An extension for BurpSuite that highlights SSO messages in Burp's proxy window..

stephenbradshaw/espresso

EsPReSSO

Extension for Processing and Recognition of Single Sign-On Protocols

The extension is based on the BurpSSO Extension, developed by the Chair of Network and Data Security, Ruhr University Bochum and the Hackmanit GmbH. The extension is part of a bachelor thesis by Tim Guenther at the Ruhr-University Bochum in cooperation with Context Information Security Ltd.

Features

Detecting

Supported Protocols:

  • SAML
  • OpenID
  • OAuth
  • BrowserId
  • OpenID Connect
  • Facebook Connect
  • Microsoft Account
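
As an added illustration of the kind of recognition the extension performs on intercepted traffic (this is not the extension's own code; the parameter-name rules and the sample requests are simplified assumptions, and only a subset of the protocols above is covered):

```python
from urllib.parse import parse_qs, urlsplit

# Simplified recognition rules in priority order (assumed heuristics, not the extension's).
# OpenID Connect is OAuth plus an "openid" scope or an id_token, so it is tested before OAuth.
def _has(params, *names):
    return any(n in params for n in names)

RULES = [
    ("SAML", lambda p: _has(p, "SAMLRequest", "SAMLResponse")),
    ("OpenID", lambda p: _has(p, "openid.mode", "openid.ns")),
    ("Facebook Connect", lambda p: _has(p, "signed_request")),
    ("BrowserId", lambda p: "assertion" in p and "~" in p["assertion"][0]),  # "cert~assertion"
    ("OpenID Connect", lambda p: _has(p, "id_token")
                                 or "openid" in " ".join(p.get("scope", [])).split()),
    ("OAuth", lambda p: _has(p, "response_type", "client_id", "access_token")),
]

def parse_params(raw_request):
    """Collect query-string and form-body parameters of a raw HTTP request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()                      # "METHOD /target HTTP/1.1"
    target = parts[1] if len(parts) > 1 else ""
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
    params = parse_qs(urlsplit(target).query)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qs(body).items():       # merge body fields with query fields
            params.setdefault(k, []).extend(v)
    return params

def detect_sso(raw_request):
    """Return the first matching protocol name, or None for a non-SSO message."""
    params = parse_params(raw_request)
    for name, matches in RULES:
        if matches(params):
            return name
    return None

# Constructed sample messages (not captured traffic).
SAMPLES = {
    "saml": ("POST /sso/acs HTTP/1.1\r\nHost: sp.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "SAMLResponse=PHNhbWxwOlJlc3BvbnNlLz4%3D&RelayState=x"),
    "oidc": ("GET /authorize?response_type=code&client_id=app&scope=openid%20profile HTTP/1.1\r\n"
             "Host: idp.example\r\n\r\n"),
    "oauth": "GET /authorize?response_type=token&client_id=app&scope=email HTTP/1.1\r\nHost: idp.example\r\n\r\n",
    "openid": "GET /openid?openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0 HTTP/1.1\r\nHost: op.example\r\n\r\n",
    "plain": "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
}
```

In a Burp extension the same classification would run in the proxy's message-processing callback, with the returned name used to set the highlight and comment shown in the HTTP history.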

Attacking

  • WS-Attacker integration while intercepting SAML messages
  • DTD-Attacker integration while intercepting SAML messages
  • XML-Encryption-Attacker integration while intercepting SAML messages

Beautifier

  • Syntax Highlight
  • Highlight SSO messages in proxy window and display the protocol type
  • Show all recognized SSO messages in a history tab
  • Context menu for 'Analyze SSO Protocol'

Editors/Viewers

  • View and edit SAML
  • View JSON and JSON Web Token (JWT)

Build

$ mvn clean package

(Please start Burp with Java 1.8)

Installation and Usage

  • Build the JAR file as described above, or download it from releases.
  • Load the JAR file from the target folder into Burp's Extender. (Start Burp with Java 1.8)
  • SSO messages are highlighted automatically in Burp's HTTP history (Proxy tab).
  • SAML, JSON and JWT editors and viewers are attached automatically.
  • An SSO History, Options and Help can be found in a new tab called 'EsPReSSO'.

Dependencies and Licences

| Dependency | Licence | Access Date | Link | Copyright (c) Date, Name |
|---|---|---|---|---|
| RSyntaxTextArea | modified BSD license | 20.09.2015 | https://github.com/bobbylight/RSyntaxTextArea | 2012, Robert Futrell |
| json-simple | Apache License 2.0 | 20.09.2015 | https://code.google.com/p/json-simple/ | Unknown, Yidong Fang |
| WSAttacker | GNU General Public License v2.0 | 20.09.2015 | https://github.com/RUB-NDS/WS-Attacker/ | 2012, Christian Mainka, Andreas Falkenberg, Juraj Somorovsky, et al. |
| junit | Eclipse Public License 1.0 | 12.03.2018 | https://github.com/junit-team/junit4 | Unknown, Erich Gamma and Kent Beck |
| jutf7 | MIT license | 12.03.2018 | https://sourceforge.net/projects/jutf7/ | 2011, Jaap Beetstra |
| commons-io | Apache License 2.0 | 12.03.2018 | https://github.com/apache/commons-io | 2012, Scott Sanders, et al. |

Tested with:

  • Java 1.8.0_151
  • Burp Suite 1.7.36
  • Ubuntu 16.04.3 LTS, amd64
  • Netbeans 8.2
  • Maven 3.3.9
