Testing SAML Endpoints For XML Signature Wrapping Vulnerabilities

A lot can go wrong when validating SAML messages. When auditing SAML endpoints, it's important to look out for vulnerabilities in the signature validation logic. XML Signature Wrapping (XSW) against SAML is an attack where manipulated SAML message is submitted in an attempt to make the endpoint validate the signed parts of the message -- which were correctly validated -- while processing a different attacker-generated part of the message as a way to extract the authentication statements. Because the attacker can arbitrarily forge SAML assertions which are accepted as valid by the vulnerable endpoint, the impact can be severe. [1,2,3]

Testing for XSW vulnerabilities in SAML endpoints can be a tedious process, as the auditor needs to not only know the details of the various XSW techniques, but also must handle a multitude of repetitive copy-and-paste tasks and apply the appropriate encoding onto each message. The latest revision of the XSW-Attacker module in our BurpSuite extension EsPReSSo helps to make this testing process easier, and even comes with a semi-automated mode. Read on to learn more about the new release! 

 SAML XSW-Attacker

After a signed SAML message has been intercepted using the Burp Proxy and shown in EsPReSSO, you can open the XSW-Attacker by navigating to the SAML tab and then the Attacker tab.  Select Signature Wrapping from the drop down menu, as shown in the screenshot below:

To simplify its use, the XSW-Attacker performs the attack in a two step process of initialization and execution, as reflected by its two tabs Init Attack and Execute Attack. The interface of the XSW-Attacker is depicted below.

XSW-Attacker overview

The Init Attack tab displays the current SAML message. To execute a signature wrapping attack, a payload needs to be configured in a way that values of the originally signed message are replaced with values of the attacker's choice. To do this, enter the value of a text-node you wish to replace in the Current value text-field. Insert the replacement value in the text-field labeled New value and click the Add button. Multiple values can be provided; however, all of which must be child nodes of the signed element. Valid substitution pairs and the corresponding XPath selectors are displayed in the Modifications Table. To delete an entry from the table, select the entry and press `Del`, or use the right-click menu.

Next, click the Generate vectors button - this will prepare the payloads accordingly and brings the Execute Attack tab to the front of the screen.

At the top of the Execute Attack tab, select one of the pre-generated payloads. The structure of the selected vector is explained in a shorthand syntax in the text area below the selector.
The text-area labeled Attack vector is editable and can be used to manually fine-tune the chosen payload if necessary. The button Pretty print opens up a syntax-highlighted overview of the current vector.
To submit the manipulated SAML response, use Burp's Forward button (or Go, while in the Repeater).

Automating XSW-Attacker with Burp Intruder

Burp's Intruder tool allows the sending of automated requests with varying payloads to a test target and analyzes the responses. EsPReSSO now includes a Payload Generator called XSW Payloads to facilitate when testing the XML processing endpoints for XSW vulnerabilities. The following paragraphs explain how to use the automated XSW attacker with a SAML response.

First, open an intercepted request in Burp's Intruder (e.g., by pressing `Ctrl+i`). For the attack type, select Sniper. Open the Intruder's Positions tab, clear all payload positions but the value of the XML message (the `SAMLResponse` parameter, in our example). Note: the XSW-Attacker can only handle XML messages that contain exactly one XML Signature.
Next, switch to the Payloads tab and for the Payload Type, select Extension-generated. From the newly added Select generator drop-down menu, choose XSW Payloads, as depicted in the screenshot below.

While still in the Payloads tab, disable the URL-encoding checkbox in the Payload Encoding section, since Burp Intruder deals with the encoding automatically and should suffice for most cases.
Click the Start Attack button and a new window will pop up. This window is shown below and is similar to the XSW Attacker's Init Attack tab.

Configure the payload as explained in the section above. In addition, a schema analyzer can be selected and checkboxes at the bottom of the window allow the tester to choose a specific encoding. However, for most cases the detected presets should be correct.

