
Message Editor UI improvements#101

Open
intrudir wants to merge 28 commits into CompassSecurity:master from intrudir:master

Conversation

@intrudir intrudir commented Feb 4, 2026

Hi, I hit it with Claude Code for some UI improvements! So far I have just updated the message editor tab. Updates are below. More to come soon as I test and play around with some targets.

UI Modernization & Build Improvements

Build System

  • Cross-platform builds — removed machine-specific org.gradle.java.home pin; builds now work on any OS without path edits
  • Gradle wrapper bumped to 9.2.1 — supports Java 21–25 out of the box
  • Java 21 toolchain — compiles against JDK 21 regardless of system default via Gradle toolchains

SAML Message Editor

  • Pretty-printed XML — SAML messages are auto-formatted with 2-space indentation on load instead of displaying as a single unreadable line
  • XML syntax highlighting — custom JTextPane-based highlighter colors tags, attributes, values, comments, CDATA, and processing instructions. Matches Burp dark/light theme automatically
  • Fully editable — edit the prettified XML directly; changes are re-encoded (base64/deflate/URL-encode) in the original format when you hit Send
  • Format XML button — re-indent the XML at any time during editing

Attack Panel

  • Compact layout — collapsed 5 bordered sections (~460px) into clean labeled rows (~195px), giving significantly more space to the XML editor
  • Section separators with bold labels for Message / Attacks / Signing
  • CVE and XML attacks on separate rows for clarity
  • Renamed "Send Certificate to SAML Raider Certificates" → "Store Certificate", moved under Signing
  • Help buttons replaced with compact ? icons
[screenshot]
  • Live search bar — type to find, all matches highlighted, Enter/Shift+Enter to cycle through results, match counter (e.g. 1 / 12)
  • Lil arrows to move up/down on searched text
  • Soft wrap enable/disable
[screenshot]
  • Modified the OOB payload pop-up. Now, instead of asking for a collab URL, you have the option of having Burp handle collab or using a custom domain.
[screenshot]

Cleanup

  • Removed redundant "Parsed & Prettified" panel from SAML Message Info tab (the main editor now handles this)
  • Removed RSyntaxTextArea dependency (replaced with zero-dependency custom highlighter)
  • Updated screenshots in README

intrudir and others added 28 commits February 4, 2026 15:01

- Remove applyThemeToComponent() call that broke RSyntaxTextArea key input
- Explicitly set editor as enabled and focusable
- Remove redundant Parsed & Prettified panel from SAML Message Info tab

RSyntaxTextArea had key input issues inside Burp's Swing environment.
Replaced with a thin wrapper around Burp's own RawEditor which handles
theming, editability, and selection natively.  Prettification is preserved.

Use plain JScrollPane instead of RTextScrollPane to avoid focus/input
conflicts in Burp's Swing environment.  Set thread context ClassLoader
during construction so RSyntaxTextArea can load its internal resources
through Burp's plugin ClassLoader.  Theme colors applied manually to
match Burp dark/light mode.

RSyntaxTextArea breaks keyboard input inside Burp's Swing environment.
Replaced with a pure-Swing JTextPane + state-machine tokenizer that
colors XML tags, attributes, values, comments, CDATA, and PIs.
No external dependency — zero Swing/ClassLoader conflicts.

- Debounced highlighting (150ms) for smooth typing
- Dark/light theme support matching Burp
- Horizontal scroll (no line wrapping)
- Removed RSyntaxTextArea dependency from build

Type to search — all matches highlighted, auto-scrolls to first match.
Enter = next match, Shift+Enter = previous, Escape = clear.
Match counter shows current position (e.g. 3 / 12).

Flatten all attack categories into 4 rows instead of 5 titled sections.
Replace verbose Help buttons with small '?' buttons.  Combine CVE and
XML attacks into one row.  Reduce panel preferred height from 460px to
130px — gives much more room to the XML editor.

Increase vertical gap between rows (2px → 6px) and padding around edges.

Rename 'Send Certificate to SAML Raider Certificates' → 'Store Certificate'.
Add bold section labels and horizontal separators between groups:
  Message | separator | XSW / CVE / XML | separator | Signing
Split CVE and XML into separate rows for clarity.
Move Store Certificate under Signing section where it belongs.

Replace plain text input with a dialog offering two options:
- 'Use Burp Collaborator' checkbox (auto-generates payload via API)
- 'OOB Domain' text field for custom domains (disabled when Collaborator
  is checked, enabled when unchecked)

Collaborator is selected by default.  Handles errors gracefully if
Collaborator is not available.  Used by both Test XXE and Test XSLT.

Check BurpSuiteEdition at runtime — if not Professional, the 'Use Burp
Collaborator' checkbox is unchecked and disabled with a tooltip explaining
why.  OOB Domain field is enabled by default on Community so the user
can enter a custom domain immediately.

- Previous/next match buttons (▲/▼) next to search field
- Soft wrap checkbox (visual only, no text modification)
- Wrap controls JTextPane viewport tracking, not document content

Adds 15 new static attack helpers covering signature bypass (HMAC
confusion, dupe-key confusion, digest tamper), pre-auth SSRF/RCE
(KeyInfo SSRF, SigRef SSRF, encryption SSRF, XSLT payloads), value
injection (comment/PI injection, XSS, issuer confusion), assertion
manipulation (validity extension, status override, audience removal),
request-side attacks (ACS spoof, metadata import), and CVE-2024-45409
(ruby-saml prepend-unsigned-assertion).

Each helper has a dedicated JUnit test. Includes ATTACKS.md playbook
with step-by-step instructions and workflow cookbooks for common
pentest scenarios.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

XSLTPayloadDialog lets the tester pick a payload flavor (Saxon SSRF,
Xalan exec, Xalan class instantiation) and target URL or command, with
optional Burp Collaborator URL generation on Pro. XSSPayloadDialog
picks the target field and custom payload. MetadataImportDialog fetches
metadata from a URL or accepts a paste, used to populate certs for
cloning and dupe-key attacks.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

SamlPanelAction replaces the flat wall-of-buttons layout with a
JTabbedPane grouping attacks into seven focused tabs (Signatures,
Injection, SSRF/RCE, Assertion, CVE, XSW, Request), with Message
controls pinned at the top and the Signing row pinned at the bottom.

SamlPanelInfo adds a Response Information section (Status, Destination,
IssueInstant, InResponseTo) and expands Encryption Information with Key
Transport algorithm and Key Identifier, so encrypted-assertion responses
surface useful context without needing to decrypt.

SamlXmlEditor adds syntax highlighting, live search, and soft-wrap.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Adds getResponseAttribute(), getStatusCode(), getKeyTransportAlgorithm(),
and getEncryptionKeyIdentifier() to extract data from the outer Response
element and EncryptedKey structure without needing to decrypt the
assertion. Also adds getSubjectNameID() for extracting NameID from
encrypted assertion contexts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

SamlTabController adds handler methods for all 15 new attack helpers,
wires them to the new UI actions, and tracks signature staleness: after
any mutation the panel shows a warning indicating the signature is stale
so the tester knows whether to re-sign or forward as-is. The info panel
is updated to populate the new Response Information and Encryption
metadata fields. CVE-2024-45409 is added to the CVE dropdown.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

SamlMessageDecoder: fix Illegal base64 character 0x20 caused by URL
decoding converting '+' to spaces in POST bodies; strip Hackvertor tags
(<@tag>...</@tag>) before decoding so the tab survives requests wrapped
in any Hackvertor transform.

SamlMessageAnalyzer: add extractParameterValue() which falls back to a
raw-body scan with Hackvertor stripping when Burp's URL param parser
returns null (literal '<' in body breaks standard parsing). Wrap the
decode step in analyze() so decode failures never hide the tab. Use
extractParameterValue() in setRequestResponse() to prevent NPE when
parameterValue() returns null.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
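Two of the changes above turn on the same small piece of plumbing: the editable XML in the PR description has to be re-encoded in whatever format the message arrived in (base64, or raw DEFLATE plus base64 plus URL-encoding for the Redirect binding), and the SamlMessageDecoder fix has to survive a value whose '+' characters were turned into spaces by URL decoding and that may be wrapped in Hackvertor tags. The following is an added Python illustration of that round trip, written for this page; it is not SAML Raider's Java code. The AuthnRequest is a constructed sample, and the Hackvertor handling (remove only the tag markers, keep the wrapped text) is an assumption about what "strip" means in the commit message.

```python
"""Decode / pretty-print / re-encode a SAML parameter in both common bindings.

Added example, not SAML Raider code.  Assumptions: Hackvertor tags are
removed but the text they wrap is kept; the sample message is constructed.
"""
import base64
import re
import zlib
from urllib.parse import quote, unquote
from xml.dom import minidom

REDIRECT = "redirect"  # HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encode
POST = "post"          # HTTP-POST binding: base64 in a form field (URL-encoded)

# Hackvertor wraps a value like <@base64>...</@base64>; tags may carry arguments
# such as <@replace("a","b")>.  Assumption: only the tag markers are removed.
_HACKVERTOR_TAG = re.compile(r"</?@[A-Za-z0-9_]+(?:\([^)]*\))?>")


def strip_hackvertor_tags(value: str) -> str:
    return _HACKVERTOR_TAG.sub("", value)


def repair_base64(value: str) -> str:
    """Undo the usual mangling of a SAML parameter before base64-decoding it.

    Form-urlencoded decoding turns a literal '+' into ' ' (the 0x20 error in
    the PR).  Base64 never contains spaces, so every interior space must have
    been a '+'.  Newlines/tabs from a wrapped display are simply dropped.
    """
    value = strip_hackvertor_tags(value).strip()
    value = re.sub(r"[\r\n\t]", "", value)
    return value.replace(" ", "+")


def decode_saml(param: str, binding: str) -> str:
    """Return the XML carried by a SAMLRequest/SAMLResponse parameter value.

    Accepts the value as sent (percent-encoded) or already URL-decoded by a
    proxy: base64 contains no '%', so unquote() is a no-op on decoded input.
    """
    data = base64.b64decode(repair_base64(unquote(param)), validate=True)
    if binding == REDIRECT:
        data = zlib.decompress(data, wbits=-15)  # raw DEFLATE, no zlib header
    return data.decode("utf-8")


def encode_saml(xml: str, binding: str) -> str:
    """Inverse of decode_saml: re-encode edited XML in the original format."""
    data = xml.encode("utf-8")
    if binding == REDIRECT:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return quote(base64.b64encode(data).decode("ascii"), safe="")


def _drop_blank_text(node) -> None:
    """Remove whitespace-only text nodes so pretty-printing is idempotent."""
    for child in list(node.childNodes):
        if child.nodeType == child.TEXT_NODE and not child.data.strip():
            node.removeChild(child)
        elif child.nodeType == child.ELEMENT_NODE:
            _drop_blank_text(child)


def pretty_print(xml: str) -> str:
    """Format XML with 2-space indentation, as the editor in the PR does.

    Whitespace inside signed elements changes here, so any XML signature over
    the message is stale until it is recomputed (the PR's staleness warning).
    """
    doc = minidom.parseString(xml)
    _drop_blank_text(doc.documentElement)
    return doc.toprettyxml(indent="  ")


def simulate_proxy_damage(param: str) -> str:
    """Constructed input reproducing the failure the decoder fix addresses:
    the value was URL-decoded ('+' became ' ') and wrapped in a Hackvertor tag."""
    return "<@base64>" + unquote(param).replace("+", " ") + "</@base64>"


# Constructed sample: a one-line AuthnRequest as it appears before prettifying.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0" '
    'IssueInstant="2026-02-04T15:01:00Z" AssertionConsumerServiceURL="https://sp.example/acs">'
    "<saml:Issuer>https://sp.example</saml:Issuer>"
    '<samlp:NameIDPolicy AllowCreate="true"/></samlp:AuthnRequest>'
)

if __name__ == "__main__":
    wire = encode_saml(SAMPLE_XML, REDIRECT)
    edited = pretty_print(decode_saml(simulate_proxy_damage(wire), REDIRECT))
    print(edited)
    print(encode_saml(edited, REDIRECT)[:60] + "...")
```

The decoder never trusts the proxy's URL decoding: it strips the Hackvertor markers, restores '+' from spaces, and only then base64-decodes with validation, so a malformed value fails with a clear error rather than silently producing garbage XML.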
