CompassSecurity · intrudir · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026
diff --git a/README.md b/README.md
@@ -27,6 +27,8 @@ Features of the SAML Raider message editor:
 * Supported Profiles: SAML Webbrowser Single Sign-on Profile, Web Services
   Security SAML Token Profile
 * Supported Bindings: POST Binding, Redirect Binding, SOAP Binding, URI Binding
+* XML is pretty printed, syntax highlighted and editable live
+* Search field at the bottom to auto scroll & highlight searched text
 
 SAML Attacks:
 

diff --git a/build.gradle b/build.gradle
@@ -8,9 +8,11 @@ repositories {
 	mavenCentral()
 }
 
-compileJava {
-	targetCompatibility "21"
-	sourceCompatibility "21"
+// Build/compile against Java 21 regardless of system default Java
+java {
+	toolchain {
+		languageVersion = JavaLanguageVersion.of(21)
+	}
 }
 
 dependencies {
@@ -28,9 +30,10 @@ dependencies {
 	testImplementation libs.net.portswigger.burp.extensions.montoya.api
 	testImplementation libs.org.bouncycastle.bcpkix.jdk15on
 	testImplementation libs.org.junit.jupiter
+	testRuntimeOnly libs.org.junit.platform.launcher
 }
 
-compileJava {
+tasks.withType(JavaCompile).configureEach {
 	options.compilerArgs << "-Xlint:deprecation"
 }
 

diff --git a/doc/PLAYBOOK.md b/doc/PLAYBOOK.md
diff --git a/doc/saml_attacks.png b/doc/saml_attacks.png
diff --git a/doc/saml_info.png b/doc/saml_info.png
diff --git a/gradle.properties b/gradle.properties
@@ -0,0 +1,6 @@
+# Keep builds cross-platform.
+# This project uses Gradle toolchains (see build.gradle) to compile with Java 21.
+# Do NOT hard-pin org.gradle.java.home to a machine-specific path.
+
+# If a matching JDK isn't installed locally, allow Gradle to auto-provision one.
+org.gradle.java.installations.auto-download=true
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -7,6 +7,7 @@ net-portswigger-burp-extensions-montoya-api = "2024.7"
 org-apache-santuario-xmlsec = "2.1.7"
 org-bouncycastle-bcpkix-jdk15on = "1.52"
 org-junit-jupiter = "5.10.2"
+org-junit-platform-launcher = "1.10.2"
 xerces-xercesimpl = "2.12.2"
 
 [libraries]
@@ -18,4 +19,5 @@ net-portswigger-burp-extensions-montoya-api = { module = "net.portswigger.burp.e
 org-apache-santuario-xmlsec = { module = "org.apache.santuario:xmlsec", version.ref = "org-apache-santuario-xmlsec" }
 org-bouncycastle-bcpkix-jdk15on = { module = "org.bouncycastle:bcpkix-jdk15on", version.ref = "org-bouncycastle-bcpkix-jdk15on" }
 org-junit-jupiter = { module = "org.junit.jupiter:junit-jupiter", version.ref = "org-junit-jupiter" }
+org-junit-platform-launcher = { module = "org.junit.platform:junit-platform-launcher", version.ref = "org-junit-platform-launcher" }
 xerces-xercesimpl = { module = "xerces:xercesImpl", version.ref = "xerces-xercesimpl" }
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-9.2.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

diff --git a/src/main/java/application/CertificateTabController.java b/src/main/java/application/CertificateTabController.java
@@ -703,6 +703,10 @@ public List<BurpCertificate> getCertificatesWithPrivateKey() {
         return burpCertificateStore.getBurpCertificatesWithPrivateKey();
     }
 
+    public List<BurpCertificate> getAllCertificates() {
+        return burpCertificateStore.getBurpCertificates();
+    }
+
     /*
      * Remove
      */

