Added XML signature wrapping fix and associated functionality
Stephen Bradshaw committed May 25, 2020
1 parent 7130c3b commit 5988f0f
Showing 9 changed files with 266 additions and 63 deletions.
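--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,6 @@ release.properties
 *.swo
 *.swp
 target/
+.classpath
+.project
+.settings/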
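--- a/pom.xml
+++ b/pom.xml
@@ -72,6 +72,11 @@
 <version>1.9</version>
 <type>jar</type>
 </dependency>
+<dependency>
+<groupId>jakarta.xml.ws</groupId>
+<artifactId>jakarta.xml.ws-api</artifactId>
+<version>2.3.3</version>
+</dependency>
 </dependencies>
 
 <repositories>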
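Review bot: The new `jakarta.xml.ws-api` dependency carries no comment saying what needs it, and none of the hunks shown on this page reference it. If it is there to supply the `javax.xml.ws` API that JDK 11 and later no longer bundle, a one-line comment above the `<dependency>` such as `<!-- javax.xml.ws API, not bundled with JDK 11+ -->` would record that. No `<scope>` is given, so it defaults to `compile`; confirm that is intended for the packaged extension.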
Expand Up @@ -55,6 +55,7 @@ public class SAMLEditor implements IMessageEditorTabFactory{

private final String samlRequest = "SAMLRequest";
private final String samlResponse = "SAMLResponse";
private final String samlAssertion = "SAMLAssertion";
private final String signature = "Signature";
private final String signatureAlgorithm = "SigAlg";

Expand Down Expand Up @@ -198,6 +199,10 @@ private boolean isSAML(byte[] content) {
if (null != samlContent){
return true;
}
samlContent = helpers.getRequestParameter(content, samlAssertion);
if (null != samlContent){
return true;
}
return false;
}
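Review bot: The added lookup in `isSAML` is a third copy of the same assign-and-test pattern and is followed directly by `return false;`, so the tail can be written as `return null != helpers.getRequestParameter(content, samlAssertion);`. The method starts outside the hunk, and whether the code that later extracts and decodes the message also reads the `SAMLAssertion` parameter is not visible here; if it does not, the editor tab would be offered for requests it cannot display. A short comment on the `samlAssertion` field naming the product or flow that sends this parameter would help, since it does not appear to be one of the standard SAML binding parameter names.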

Expand Up @@ -20,17 +20,7 @@
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="rTextScrollPane" max="32767" attributes="0"/>
<Component id="jButtonAdd" alignment="0" max="32767" attributes="0"/>
<Component id="jSeparator3" alignment="1" max="32767" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Component id="jLabel3" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" max="-2" attributes="0"/>
<Component id="jTextFieldCurrentValue" max="32767" attributes="0"/>
<EmptySpace min="-2" max="-2" attributes="0"/>
<Component id="jLabel4" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" max="-2" attributes="0"/>
<Component id="jTextFieldNewValue" max="32767" attributes="0"/>
</Group>
<Component id="jSeparator4" alignment="0" max="32767" attributes="0"/>
<Component id="jScrollPaneTable" alignment="0" max="32767" attributes="0"/>
<Group type="102" attributes="0">
Expand All @@ -48,13 +38,40 @@
</Group>
<Component id="jButtonReload" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace min="0" pref="171" max="32767" attributes="0"/>
<EmptySpace min="0" pref="0" max="32767" attributes="0"/>
</Group>
<Group type="102" attributes="0">
<Component id="jLabel1" min="-2" max="-2" attributes="0"/>
<EmptySpace max="32767" attributes="0"/>
<Component id="jCheckBoxWrapLines" min="-2" max="-2" attributes="0"/>
</Group>
<Group type="102" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<Component id="jLabel3" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" max="-2" attributes="0"/>
<Component id="jTextFieldCurrentValue" max="32767" attributes="0"/>
</Group>
<Group type="102" attributes="0">
<Component id="jButtonAddString" min="-2" pref="222" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="jLabel6" min="-2" max="-2" attributes="0"/>
<EmptySpace min="0" pref="0" max="32767" attributes="0"/>
</Group>
</Group>
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<Component id="jLabel4" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" max="-2" attributes="0"/>
<Component id="jTextFieldNewValue" max="32767" attributes="0"/>
</Group>
<Group type="102" attributes="0">
<EmptySpace min="0" pref="0" max="32767" attributes="0"/>
<Component id="jButtonAddXpath" min="-2" pref="198" max="-2" attributes="0"/>
</Group>
</Group>
</Group>
</Group>
<EmptySpace max="-2" attributes="0"/>
</Group>
Expand Down Expand Up @@ -89,7 +106,11 @@
</Group>
</Group>
<EmptySpace min="-2" max="-2" attributes="0"/>
<Component id="jButtonAdd" min="-2" max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0">
<Component id="jButtonAddString" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="jButtonAddXpath" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="jLabel6" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace min="-2" max="-2" attributes="0"/>
<Component id="jLabel7" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" max="-2" attributes="0"/>
Expand Down Expand Up @@ -148,7 +169,7 @@
</Component>
<Component class="javax.swing.JLabel" name="jLabel3">
<Properties>
<Property name="text" type="java.lang.String" value="Current value:"/>
<Property name="text" type="java.lang.String" value="Search value:"/>
</Properties>
</Component>
<Component class="javax.swing.JLabel" name="jLabel4">
Expand All @@ -158,12 +179,12 @@
</Component>
<Component class="javax.swing.JTextField" name="jTextFieldNewValue">
</Component>
<Component class="javax.swing.JButton" name="jButtonAdd">
<Component class="javax.swing.JButton" name="jButtonAddString">
<Properties>
<Property name="text" type="java.lang.String" value="Add"/>
<Property name="text" type="java.lang.String" value="Add Search String"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="jButtonAddActionPerformed"/>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="jButtonAddStringActionPerformed"/>
</Events>
</Component>
<Component class="javax.swing.JLabel" name="jLabel5">
Expand Down Expand Up @@ -212,5 +233,19 @@
<Property name="toolTipText" type="java.lang.String" value=""/>
</Properties>
</Component>
<Component class="javax.swing.JButton" name="jButtonAddXpath">
<Properties>
<Property name="text" type="java.lang.String" value="Add xPath"/>
<Property name="name" type="java.lang.String" value="" noResource="true"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="jButtonAddXpathActionPerformed"/>
</Events>
</Component>
<Component class="javax.swing.JLabel" name="jLabel6">
<Properties>
<Property name="text" type="java.lang.String" value="...or...."/>
</Properties>
</Component>
</SubComponents>
</Form>
Expand Up @@ -105,7 +105,7 @@ private void initComponents() {
jLabel3 = new javax.swing.JLabel();
jLabel4 = new javax.swing.JLabel();
jTextFieldNewValue = new javax.swing.JTextField();
jButtonAdd = new javax.swing.JButton();
jButtonAddString = new javax.swing.JButton();
jLabel5 = new javax.swing.JLabel();
jScrollPaneTable = new javax.swing.JScrollPane();
jSeparator3 = new javax.swing.JSeparator();
Expand All @@ -115,6 +115,8 @@ private void initComponents() {
jTextFieldCurrentValue = new javax.swing.JTextField();
jLabelNode = new javax.swing.JLabel();
jLabel7 = new javax.swing.JLabel();
jButtonAddXpath = new javax.swing.JButton();
jLabel6 = new javax.swing.JLabel();

jLabel1.setText("Message:");

Expand Down Expand Up @@ -144,14 +146,14 @@ public void actionPerformed(java.awt.event.ActionEvent evt) {
jLabelVectors.setForeground(new java.awt.Color(255, 0, 0));
jLabelVectors.setText("Minimum one textnode pair necessary!");

jLabel3.setText("Current value:");
jLabel3.setText("Search value:");

jLabel4.setText("New value:");

jButtonAdd.setText("Add");
jButtonAdd.addActionListener(new java.awt.event.ActionListener() {
jButtonAddString.setText("Add Search String");
jButtonAddString.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
jButtonAddActionPerformed(evt);
jButtonAddStringActionPerformed(evt);
}
});

Expand All @@ -171,6 +173,16 @@ public void actionPerformed(java.awt.event.ActionEvent evt) {
jLabel7.setText("Modifications Table:");
jLabel7.setToolTipText("");

jButtonAddXpath.setText("Add xPath");
jButtonAddXpath.setName(""); // NOI18N
jButtonAddXpath.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
jButtonAddXpathActionPerformed(evt);
}
});

jLabel6.setText("...or....");

javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this);
this.setLayout(layout);
layout.setHorizontalGroup(
Expand All @@ -179,16 +191,7 @@ public void actionPerformed(java.awt.event.ActionEvent evt) {
.addContainerGap()
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(rTextScrollPane, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addComponent(jButtonAdd, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addComponent(jSeparator3, javax.swing.GroupLayout.Alignment.TRAILING)
.addGroup(layout.createSequentialGroup()
.addComponent(jLabel3)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jTextFieldCurrentValue)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jLabel4)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jTextFieldNewValue))
.addComponent(jSeparator4)
.addComponent(jScrollPaneTable)
.addGroup(layout.createSequentialGroup()
Expand All @@ -203,11 +206,31 @@ public void actionPerformed(java.awt.event.ActionEvent evt) {
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jLabelVectors))
.addComponent(jButtonReload))
.addGap(0, 171, Short.MAX_VALUE))
.addGap(0, 0, Short.MAX_VALUE))
.addGroup(layout.createSequentialGroup()
.addComponent(jLabel1)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addComponent(jCheckBoxWrapLines)))
.addComponent(jCheckBoxWrapLines))
.addGroup(layout.createSequentialGroup()
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addComponent(jLabel3)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jTextFieldCurrentValue))
.addGroup(layout.createSequentialGroup()
.addComponent(jButtonAddString, javax.swing.GroupLayout.PREFERRED_SIZE, 222, javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jLabel6)
.addGap(0, 0, Short.MAX_VALUE)))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addComponent(jLabel4)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jTextFieldNewValue))
.addGroup(layout.createSequentialGroup()
.addGap(0, 0, Short.MAX_VALUE)
.addComponent(jButtonAddXpath, javax.swing.GroupLayout.PREFERRED_SIZE, 198, javax.swing.GroupLayout.PREFERRED_SIZE)))))
.addContainerGap())
);
layout.setVerticalGroup(
Expand Down Expand Up @@ -235,7 +258,10 @@ public void actionPerformed(java.awt.event.ActionEvent evt) {
.addComponent(jTextFieldCurrentValue, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jTextFieldNewValue, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jButtonAdd)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jButtonAddString)
.addComponent(jButtonAddXpath)
.addComponent(jLabel6))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jLabel7)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
Expand Down Expand Up @@ -345,6 +371,7 @@ private void jButtonGenerateVectorsActionPerformed(java.awt.event.ActionEvent ev
jLabelVectors.setText("No signatures available!");
return;
}

// Repalce values
for (int i = 0; i < payloadList.size(); i++) {
Document payload = XMLHelper.stringToDom(payloadList.get(i).getValue());
Expand All @@ -354,11 +381,14 @@ private void jButtonGenerateVectorsActionPerformed(java.awt.event.ActionEvent ev
node.setTextContent(pair.getValue().toString());
} catch (XPathExpressionException ex) {
Logging.getInstance().log(getClass(), "Could not replace value.", Logging.ERROR);
} catch(Exception e) {
Logging.getInstance().log(getClass(), e.toString(), Logging.ERROR);
}
}
payloadList.get(i).setPayloadElement(payload.getDocumentElement());
}
// Init oracle

wrappingOracle = new WrappingOracle(doc, payloadList, samlSchemaAnalyser);
max = wrappingOracle.maxPossibilities();
jLabelVectors.setText(max + " possible vectors!");
Expand All @@ -376,7 +406,8 @@ private void jCheckBoxWrapLinesActionPerformed(java.awt.event.ActionEvent evt) {
}
}//GEN-LAST:event_jCheckBoxWrapLinesActionPerformed

private void jButtonAddActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jButtonAddActionPerformed
private void jButtonAddStringActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jButtonAddStringActionPerformed

ArrayList<String> xPaths = new ArrayList<>();
// Search only in signed elements
for (int i = 0; i < payloadList.size(); i++) {
Expand All @@ -387,6 +418,7 @@ private void jButtonAddActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
jLabelNode.setText(jTextFieldCurrentValue.getText() + " not found in the signed element!");
return;
}

for (int i = 0; i < xPaths.size(); i++) {
String selection = xPaths.get(i);
// Add pair
Expand All @@ -398,7 +430,41 @@ private void jButtonAddActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
jLabelNode.setText("New value for '" + jTextFieldCurrentValue.getText() + "' already added. Delete existing entry to replace it!");
}
}
}//GEN-LAST:event_jButtonAddActionPerformed

}//GEN-LAST:event_jButtonAddStringActionPerformed

private void jButtonAddXpathActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jButtonAddXpathActionPerformed
ArrayList<String> matched = new ArrayList<>();

for (int i = 0; i < payloadList.size(); i++) {
Document payload = DomUtilities.createNewDomFromNode(payloadList.get(i).getSignedElement());
try {
Node node = DomUtilities.evaluateXPath(payload, jTextFieldCurrentValue.getText()).get(0);
matched.add(node.getTextContent());
} catch (XPathExpressionException ex) {
Logging.getInstance().log(getClass(), "Could not match xPath.", Logging.ERROR);
} catch (java.lang.IndexOutOfBoundsException ex) {
// no match on xpath
} catch(Exception e) {
Logging.getInstance().log(getClass(), e.toString(), Logging.ERROR);
}

}

// get the working xpath things from above
// add to table and valuestore
if (matched.size() > 0) {
for (int i = 0; i < matched.size(); i++) {
valuePairs.put(jTextFieldCurrentValue.getText(), jTextFieldNewValue.getText());
tableModel.addRow(new TableEntry(jTextFieldCurrentValue.getText(), matched.get(i), jTextFieldNewValue.getText()));
}
jTextFieldCurrentValue.setText("");
jTextFieldNewValue.setText("");
jLabelNode.setText("xPath matched! Added to replacement table!");
} else {
jLabelNode.setText("xPath not matched");
}
}//GEN-LAST:event_jButtonAddXpathActionPerformed

private void initSigManager() {
SignatureManager sigManager = new SignatureManager();
Expand Down Expand Up @@ -449,14 +515,16 @@ public void setSwitchTabFunc(Consumer<Integer> selectTab) {
}

// Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JButton jButtonAdd;
private javax.swing.JButton jButtonAddString;
private javax.swing.JButton jButtonAddXpath;
private javax.swing.JButton jButtonGenerateVectors;
private javax.swing.JButton jButtonReload;
private javax.swing.JCheckBox jCheckBoxWrapLines;
private javax.swing.JLabel jLabel1;
private javax.swing.JLabel jLabel3;
private javax.swing.JLabel jLabel4;
private javax.swing.JLabel jLabel5;
private javax.swing.JLabel jLabel6;
private javax.swing.JLabel jLabel7;
private javax.swing.JLabel jLabelNode;
private javax.swing.JLabel jLabelVectors;
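Review bot: In `jButtonAddXpathActionPerformed`, `valuePairs.put(jTextFieldCurrentValue.getText(), …)` runs once per matching payload with no check for an existing key, so re-adding an XPath (or matching it in several signed elements) overwrites the stored value while appending another table row, and the table no longer reflects what will be replaced; the string handler reports "already added. Delete existing entry to replace it!" in that situation. A guard before the loop such as `if (valuePairs.containsKey(xPath)) { jLabelNode.setText(...); return; }` would match it, assuming `valuePairs` is a `Map` (its declaration is outside these hunks). The empty `catch (java.lang.IndexOutOfBoundsException ex)` uses an exception for the ordinary no-match case; testing the result of `DomUtilities.evaluateXPath` for emptiness before `.get(0)` would be clearer. The `catch(Exception e)` added here and in `jButtonGenerateVectorsActionPerformed` only logs `e.toString()`, so a replacement that fails still ends with the "possible vectors!" label; setting `jLabelVectors` or `jLabelNode` to an error text would tell the user that a modification was skipped.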