The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

SAML - Shib Workflow

Stefan | Last updated: Feb 23, 2022 03:19PM UTC

Hi! I would like to use intruder to perform a brute force password attack on an Shibboleth IDP. But the problem I have is that they have strict workflow in order to allow that, which I am not able to reconstruct using macros. It is always a GET followed by a POST (followed by a GET if unsuccessful). The GET obtains an CSRF token as well as sets the current state via an URL parameter (execution=e1sX). Then usually the user provides credentials and presses submit. Then POST request sends the CSRF token along as well as the current state (e.g. e1s2). The response contains the next state variable (which usually is just the next number e.g. e1s3). I am stuck on how to automate this using macros. Because I need to send the GET in order to obtain the CSRF token. But if the GET request doesn't have the current state as parameter the whole flow breaks. Thus I would need to extract from the last existing POST the state and use it in the macro as input for the GET. GET /idp/profile/SAML2/POST/SSO?execution=e1s3 RESP HTML body: csrf_token POST /idp/profile/SAML2/POST/SSO?execution=e1s3 Body: {csrf_token} RESP HEADER Location: /idp/profile/SAML2/POST/SSO?execution={next_state} GET /idp/profile/SAML2/POST/SSO?execution={next_state, e.g. e1s4} I am not sure hot to do this other than writing an actual script in Go or Python. Is there a way to do this with Burp? Best, Stefan

Liam, PortSwigger Agent | Last updated: Feb 24, 2022 07:15AM UTC