RUB-NDS/BurpSSOExtension

Error: Content is not allowed in prolog.

Closed this issue · 7 comments

EsPReSSO fails to parse some SAML requests. The Source Code tab of EsPReSSO says:

<error>Something went wrong during init.!</error>

...and the SAML Request tab is empty. The error log in Burp shows this:

[E] 12:10:11 - [de.rub.nds.burp.espresso.gui.attacker.saml.UISigWrapAttack]:	org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.
	com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:257)
	com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:348)
	wsattacker.library.xmlutilities.dom.DomUtilities.stringToDom(DomUtilities.java:468)
	de.rub.nds.burp.espresso.gui.attacker.saml.UISigWrapAttack.initXsw(UISigWrapAttack.java:332)
	de.rub.nds.burp.espresso.gui.attacker.saml.UISigWrapAttack.setCode(UISigWrapAttack.java:386)
	de.rub.nds.burp.utilities.listeners.CodeListenerController.notifyAll(CodeListenerController.java:60)
	de.rub.nds.burp.espresso.editor.saml.SAMLEditor$InputTab.setMessage(SAMLEditor.java:230)
	burp.v2c.a(Unknown Source)
	burp.rmb.a(Unknown Source)
	burp.rmb.b(Unknown Source)
	burp.pn.run(Unknown Source)
	java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
	java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
	java.awt.EventQueue.access$500(EventQueue.java:97)
	java.awt.EventQueue$3.run(EventQueue.java:709)
	java.awt.EventQueue$3.run(EventQueue.java:703)
	java.security.AccessController.doPrivileged(Native Method)
	java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:76)
	java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
	java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

java.lang.NullPointerException
	at burp.v2c.a(Unknown Source)
	at burp.rmb.a(Unknown Source)
	at burp.rmb.b(Unknown Source)
	at burp.pn.run(Unknown Source)
	at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
	at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:756)
	at java.awt.EventQueue.access$500(EventQueue.java:97)
	at java.awt.EventQueue$3.run(EventQueue.java:709)
	at java.awt.EventQueue$3.run(EventQueue.java:703)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:76)
	at java.awt.EventQueue.dispatchEvent(EventQueue.java:726)
	at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
	at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
	at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
	at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)

This is tested on Burp versions 1.7.13 and 1.6.01 with Oracle Java 1.8.0_60-b27 as well as OpenJDK.

Could you send us the raw SAML requests causing the exceptions? This will help us find the issue.

The NullPointerException should be fixed now. Please open another issue if you experience this again.

The said exception lineNumber: 1; columnNumber: 1; Content is not allowed in prolog. still occurs when parsing valid SAML requests / responses that contain newline characters.
In particular, %0D%0A occurrences seem to cause problems.

After having removed all %0D%0A occurrences, Espresso could process the SAML request / response which previously caused errors.

Ideally, the various newline characters (\n, \r\n) should be removed by the Espresso plugin before processing?

Thank you for reporting this issue!

This error usually occurs if the parsed XML starts with invalid characters, in particular if some characters precede the XML preamble <?xml version=1.0 .... However, the problem could also be caused by an encoding issue.
I don't know how to reproduce the problem right now. Would it be possible for you to provide us with an HTTP message that contains an affected SAML message?

I don't think it is caused by the first characters but rather by the newline characters, as mentioned. Please find the problematic SAML response below:

Python 2.7 code for obtaining the problematic SAML response:

import base64
import urllib

def split_len(seq, length):
    # split seq into consecutive chunks of the given length
    return [seq[i:i+length] for i in range(0, len(seq), length)]

s = samlString  # the decoded SAML response shown below
# base64-encode, wrap into 72-character lines joined by CRLF, then URL-encode (CRLF -> %0D%0A)
payload = urllib.quote("\r\n".join(split_len(base64.b64encode(s), 72)))

Payload:

PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoy%0D%0ALjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDph%0D%0Ac3NlcnRpb24iIElEPSJfOGU4ZGM1ZjY5YTk4Y2M0YzFmZjM0MjdlNWNlMzQ2MDZmZDY3MmY5%0D%0AMWU2IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNC0wNy0xN1QwMTowMTo0OFoi%0D%0AIERlc3RpbmF0aW9uPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2Fj%0D%0AcyIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkw%0D%0AMGI1MjczZDU2Njg1Ij4KICA8c2FtbDpJc3N1ZXI%2BaHR0cDovL2lkcC5leGFtcGxlLmNvbS9t%0D%0AZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPgogIDxzYW1scDpTdGF0dXM%2BCiAgICA8c2FtbHA6%0D%0AU3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpT%0D%0AdWNjZXNzIi8%2BCiAgPC9zYW1scDpTdGF0dXM%2BCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhz%0D%0AaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhz%0D%0APSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9kNzFhM2E4ZTlmY2M0%0D%0ANWM5ZTlkMjQ4ZWY3MDQ5MzkzZmM4ZjA0ZTVmNzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0%0D%0AYW50PSIyMDE0LTA3LTE3VDAxOjAxOjQ4WiI%2BCiAgICA8c2FtbDpJc3N1ZXI%2BaHR0cDovL2lk%0D%0AcC5leGFtcGxlLmNvbS9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPgogICAgPHNhbWw6U3Vi%0D%0AamVjdD4KICAgICAgPHNhbWw6TmFtZUlEIFNQTmFtZVF1YWxpZmllcj0iaHR0cDovL3NwLmV4%0D%0AYW1wbGUuY29tL2RlbW8xL21ldGFkYXRhLnBocCIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6%0D%0AdGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDp0cmFuc2llbnQiPl9jZTNkMjk0OGI0Y2YyMDE0%0D%0ANmRlZTBhMGIzZGQ2ZjY5YjZjZjg2ZjYyZDc8L3NhbWw6TmFtZUlEPgogICAgICA8c2FtbDpT%0D%0AdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4w%0D%0AOmNtOmJlYXJlciI%2BCiAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90%0D%0AT25PckFmdGVyPSIyMDI0LTAxLTE4VDA2OjIxOjQ4WiIgUmVjaXBpZW50PSJodHRwOi8vc3Au%0D%0AZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyIgSW5SZXNwb25zZVRvPSJPTkVMT0dJ%0D%0ATl80ZmVlM2IwNDYzOTVjNGU3NTEwMTFlOTdmODkwMGI1MjczZDU2Njg1Ii8%2BCiAgICAgIDwv%0D%0Ac2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPgogICAgPC9zYW1sOlN1YmplY3Q%2BCiAgICA8c2Ft%0D%0AbDpDb25kaXRpb25zIE5vdEJlZm9yZT0i
MjAxNC0wNy0xN1QwMTowMToxOFoiIE5vdE9uT3JB%0D%0AZnRlcj0iMjAyNC0wMS0xOFQwNjoyMTo0OFoiPgogICAgICA8c2FtbDpBdWRpZW5jZVJlc3Ry%0D%0AaWN0aW9uPgogICAgICAgIDxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zcC5leGFtcGxlLmNvbS9k%0D%0AZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U%2BCiAgICAgIDwvc2FtbDpBdWRpZW5j%0D%0AZVJlc3RyaWN0aW9uPgogICAgPC9zYW1sOkNvbmRpdGlvbnM%2BCiAgICA8c2FtbDpBdXRoblN0%0D%0AYXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTQtMDctMTdUMDE6MDE6NDhaIiBTZXNzaW9uTm90%0D%0AT25PckFmdGVyPSIyMDI0LTA3LTE3VDA5OjAxOjQ4WiIgU2Vzc2lvbkluZGV4PSJfYmU5OTY3%0D%0AYWJkOTA0ZGRjYWUzYzBlYjQxODlhZGJlM2Y3MWUzMjdjZjkzIj4KICAgICAgPHNhbWw6QXV0%0D%0AaG5Db250ZXh0PgogICAgICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNp%0D%0AczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29u%0D%0AdGV4dENsYXNzUmVmPgogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0PgogICAgPC9zYW1sOkF1%0D%0AdGhuU3RhdGVtZW50PgogICAgPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PgogICAgICA8c2Ft%0D%0AbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6%0D%0AU0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4KICAgICAgICA8c2FtbDpBdHRyaWJ1%0D%0AdGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVl%0D%0APgogICAgICA8L3NhbWw6QXR0cmlidXRlPgogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0i%0D%0AbWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1l%0D%0ALWZvcm1hdDpiYXNpYyI%2BCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9%0D%0AInhzOnN0cmluZyI%2BdGVzdEBleGFtcGxlLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4KICAg%0D%0AICAgPC9zYW1sOkF0dHJpYnV0ZT4KICAgICAgPHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBl%0D%0AcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoy%0D%0ALjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj4KICAgICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1%0D%0AZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2Vyczwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4KICAg%0D%0AICAgICA8c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5leGFtcGxl%0D%0Acm9sZTE8L3NhbWw6QXR0cmlidXRlVmFsdWU%2BCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU%2BCiAg%0D%0AICA8L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50PgogIDwvc2FtbDpBc3NlcnRpb24%2BCjwv
c2Ft%0D%0AbHA6UmVzcG9uc2U%2B

Properly decoded SAML response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">users</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
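As an added example that is not part of this thread or of the EsPReSSO code base, the following Python 3 script (the snippet above is Python 2.7, where `urllib.quote` is now `urllib.parse.quote`) reproduces the wrapped-and-quoted encoding on a short constructed SAML response, shows that a strict base64 decoder rejects the CR/LF characters inside the transport encoding, and then decodes the parameter the way a robust plugin should: strip whitespace from the base64 text only (not from the decoded XML, whose whitespace is covered by the XML signature digest), decode with validation, check that the result actually starts with `<` before handing it to an XML parser, and parse it. The function names, the sample response and its ID value are assumptions made up for this example.

```python
"""Decode a URL-encoded, line-wrapped base64 SAMLResponse parameter and parse it.

Added example for this issue thread; not EsPReSSO code. The SAML response
below is a shortened, constructed stand-in for the response posted above.
"""
import base64
import binascii
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample (assumption): a minimal SAML response, not the thread's one.
SAML_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id" Version="2.0">\n'
    '  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>\n'
    '  <samlp:Status>\n'
    '    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>\n'
    '  </samlp:Status>\n'
    '</samlp:Response>'
)


def wrap_and_quote(xml_text, width=72):
    """Reproduce the encoding from the thread: base64, wrapped into
    72-character lines joined by CRLF, then URL-encoded (CRLF -> %0D%0A)."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return urllib.parse.quote("\r\n".join(lines))


def strict_decode(param):
    """Naive decoder: URL-decode, then base64-decode with validation.
    Raises binascii.Error on the wrapped form, because CR and LF are not
    part of the base64 alphabet."""
    raw = urllib.parse.unquote(param)
    return base64.b64decode(raw, validate=True)


def decode_saml_parameter(param):
    """Tolerant decoder: URL-decode, drop whitespace from the transport
    encoding only, decode with validation, and check the result is XML."""
    raw = urllib.parse.unquote(param)
    # The line breaks belong to the base64 wrapping, not to the signed XML,
    # so removing them here cannot change what an XML signature covers.
    compact = "".join(raw.split())
    data = base64.b64decode(compact, validate=True)
    # Xerces reports "Content is not allowed in prolog" when anything other
    # than markup precedes the first '<' (a UTF-8 BOM passed through as a
    # string character is a common cause), so normalise and check up front.
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    if not data.lstrip().startswith(b"<"):
        raise ValueError("decoded SAMLResponse does not start with XML: %r" % data[:16])
    return data


def parse_saml_response(param):
    """Return (root tag, ID attribute) of the decoded response."""
    root = ET.fromstring(decode_saml_parameter(param))
    return root.tag, root.get("ID")


def demo():
    """Run both decoders on the wrapped payload; returns
    (strict decoder failed?, root tag, response ID)."""
    param = wrap_and_quote(SAML_XML)
    try:
        strict_decode(param)
        strict_failed = False
    except binascii.Error:
        strict_failed = True
    tag, ident = parse_saml_response(param)
    return strict_failed, tag, ident


if __name__ == "__main__":
    print(demo())
```

The whitespace stripping is deliberately applied before base64 decoding and never to the decoded document: the assertion's own line breaks and indentation are part of the signed content, and removing them there would invalidate the signature the extension later tries to analyse.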

Thanks a lot, I can reproduce the problem and am working on a solution.

A fix will be included in the next release (hopefully by the end of the week)