diff --git a/src/main/java/application/SamlMessageAnalyzer.java b/src/main/java/application/SamlMessageAnalyzer.java
@@ -64,30 +64,44 @@ else if (request.hasParameter("wresult", HttpParameterType.BODY)) {
                 BurpExtender.api.logging().logToError(e);
             }
         } else {
-            var samlResponseInBody = request.parameterValue(samlResponseParameterName, HttpParameterType.BODY);
-            var samlResponseInUrl = request.parameterValue(samlResponseParameterName, HttpParameterType.URL);
-            var samlRequestInBody = request.parameterValue(samlRequestParameterName, HttpParameterType.BODY);
-            var samlRequestInUrl = request.parameterValue(samlRequestParameterName, HttpParameterType.URL);
+            var log = BurpExtender.api.logging();
+            log.logToOutput("[SAML Raider] analyze() — contentType=" + request.contentType()
+                    + " body[0..80]=" + request.bodyToString().replace("\n","").replace("\r","").substring(0, Math.min(80, request.bodyToString().length())));
+
+            var samlResponseInBody = extractParameterValue(request, samlResponseParameterName, HttpParameterType.BODY);
+            var samlResponseInUrl  = request.parameterValue(samlResponseParameterName, HttpParameterType.URL);
+            var samlRequestInBody  = extractParameterValue(request, samlRequestParameterName, HttpParameterType.BODY);
+            var samlRequestInUrl   = request.parameterValue(samlRequestParameterName, HttpParameterType.URL);
+
+            log.logToOutput("[SAML Raider] responseInBody=" + (samlResponseInBody != null ? samlResponseInBody.substring(0, Math.min(40, samlResponseInBody.length())) : "null")
+                    + " requestInBody=" + (samlRequestInBody != null ? samlRequestInBody.substring(0, Math.min(40, samlRequestInBody.length())) : "null"));
 
             isSAMLMessage =
                     samlResponseInBody != null
                             || samlResponseInUrl != null
                             || samlRequestInBody != null
                             || samlRequestInUrl != null;
 
+            log.logToOutput("[SAML Raider] isSAMLMessage=" + isSAMLMessage);
+
             if (isSAMLMessage) {
                 isSAMLRequest = samlRequestInBody != null || samlRequestInUrl != null;
                 isURLParam = samlResponseInUrl != null || samlRequestInUrl != null;
 
                 String message =
-                    Stream.of(samlResponseInBody, samlResponseInUrl, samlRequestInBody, samlRequestInUrl)
+                    Stream.<String>of(samlResponseInBody, samlResponseInUrl, samlRequestInBody, samlRequestInUrl)
                         .filter(str -> str != null)
                         .findFirst()
                         .orElseThrow();
 
-                var decodedSAMLMessage = SamlMessageDecoder.getDecodedSAMLMessage(message, isWSSMessage, isWSSUrlEncoded);
-                isInflated = decodedSAMLMessage.isInflated();
-                isGZip = decodedSAMLMessage.isGZip();
+                try {
+                    var decodedSAMLMessage = SamlMessageDecoder.getDecodedSAMLMessage(message, isWSSMessage, isWSSUrlEncoded);
+                    isInflated = decodedSAMLMessage.isInflated();
+                    isGZip = decodedSAMLMessage.isGZip();
+                } catch (Exception e) {
+                    // Decode failure doesn't hide the tab
+                    BurpExtender.api.logging().logToError(e);
+                }
             }
         }
 
@@ -102,6 +116,27 @@ else if (request.hasParameter("wresult", HttpParameterType.BODY)) {
                 isURLParam);
     }
 
+    /**
+     * Returns the value of a body parameter, falling back to a raw-body scan when Burp's
+     * URL-param parser returns null (e.g. because Hackvertor tags containing literal '<' chars
+     * are present in the body and break standard URL-encoded parsing).
+     */
+    public static String extractParameterValue(HttpRequest request, String paramName, HttpParameterType type) {
+        String value = request.parameterValue(paramName, type);
+        if (value != null) return value;
+
+        if (type != HttpParameterType.BODY) return null;
+
+        // Strip Hackvertor tags then scan the raw body for name=value
+        String rawBody = request.bodyToString().replaceAll("</?@[^>]+>", "");
+        String marker = paramName + "=";
+        int idx = rawBody.indexOf(marker);
+        if (idx < 0) return null;
+        String val = rawBody.substring(idx + marker.length());
+        int amp = val.indexOf('&');
+        return amp >= 0 ? val.substring(0, amp) : val;
+    }
+
     private SamlMessageAnalyzer() {
         // static class
     }

diff --git a/src/main/java/application/SamlMessageDecoder.java b/src/main/java/application/SamlMessageDecoder.java
@@ -26,7 +26,9 @@ public static DecodedSAMLMessage getDecodedSAMLMessage(String message, boolean i
         }
 
         String urlDecoded = BurpExtender.api.utilities().urlUtils().decode(message);
-        urlDecoded = urlDecoded.replaceAll("\\R", "");
+        urlDecoded = urlDecoded.replaceAll("\\R", "").replace(" ", "+");
+        // Strip Hackvertor tags (<@tag>...</@tag>) so the tab survives Hackvertor-wrapped requests
+        urlDecoded = urlDecoded.replaceAll("</?@[^>]+>", "").strip();
         byte[] base64Decoded = Base64.getDecoder().decode(urlDecoded);
 
         boolean isInflated = true;