Click the Start Attack button and the Intruder will start sending each of the pre-generated vectors to the configured endpoint. Note that this may result in a huge number of outgoing requests. To make it easier to recognize the successful Signature Wrapping attacks, it is recommended to use the Intruder's Grep-Match functionality. As an example, consider adding the replacement values from the Modifications Table as a Grep-Match rule in the Intruder's Options tab. By doing so, a successful attack vector will be marked with a checkmark in the results table, if the response includes any of the configure grep rules.

Credits

EsPReSSO's XSW Attacker is based on the WS-Attacker [4] library by Christian Mainka and the original adoption for EsPReSSO has been implemented by Tim Günther.
Our students Nurullah Erinola, Nils Engelberts and David Herring did a great job improving the execution of XSW and implementing a much better UI.

---

[1] On Breaking SAML - Be Whoever You Want to Be
[2] Your Software at My Service
[3] Se­cu­ri­ty Ana­ly­sis of XAdES Va­li­da­ti­on in the CEF Di­gi­tal Si­gna­tu­re Ser­vices (DSS)
[4] WS-Attacker

Related articles

• Ingeniería Social El Arte Del Hacking Personal
• Hacking Linux Distro
• Hacking Con Buscadores
• Diferencia Entre Hacker Y Cracker

Lulzbuster - A Very Fast And Smart Web Directory And File Enumeration Tool Written In C

Lulzbuster is a very fast and smart web directory and file enumeration tool written in C.

Usage

$ lulzbuster -H
    __      __      __               __
   / /_  __/ /___  / /_  __  _______/ /____  _____
  / / / / / /_  / / __ \/ / / / ___/ __/ _ \/ ___/
 / / /_/ / / / /_/ /_/ / /_/ (__  ) /_/  __/ /
/_/\__,_/_/ /___/_.___/\__,_/____/\__/\___/_/

        --==[ by nullsecurity.net ] ==--

usage

  lulzbuster -s <arg> [opts] | <misc>

target options

  -s <url>       - start url to begin scan with

http options

  -h <type>      - http request type (default: GET) - ? to list types
  -x <code>      - exclude http status codes (default: 400,404,500,501,502,503
                   multi codes separated by ',')
  -f             - follow http redirects. hint: better try appending a '/'
                   with '-A' option first instead of using '-f'
  -F <num>       - num level to follow http redirects (default: 0)
  -u <str>       - use   r-agent string (default: built-in windows firefox)
  -U             - use random built-in user-agents
  -c <str>       - pass custom header(s) (e.g. 'Cookie: foo=bar; lol=lulz')
  -a <creds>     - http auth credentials (format: <user>:<pass>)
  -r             - turn on auto update referrer
  -j <num>       - define http version (default: curl's default) - ? to list

timeout options

  -D <num>       - num seconds for delay between requests (default: 0)
  -C <num>       - num seconds for connect timeout (default: 10)
  -R <num>       - num seconds for request timeout (default: 30)
  -T <num>       - num seconds to give up and exit lulzbuster completely
                   (default: none)

tuning options

  -t <num>       - num threads for concurrent scanning (default: 30)
  -g <num>       - num connection cache size for curl (default: 30)
                   note: this value should always equal to -t's value

other options

  -w <file>      - wordlist file
                   (default: /usr/local/share/lulzbuster/lists/medium.txt)
  -A <str>       - append any words separated by comma (e.g. '/,.php,~bak)
  -p <addr>      - proxy address (format: <scheme>://<host>:<port>) - ? to
                   list supported schemes
  -P <creds>     - proxy auth credentials (format: <user>:<pass>)
  -i             - insecure mode (skips ssl/tls cert verification)
  -S             - smart mode aka eliminate false-positives, more infos,
                   et   c. (use this if speed is not your 1st priority!)
  -n <str>       - nameservers (default: '1.1.1.1,8.8.8.8,208.67.222.222'
                   multi separated by '.')
  -l <file>      - log found paths and valid urls to file

misc

  -X             - print built-in user-agents
  -V             - print version of lulzbuster and exit
  -H             - print this help and exit

Author
noptrix

Notes

• clean code; real project
• lulzbuster is already packaged and available for BlackArch Linux
• My master-branches are always stable; dev-branches are created for current work.
• All of my public stuff you find are officially announced and published via nullsecurity.net.

