An extension for BurpSuite that highlights SSO messages in Burp's proxy window..
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


Build Status licence release status

Extension for Processing and Recognition of Single Sign-On Protocols

The extension is based on the BurpSSO Extension, developed by the Chair of Network and Data Security, Ruhr University Bochum and the Hackmanit GmbH. The extension is part of a bachelor thesis by Tim Guenther at the Ruhr-University Bochum in cooperation with Context Information Security Ltd..



Supported Protocols:

  • SAML
  • OpenID
  • OAuth
  • BrowserId
  • OpenID Connect
  • Facebook Connect
  • Microsoft Account


  • WS-Attacker integration while intercepting SAML messages
  • DTD-Attacker integration while intercepting SAML messages


  • Syntax Highlight
  • Highlight SSO messages in proxy window and display the protocol type
  • Show all recognized SSO messages in a history tab
  • Context menu for 'Analyze SSO Protocol'


  • View and edit SAML
  • View JSON and JSON Web Token (JWT)


$ mvn clean package

(Please start Burp with Java 1.8)

Installation and Usage

  • Build the JAR file as described above, or download it from releases.
  • Load the JAR file from the target folder into Burp's Extender. (Start Burp with Java 1.8)
  • SSO messages are highlighted automatically in Burp's HTTP history (Proxy tab).
  • SAML, JSON and JWT editors and viewers attached automatically.
  • A SSO History, Options and Help can be found in a new tab called 'EsPReSSO'.

Dependencies and Licences

Dependencie Licence Access Date Link Copyright (c) Date, Name
RSyntaxTextArea modified BSD license 20.09.2015 2012, Robert Futrell
json-simple Apache License 2.0 20.09.2015 Unkown, Yidong Fang
WSAttacker GNU General Public License v2.0 20.09.2015 2012, Christain Mainka, Andreas Falkenberg, Jurai Somorovski, et al.
junit Eclipse Public License 1.0 12.03.2018 Unkown, Erich Gamma and Kent Beck.
jutf7 MIT license 12.03.2018 2011, Jaap Beetstra
commons-io Apache License 2.0 12.03.2018 2012, Scott Sanders, et al.

Tested with:

  • Java 1.8.0._151
  • Burp Suite 1.7.32
  • Ubuntu 16.04.3 LTS, amd64
  • Netbeans 8.2
  • Maven 3.3.9