Burp Suite User Forum


SAML - Shib Workflow

Stefan | Last updated: Feb 23, 2022 03:19PM UTC

Hi! I would like to use Intruder to perform a brute force password attack on a Shibboleth IdP. But the problem I have is that they have a strict workflow in order to allow that, which I am not able to reconstruct using macros. It is always a GET followed by a POST (followed by a GET if unsuccessful). The GET obtains a CSRF token as well as sets the current state via a URL parameter (execution=e1sX). Then usually the user provides credentials and presses submit. Then the POST request sends the CSRF token along as well as the current state (e.g. e1s2). The response contains the next state variable (which usually is just the next number, e.g. e1s3). I am stuck on how to automate this using macros. Because I need to send the GET in order to obtain the CSRF token. But if the GET request doesn't have the current state as parameter the whole flow breaks. Thus I would need to extract from the last existing POST the state and use it in the macro as input for the GET.

GET /idp/profile/SAML2/POST/SSO?execution=e1s3
RESP HTML body: csrf_token

POST /idp/profile/SAML2/POST/SSO?execution=e1s3
Body: {csrf_token}
RESP HEADER Location: /idp/profile/SAML2/POST/SSO?execution={next_state}

GET /idp/profile/SAML2/POST/SSO?execution={next_state, e.g. e1s4}

I am not sure how to do this other than writing an actual script in Go or Python. Is there a way to do this with Burp?

Best, Stefan
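Seen from the IdP operator's side, the same GET, POST, GET-with-next-state cycle is what a failed login looks like in the access log, which makes it a usable signal for spotting password guessing against the endpoint. Added example, not part of the original thread: the log format, addresses and timestamps are constructed, and the counting rule (a POST answered by a GET of the same flow with the step incremented by one) is an assumption derived from the workflow described above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample IdP access-log lines (not from the original post).
# 10.0.0.5 repeats GET -> POST -> GET with the execution step increasing each
# time (the "GET if unsuccessful" leg); 10.0.0.9 logs in once and leaves the flow.
SAMPLE_LOG = """\
10.0.0.5 [23/Feb/2022:15:10:01] "GET /idp/profile/SAML2/POST/SSO?execution=e1s1 HTTP/1.1" 200
10.0.0.5 [23/Feb/2022:15:10:02] "POST /idp/profile/SAML2/POST/SSO?execution=e1s1 HTTP/1.1" 302
10.0.0.5 [23/Feb/2022:15:10:02] "GET /idp/profile/SAML2/POST/SSO?execution=e1s2 HTTP/1.1" 200
10.0.0.5 [23/Feb/2022:15:10:03] "POST /idp/profile/SAML2/POST/SSO?execution=e1s2 HTTP/1.1" 302
10.0.0.5 [23/Feb/2022:15:10:03] "GET /idp/profile/SAML2/POST/SSO?execution=e1s3 HTTP/1.1" 200
10.0.0.5 [23/Feb/2022:15:10:04] "POST /idp/profile/SAML2/POST/SSO?execution=e1s3 HTTP/1.1" 302
10.0.0.5 [23/Feb/2022:15:10:04] "GET /idp/profile/SAML2/POST/SSO?execution=e1s4 HTTP/1.1" 200
10.0.0.9 [23/Feb/2022:15:11:00] "POST /idp/profile/SAML2/POST/SSO?execution=e1s1 HTTP/1.1" 302
10.0.0.9 [23/Feb/2022:15:11:00] "GET /sp/acs HTTP/1.1" 200
"""

# Only requests to the login endpoint are of interest; the execution parameter
# is split into its flow (e1) and step (sN) parts.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>GET|POST) '
    r'/idp/profile/SAML2/POST/SSO\?execution=e(?P<flow>\d+)s(?P<step>\d+) HTTP/1\.1" \d{3}$'
)

def parse(log_text):
    """Yield (ip, time, method, flow, step) for requests to the login endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S')
            yield m.group('ip'), ts, m.group('method'), int(m.group('flow')), int(m.group('step'))

def failed_attempt_times(events):
    """Per client: timestamps of POSTs followed by a GET of the same flow at step+1."""
    last_post, failures = {}, defaultdict(list)
    for ip, ts, method, flow, step in events:
        if method == 'POST':
            last_post[ip] = (flow, step)
        elif ip in last_post:
            pflow, pstep = last_post.pop(ip)
            if flow == pflow and step == pstep + 1:   # sent back to the login page
                failures[ip].append(ts)
    return dict(failures)

def flag_clients(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return clients with at least `threshold` failed attempts inside `window`."""
    flagged = []
    for ip, times in failed_attempt_times(parse(log_text)).items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(ip)
    return sorted(flagged)
```

Running `flag_clients(SAMPLE_LOG)` on the constructed log flags only 10.0.0.5; the thresholds are placeholders to tune against real traffic, since legitimate users also mistype passwords.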

Liam, PortSwigger Agent | Last updated: Feb 24, 2022 07:15AM UTC

Have you checked out Turbo Intruder? Attacks are configured using Python. This enables the handling of complex requirements such as signed requests and multi-step attack sequences.
