Skip to content
DupeKeyInjector
Java
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
resources
src/main/java
.gitignore remove target Aug 2, 2019
LICENSE.md
README.md
pom.xml
screenshot.png

README.md

Dupe Key Injector

Dupe Key Injetctor is a Burp Suite extension implementing Dupe Key Confusion, a new XML signature bypass technique presented at BSides/BlackHat/DEFCON 2019 "SSO Wars: The Token Menace" presentation.

Description

Dupe Key Confusion is a new attack to bypass XML signature verification by sending multiple key identifiers in the KeyInfo section. Vulnerable systems will use the first one to verify the XML signature and the second one to verify the trust on the signing party. This plugin applies this technique to SAML tokens by allowing to modify and then resign the SAML assertion with an arbitrary attacker-controlled key which is then send as the first element of the KeyInfo section, while the original key identifier is sent as the second key identifier.

For more details about this technique, please refer to the following materials:

Screenshot

Usage

Intercept a SAML request and use the Dupe Key Injector tab to modify the assertion and then re-sign it using one of the following techniques:

  • Re-sign with RSA key.
  • Re-sign with public certificate (only enabled when a public base64 certificate has been imported).

Build

mvn package

Authors

This plugin was developed as part of a Micro Focus Fortify research by:

Thanks

This plugin is strongly based on SAML Raider. It actually uses many of the helper methods to process SAML tokens and XML documents from this project.

License

MIT License

You can’t perform that action at this time.