

EsPReSSO


Extension for Processing and Recognition of Single Sign-On Protocols

The extension is based on the BurpSSO Extension, developed by the Chair of Network and Data Security, Ruhr University Bochum and the Hackmanit GmbH. The extension is part of a bachelor thesis by Tim Guenther at the Ruhr-University Bochum in cooperation with Context Information Security Ltd.

Features

Detecting

Supported Protocols:

  • SAML
  • OpenID
  • OAuth
  • BrowserId
  • OpenID Connect
  • Facebook Connect
  • Microsoft Account

Attacking

  • WS-Attacker integration while intercepting SAML messages
  • DTD-Attacker integration while intercepting SAML messages

Beautifier

  • Syntax Highlight
  • Highlight SSO messages in proxy window and display the protocol type
  • Show all recognized SSO messages in a history tab
  • Context menu for 'Analyze SSO Protocol'

Editors/Viewers

  • View and edit SAML
  • View JSON and JSON Web Token (JWT)
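The Detecting and Editors/Viewers features above rest on two pieces of logic: recognising which SSO protocol an HTTP message carries (by its parameter names and headers) and decoding the SAML and JWT payloads so they can be viewed. The following is an added, stand-alone Python illustration of that logic; it is not code from the EsPReSSO extension (which is written in Java against the Burp API), and the sample requests, hostnames and token values in it are constructed for the example. It decodes a JWT without checking its signature, as a viewer would, and inflates a SAMLRequest from the HTTP-Redirect binding (base64 over raw DEFLATE) or the HTTP-POST binding (base64 only).

```python
from __future__ import annotations

import base64
import json
import re
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# Compact JWS: three base64url segments separated by dots (signature may be empty for alg=none).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
SAML_PARAMS = {"SAMLRequest", "SAMLResponse"}
OAUTH_PARAMS = {"response_type", "client_id", "redirect_uri", "code", "access_token"}


def b64url_decode(segment: str) -> bytes:
    """Decode base64url (RFC 7515 style, padding stripped) by restoring the '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def decode_jwt(token: str) -> tuple[dict, dict]:
    """Split a compact JWS into its JSON header and payload.
    No signature check: this mirrors a viewer tab, not a token verifier."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def decode_saml(value: str) -> str:
    """Recover the XML from a SAMLRequest/SAMLResponse parameter value.
    HTTP-Redirect binding: base64(raw DEFLATE); HTTP-POST binding: base64 only."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode()  # wbits=-15: raw DEFLATE, no zlib header
    except zlib.error:
        return raw.decode()  # not deflated, so this was the POST binding


def parse_request(request: str) -> tuple[dict, dict]:
    """Return (headers, params) from a raw HTTP/1.1 request string.
    Params merge the URL query string and, for form posts, the body."""
    head, _, body = request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    params = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return headers, params


def classify(request: str) -> str | None:
    """Label a request with the SSO protocol it most likely carries, or None.
    Order matters: OpenID Connect reuses OAuth parameters, so it is tested first."""
    headers, params = parse_request(request)
    if SAML_PARAMS & params.keys():
        return "SAML"
    if "openid" in params.get("scope", "").split() or "id_token" in params:
        return "OpenID Connect"
    if "openid.mode" in params or "openid.ns" in params:
        return "OpenID"
    if OAUTH_PARAMS & params.keys():
        return "OAuth"
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer ") and JWT_RE.match(auth[7:].strip()):
        return "JWT"
    return None


# --- Constructed sample messages (not captured traffic; hostnames are placeholders) ---
_SAML_XML = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example"/>'
_comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, as the Redirect binding requires
_saml_param = quote(base64.b64encode(_comp.compress(_SAML_XML.encode()) + _comp.flush()).decode(), safe="")
SAML_REDIRECT_REQUEST = (
    "GET /sso/login?SAMLRequest=" + _saml_param + "&RelayState=abc HTTP/1.1\r\n"
    "Host: idp.example\r\n\r\n"
)
OIDC_REQUEST = (
    "GET /authorize?response_type=code&client_id=app&scope=openid%20profile"
    "&redirect_uri=https%3A%2F%2Frp.example%2Fcb&state=xyz HTTP/1.1\r\nHost: op.example\r\n\r\n"
)
OAUTH_TOKEN_POST = (
    "POST /token HTTP/1.1\r\nHost: as.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&client_id=app"
)
SAMPLE_JWT = ".".join([
    b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
    b64url_encode(b'{"sub":"alice","iss":"https://op.example"}'),
    "c2ln",  # placeholder signature segment, not a real HMAC
])
JWT_REQUEST = "GET /api/me HTTP/1.1\r\nHost: rp.example\r\nAuthorization: Bearer " + SAMPLE_JWT + "\r\n\r\n"

if __name__ == "__main__":
    for req in (SAML_REDIRECT_REQUEST, OIDC_REQUEST, OAUTH_TOKEN_POST, JWT_REQUEST):
        print(classify(req), "<-", req.split("\r\n")[0])
    print(decode_jwt(SAMPLE_JWT))
    print(decode_saml(parse_request(SAML_REDIRECT_REQUEST)[1]["SAMLRequest"]))
```

Parameter-name matching is deliberately coarse, which is the right trade-off for a proxy highlighter: a false positive costs a glance at the history tab, while a missed SAML or OAuth message is invisible. Note that `decode_jwt` tells you nothing about whether the token is valid; treat its output as untrusted display data.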

Build

$ mvn clean package

(Please start Burp with Java 1.8)

Installation and Usage

  • Build the JAR file as described above, or download it from releases.
  • Load the JAR file from the target folder into Burp's Extender. (Start Burp with Java 1.8)
  • SSO messages are highlighted automatically in Burp's HTTP history (Proxy tab).
  • SAML, JSON and JWT editors and viewers are attached automatically.
  • SSO History, Options and Help can be found in a new tab called 'EsPReSSO'.

Dependencies and Licences

| Dependency | Licence | Access Date | Link | Copyright (c) Date, Name |
|---|---|---|---|---|
| RSyntaxTextArea | modified BSD license | 20.09.2015 | https://github.com/bobbylight/RSyntaxTextArea | 2012, Robert Futrell |
| json-simple | Apache License 2.0 | 20.09.2015 | https://code.google.com/p/json-simple/ | Unknown, Yidong Fang |
| WSAttacker | GNU General Public License v2.0 | 20.09.2015 | https://github.com/RUB-NDS/WS-Attacker/ | 2012, Christian Mainka, Andreas Falkenberg, Juraj Somorovsky, et al. |
| junit | Eclipse Public License 1.0 | 12.03.2018 | https://github.com/junit-team/junit4 | Unknown, Erich Gamma and Kent Beck |
| jutf7 | MIT license | 12.03.2018 | https://sourceforge.net/projects/jutf7/ | 2011, Jaap Beetstra |
| commons-io | Apache License 2.0 | 12.03.2018 | https://github.com/apache/commons-io | 2012, Scott Sanders, et al. |

Tested with:

  • Java 1.8.0_151
  • Burp Suite 1.7.32
  • Ubuntu 16.04.3 LTS, amd64
  • Netbeans 8.2
  • Maven 3.3.9