Merge pull request #89 from d0ge/libxml2

CVE-2025-23369

Author: tobiashort

BappManifest.bmf

@@ -2,12 +2,12 @@ Uuid: c61cfa893bb14db4b01775554f7b802e
 ExtensionType: 1
 Name: SAML Raider
 RepoName: saml-raider
-ScreenVersion: 2.2.1
-SerialVersion: 20
+ScreenVersion: 2.3.0
+SerialVersion: 21
 MinPlatformVersion: 0
 ProOnly: False
 Author: Roland Bischofberger / Emanuel Duss / Tobias Hort-Giess
 ShortDescription: Provides a SAML message editor and a certificate management tool to help with testing SAML infrastructures.
-EntryPoint: build/libs/saml-raider-2.2.1.jar
+EntryPoint: build/libs/saml-raider-2.3.0.jar
 BuildCommand: ./gradlew jar
 SupportedProducts: Pro, Community

README.md

@@ -79,7 +79,7 @@ Don't forget to rate our extension with as many stars you like :smile:.
 ### Manual Installation
 
 First, download the latest SAML Raider version:
-[saml-raider-2.2.1.jar](https://github.com/SAMLRaider/SAMLRaider/releases/download/v2.2.1/saml-raider-2.2.1.jar).
+[saml-raider-2.3.0.jar](https://github.com/SAMLRaider/SAMLRaider/releases/download/v2.3.0/saml-raider-2.3.0.jar).
 Then, start Burp Suite and click in the `Extensions` tab on `Add`. Choose the
 SAML Raider JAR file to install it and you are ready to go.
 

build.gradle

@@ -2,7 +2,7 @@ plugins {
 	id "java-library"
 }
 
-version = "2.2.1"
+version = "2.3.0"
 
 repositories {
 	mavenCentral()

src/main/java/application/SamlTabController.java

@@ -10,20 +10,17 @@
 import burp.api.montoya.ui.Selection;
 import burp.api.montoya.ui.editor.RawEditor;
 import burp.api.montoya.ui.editor.extension.ExtensionProvidedHttpRequestEditor;
+import gui.CVEHelpWindow;
 import gui.SamlMain;
 import gui.SamlPanelInfo;
 import gui.SignatureHelpWindow;
 import gui.XSWHelpWindow;
+import helpers.CVE_2025_23369;
 import helpers.XMLHelpers;
 import helpers.XSWHelpers;
-import model.BurpCertificate;
-import org.w3c.dom.*;
-import org.xml.sax.SAXException;
-
-import javax.xml.crypto.MarshalException;
-import javax.xml.crypto.dsig.XMLSignatureException;
-import javax.xml.parsers.ParserConfigurationException;
-import java.awt.*;
+import java.awt.Component;
+import java.awt.Desktop;
+import java.awt.Toolkit;
 import java.awt.datatransfer.Clipboard;
 import java.awt.datatransfer.StringSelection;
 import java.io.File;
@@ -41,6 +38,16 @@
 import java.util.List;
 import java.util.Observable;
 import java.util.Observer;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.parsers.ParserConfigurationException;
+import model.BurpCertificate;
+import org.w3c.dom.DOMException;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
 
 import static java.util.Objects.requireNonNull;
 
@@ -473,6 +480,22 @@ public void showXSWPreview() {
         }
     }
 
+    public void applyCVE() {
+        try {
+            var cve = samlGUI.getActionPanel().getSelectedCVE();
+            switch (cve) {
+                case CVE_2025_23369.CVE:
+                    samlMessage = CVE_2025_23369.apply(orgSAMLMessage);
+                    textArea.setContents(ByteArray.byteArray(samlMessage));
+                    isEdited = true;
+                    setInfoMessageText("%s applied".formatted(cve));
+            }
+        } catch (Exception exc) {
+            setInfoMessageText(exc.getMessage());
+            BurpExtender.api.logging().logToError(exc);
+        }
+    }
+
     public void applyXSW() {
         Document document;
         try {
@@ -562,6 +585,13 @@ public void setGUIEditable(boolean editable) {
         }
     }
 
+    public void showCVEHelp() {
+        var cve = samlGUI.getActionPanel().getSelectedCVE();
+        var window = new CVEHelpWindow(cve);
+        window.setLocationRelativeTo(BurpExtender.api.userInterface().swingUtils().suiteFrame());
+        window.setVisible(true);
+    }
+
     public void showSignatureHelp() {
         var window = new SignatureHelpWindow();
         window.setLocationRelativeTo(BurpExtender.api.userInterface().swingUtils().suiteFrame());