Disclaimer
We hereby emphasize, that the hacking related stuff found on nullsecurity.net are only for education purposes. We are not responsible for any damages. You are responsible for your own actions.

Download Lulzbuster

via KitPloit

This article is the property of Tenochtitlan Offensive Security. Verlo Completo --> https://tenochtitlan-sec.blogspot.com

More articles

1. Mindset Hacking Nacho
2. Sean Ellis Hacking Growth
3. Herramientas Hacking
4. Hacking Linux
5. Hacking Curso
6. Python Desde 0 Hasta Hacking - Máster En Hacking Con Python

How To Change Facebook’s Default Theme To Any Color You Want

How To Change Facebook's Default Theme To Any Color You Want

We are going to share an interesting trick on changing your Facebook default theme. You just need a Google Chrome extension to perform this trick. If you are among me who feels very fatigued with the look of Facebook's by default theme then this is a must-see post because you will find out the easiest trick to make your facebook more attractive than before.

Facebook is a social networking site which empowers people to connect with friends and people around. That's how Facebook is habitually introduced. However, Facebook is beyond the need of being introduced as almost everyone is on it.

   A couple of Days ago I was simply Surfing Google Chrome website and I somehow stumbled upon a Chrome Extension. Yes, a Chrome extension that will give your Facebook a Whole new look. I was apprehensive to try it, So I just installed it and checked my facebook. I was astonished to see my facebook homepage have all new look. I found it refreshing and decided to write steps on How to Change Facebook Themes using Chrome Extension.

How To Change Facebook's Default Theme To Any Color You Want

If You are among me who feels very fatigued with the look of Facebook's by default theme then this is a must-see post, Because you will find out the easiest trick to make your facebook more attractive than before. Simply follow the steps to know about it.

How to Change Facebook Theme Using Chrome Extension

Step 1. Install Stylish for Chrome from the Chrome Web Store. It will take hardly a minute to get installed in your Chrome browser.

Change Facebook Theme Using Chrome Extension

Step 2. Navigate to Facebook.com and click on the S button. Click on Find Styles for this Site to open a new tab with free themes to use for Facebook. Most of the themes are free and attractive too you can easily browse over the full website to discover your favorite theme.

Change Facebook Theme Using Chrome Extension

Step 3. Now You will be redirected towards https://userstyles.org Guess what! This site contains huge numbers of Facebook themes, One thing is for sure that you will be confused in-between what to select and which one to skip. Select any them and click on it. Now you will be given a full preview of your selected theme.

Change Facebook Theme Using Chrome Extension

Step 4. If everything is fine in the previewed theme, click on Install with Stylish button at the top right corner of the page. It will take few seconds or minutes depends on your theme size to be installed in Stylish Extension, once installed you will be notified with a success message.

Change Facebook Theme Using Chrome Extension

Step 5. Now whenever you open Facebook, it will show the theme that you have installed with Stylish instead of the boring old blue theme.

Change Facebook Theme Using Chrome Extension

Related news

1. Hacking Ético
2. Kali Hacking
3. Hacking Wireless 101 Pdf
4. Que Es Un Hacker
5. Phone Hacking
6. Como Hackear
7. Hacking Course
8. Reddit Hacking
9. Como Aprender A Hackear Desde Cero

Top 5 Best TV Series Based On Hacking & Technology 2018

Top 5 Best TV Series Based On Hacking & Technology 2018

Top 5 Best TV Series Based On Hacking And Technology 2018

Well, if you are a tech fanatic then you will love watching TV shows which are based on hacking and technology. If you are a tech geek, then you will know that hacking stuff in movies/serials always generates glamor and mystery and adds that special oomph factor to the movie or Tv SHOW.

