Direkt zum Hauptbereich

EsPReSSO - A good morning starts with coffee!

In this posts I describe the tool, I wrote for my Bachelor thesis at the Chair for Network and Data Security, with support of Context Information Security Ltd.. EsPReSSO is a apronym for "Extension for Recognition and Processing of Single Sing on Protocols". The basic idea behind EsPReSSO is to automate standard tasks to detect and classify the Single Sign-On (SSO) Protocols OpenID, BrowserID, SAML, OAuth, OpenID-Connect, Facebook Connect and Microsoft Account. The tool is integrate with PortSwigger's HTTP Proxy, Burp Suite. Furthermore EsPReSSO integrates the WS-Attacker, to attack SAML services semi-automated or manually.

EsPReSSO consist of two core components, the Scanner and the Attacker.

EsPReSSO Scanner


The SSO authentication process consists of a complex sequence of HTTP messages with different GET and POST parameters. During the analysis of the HTTP traffic of modern browsers important SSO messages are mixed with countless irrelevant messages like, advertisement messages or AJAX requests from other open tabs. In order to identify SSO messages we have to distinguish, at first, between OAuth based protocols, like OpenID Connect, Microsoft Account and Facebook Connect, and not OAuth based protocols like SAML, OpenID and BrowserID.
The latter of these protocols appeared to be easy to classify, due to their unique parameters. In contrary, the detection OAuth-Family protocols was not trivial. The similarities between the protocol flows made it hard to identify every protocol properly.
To simplify this analysis, EsPReSSO attempts to analyse and highlight SSO request send by the browser. The results can be reviewed in an extra history designed for SSO protocols as well as Burp Suite's built-in HTTP proxy history. To evaluate the single SSO messages better, EsPReSSO integrates a SAML, JSON and JWT (JSON Web Token) editor.

EsPReSSO Attacker


Together with the SAML editor EsPReSSO integrates the famous WS-Attacker, of the Chair for Network and Data Security, to manipulate request during the interception with Burp Suite. At the moment two attacks are implemented, XML Signature Wrapping and XML Signature Faking. With the first kind, it is possible to choose from over 200 different attack vectors. These attack vectors are automatically retrieved from a predefined setup. The user can choose and fine tune all of them before the modification is applied to the original message.
With the Signature Faking attack, a new signature will be computed for the given assertion.


EsPReSSO is based on Christian Mainka's 'BurpSSOExtension' and replaces it in its repository. Fork the project on GitHub and help us to develop an awesome tool.
Or use our Extension with Burps BApp Store.

Authors of this Post

This post was written by Tim Guenther and reviewed by Christian Mainka and Vladislav Mladenov.
Tim's Bachelor Thesis can be found at https://www.nds.rub.de/teaching/theses/espresso-ba/

Beliebte Posts aus diesem Blog

Printer Security

Printers belong arguably to the most common devices we use. They are available in every household, office, company, governmental, medical, or education institution.
From a security point of view, these machines are quite interesting since they are located in internal networks and have direct access to sensitive information like confidential reports, contracts or patient recipes.

TL;DR: In this blog post we give an overview of attack scenarios based on network printers, and show the possibilities of an attacker who has access to a vulnerable printer. We present our evaluation of 20 different printer models and show that each of these is vulnerable to multiple attacks. We release an open-source tool that supported our analysis: PRinter Exploitation Toolkit (PRET) https://github.com/RUB-NDS/PRET Full results are available in the master thesis of Jens Müller and our paper. Furthermore, we have set up a wiki (http://hacking-printers.net/) to share knowledge on printer (in)security.
The hi…

How to Break Microsoft Rights Management Services

In this post, we provide a security analysis of Microsoft Rights Management Services (RMS) and present two working attacks:  We completely remove the RMS protection of a Word document on which we only have a view-only permission, without having the right to edit it. This shows that in contrast to claims made by Microsoft, Microsoft RMS can only be used to enforce all-or-nothing access. We extend this attack to be stealthy in the following sense: We show how to modify the content of an RMS write-protected Word document issued by our victim. The resulting document still claims to be write protected, and that the modified content was generated by the victim This work is going to be presented at WOOT'16.