src/main/java/gui/CVEHelpWindow.java

@@ -0,0 +1,60 @@
+package gui;
+
+import helpers.CVE_2025_23369;
+import java.awt.BorderLayout;
+import java.io.Serial;
+import javax.swing.JFrame;
+import javax.swing.JScrollPane;
+import javax.swing.JTextPane;
+
+public class CVEHelpWindow extends JFrame {
+
+    @Serial
+    private static final long serialVersionUID = 1L;
+
+    public CVEHelpWindow(String cve) {
+        String description;
+        if (cve.equals(CVE_2025_23369.CVE)) {
+            description = """
+                   <ol>
+                       <li>
+                           You need a SAMLResponse with Signed Message & Assertion that is valid and accepted by the server.
+                       </li>
+                       <li>
+                           Apply the CVE to the SAMLResponse without any prior changes. See whether the
+                           SAMLResponse is still accepted. If so, this is an indicator that the server is
+                           vulnerable.
+                       </li>
+                       <li>
+                           After the CVE has been applied you can try to change one of the fake assertions attribute
+                           to bypass authentication. The fake assertion ID is constructed by appending "ffff" 
+                           to the original assertion ID. This modified assertion can be found at the end of the XML document.
+                       </li>
+                   </ol>
+                   """;
+        } else {
+            description = "no description";
+        }
+
+        var text = """
+                <h1>%s</h1>
+                %s
+                """;
+
+        text = text.formatted(cve, description);
+
+        var textPane = new JTextPane();
+        textPane.setContentType("text/html");
+        textPane.setEditable(false);
+        textPane.setCaret(null);
+        textPane.setText(text);
+
+        var scrollPane = new JScrollPane(textPane);
+
+        setTitle(cve + " Help");
+        setSize(1200, 720);
+        setDefaultCloseOperation(JFrame.DISPOSE_ON_CLOSE);
+        setLayout(new BorderLayout());
+        add(scrollPane, BorderLayout.CENTER);
+    }
+}

src/main/java/gui/SamlPanelAction.java

@@ -1,6 +1,7 @@
 package gui;
 
 import application.SamlTabController;
+import helpers.CVE_2025_23369;
 import java.awt.BorderLayout;
 import java.awt.Component;
 import java.awt.GridBagConstraints;
@@ -11,7 +12,16 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Optional;
-import javax.swing.*;
+import javax.swing.BorderFactory;
+import javax.swing.DefaultComboBoxModel;
+import javax.swing.JButton;
+import javax.swing.JComboBox;
+import javax.swing.JLabel;
+import javax.swing.JOptionPane;
+import javax.swing.JPanel;
+import javax.swing.JScrollPane;
+import javax.swing.JTextField;
+import javax.swing.SwingUtilities;
 import javax.swing.border.EmptyBorder;
 import model.BurpCertificate;
 import net.miginfocom.swing.MigLayout;
@@ -34,6 +44,10 @@ public class SamlPanelAction extends JPanel {
     private final JButton btnTestXXE = new JButton("Test XXE");
     private final JButton btnTestXSLT = new JButton("Test XSLT");
 
+    private final JComboBox<String> cmbboxCVE = new JComboBox<>();
+    private final JButton btnCVEApply = new JButton("Apply CVE");
+    private final JButton btnCVEHelp = new JButton("Help");
+
     private final JButton btnSignatureHelp = new JButton("Help");
     private final JComboBox<BurpCertificate> cmbboxCertificate = new JComboBox<>();
     private final JButton btnSignatureRemove = new JButton("Remove Signatures");
@@ -92,6 +106,21 @@ private void initialize() {
         xmlAttacksPanel.add(btnTestXXE, "split 2");
         xmlAttacksPanel.add(btnTestXSLT, "wrap");
 
+        cmbboxCVE.setModel(new DefaultComboBoxModel<>(new String[]{
+                CVE_2025_23369.CVE
+        }));
+
+        btnCVEApply.addActionListener(event -> controller.applyCVE());
+
+        btnCVEHelp.addActionListener(event -> controller.showCVEHelp());
+
+        var cvePanel = new JPanel();
+        cvePanel.setBorder(BorderFactory.createTitledBorder("CVEs"));
+        cvePanel.setLayout(new MigLayout());
+        cvePanel.add(cmbboxCVE);
+        cvePanel.add(btnCVEApply);
+        cvePanel.add(btnCVEHelp, "wrap");
+
         btnSignatureHelp.addActionListener(event -> controller.showSignatureHelp());
 
         btnSignatureRemove.addActionListener(event -> controller.removeSignature());
@@ -117,6 +146,7 @@ private void initialize() {
         actionPanels.setLayout(new MigLayout());
         actionPanels.add(samlMessagePanel, actionPanelConstraints);
         actionPanels.add(xswAttacksPanel, actionPanelConstraints);
+        actionPanels.add(cvePanel, actionPanelConstraints);
         actionPanels.add(xmlAttacksPanel, actionPanelConstraints);
         actionPanels.add(signatureAttacksPanel, actionPanelConstraints);
 
@@ -149,6 +179,10 @@ public String getSelectedXSW() {
         return (String) cmbboxXSW.getSelectedItem();
     }
 
+    public String getSelectedCVE() {
+        return (String) cmbboxCVE.getSelectedItem();
+    }
+
     public void disableControls() {
         cmbboxCertificate.setEnabled(false);
         cmbboxXSW.setEnabled(false);
@@ -164,6 +198,8 @@ public void disableControls() {
         btnMatchAndReplace.setEnabled(false);
         btnTestXXE.setEnabled(false);
         btnTestXSLT.setEnabled(false);
+        cmbboxCVE.setEnabled(false);
+        btnCVEApply.setEnabled(false);
         this.revalidate();
     }
 
@@ -182,6 +218,8 @@ public void enableControls() {
         btnMatchAndReplace.setEnabled(true);
         btnTestXXE.setEnabled(true);
         btnTestXSLT.setEnabled(true);
+        cmbboxCVE.setEnabled(true);
+        btnCVEApply.setEnabled(true);
         this.revalidate();
     }