Search for non-spec parameters

[aph3rson]

Per the SAML specification, any exchanged SAML payload should be in a parameter named SAMLRequest or SAMLResponse. However, developers occasionally don't follow spec, and use a differently-named parameter. This makes attempting SAML attacks with SAMLRaider difficult.

It would be desirable to have a feature where the target parameter (or a list thereof) could be customized. That way, if an application is out-of-spec, the list of potential parameters could be modified accordingly.

[emanuelduss]

Hello

Thanks for your input. I have not seen that so far but I believe you that this could be done sometimes. I'll consider that configuration option in a future release. But I can't tell you when I will work the next time on SAML Raider.

However, if you need this now, a quick fix / hack / workaround could be to use two Burp instances behind each other (one Burp instance is the upstream proxy of the other). The first will then perform a search/replace for SAMLRequest/SAMLResponse to the custom parameter name and vice-versa. I have not tried it but this should work somehow.

Best regards,
Emanuel

[emanuelduss]

Implemented in #49. Will be available in the next version.

[emanuelduss]

Released https://github.com/CompassSecurity/SAMLRaider/releases/tag/v1.3.0.