However, there are not much movies/ or TV serials made on hacking and technology. Technology is rapidly becoming the key point in human lives. The previous year we have seen how hackers had made their marks on giant companies. So, in this article, we are going to discuss top TV shows which have to hack as the central theme. So, have a look at the list.

#1 Mr. Robot

Mr. Robot: Best TV Series Based On Hacking & Technology 2018

Well, the reason why I listed Mr. Robot on the top is because this show has millions of followers and this is the first show that portrays an elite hacker. The elite hacker group uses computers, smartphones and many other technologies to penetrate secure network to take down evil corporation while being anonymous. The show displays the life of a young programmer named Elliot who works as a cyber-security engineer and a vigilante hacker by night.

#2 Silicon Valley

Silicon Valley

This TV series displays the tech and hacking with a bit of comic touch. The series shows the competition between techies in the high-tech gold rush of modern Silicon Valley. What's more interesting is the people who are more qualified are least successful whereas underdogs are making it big. This show is running successfully for three years now.

Read more;- How To Hack Any Game On Your Android Smartphones

#3 The IT Crowd

The IT Crowd

The IT Crowd is very popular series and is running successfully for eight years from 2006 to 2013. It is not like Mr.Robot it has its moments of hacks. The series shows the comedic adventures of a rag-tag group of technical support workers at a large corporation.

#4 Person Of Interest

Person Of Interest

It is one of the best TV series made till now. You will get to see the humor, twists, and lots of other things. In this show and intelligent programmer built and AI (Artificial intelligence) that helps to stop the crimes in the city. The show will definitely give you chills.

Read more;- Top 5 Free Online Courses To Learn Artificial Intelligence

#5 Chuck

Chuck: Best TV Series Based On Hacking & Technology 2018

The TV series was somehow popular and ran from 2007 to 2013. The show shows the character of a young hacker and nerd who accidentally downloads US Govt, secrets into his brain and there is where the story starts CIA and NSA agents protect him and at the same time exploit him.

More articles

1. Mindset Hacking Español
2. Experto En Seguridad Informática
3. Car Hacking
4. Ingeniería Social El Arte Del Hacking Personal
5. Curso De Hacking
6. Growth Hacking Marketing
7. Windows Hacking
8. Hacker En Español
9. Life Hacking
10. Hacking With Swift
11. Google Hacking Search

How To Start PHP And MYSQL | The Best Server For PHP And MYSQL | Tutorial 1

Many of people want to start PHP programming embedded with MYSQL databases concepts. So i thought that I should start a series about PHP and MYSQL. So in this series of video tutorials you exactly got the content about PHP and MYSQL.

As PHP is server side scripting language. So it requires a server to get execute over the web browser. First of all you have to download and install a server that may be XAMPP, WAMPP or LAMPP. I'm using XAMPP server in the tutorials. So if you wanna follow me then download a XAMPP server. I'm using this because it has a good interface to work  and it's really simple. XAMPP is compatible with windows, MAC and Linux operating as well. WAMPP is only for windows and LAMPP is used for MAC and Linux operating system. So i prefer XAMPP for this series.

How to create Database

Step 1:

Open Your XAMPP control panel and start Apache and Mysql services.

Step 2:

Go to your Web browser and type "localhost/phpmyadmin". It will open your databases area. If you have an error then your services are not in running state. If you have any error then comment below.

Step 3:

Click over the "new" to create a new database.

Step 4:

Write Database_Name and click over the Create button. For example Facebook, Students etc.

Step 5:

Write Table_Name like admin, users etc. your can increase and decrease the size of rows. Click over Save/Create button.

Step 6:

Write your Attribute_Names in first column like Username, Email, Passwords etc. In the next data type column you have to select the data type whether it is integer or string type etc. In the next column you have to set the length of string/words.

Step 7:

If you wanna go through with a Primary_Key. Then just you have to checked the Auto_Increment box as you will shown in the video. For further watch the video for better understanding.