Depicting OpenID flow using a message sequence chart

l. vas Jun 07, 2019 11:07AM UTC

Dear Burp,
as part of a research group we are investigating possible ways of visualizing the OpenID communication from a tool we developed. It was suggested for this purpose to use BURP for its proxy capabilities and the fact that it already can identify and filter exactly what we need. We have seen this page here
https://portswigger.net/burp/extender#SampleExtensions
where you have some examples, and our idea was to create an extension that would log only the traffic we required based on the OpenID communication of the Identity Provider and the Client and based on that to draw the communication as a chart.
The goal is to use something similar to this http://www.mcternan.me.uk/mscgen/
which would allow us to visualize the communication.

Could you please evaluate the difficulty of such an attempt? Perhaps suggest an alternative or suggest an optimal course of action?

Any information you can share will be valuable.

Thank you
L.V


Paul Johnston Jun 10, 2019 03:56PM UTC Support Center agent

This is an interesting project. Yes, you could use Burp to intercept communication between a browser and web server. An extension could hook the IProxyListener interface and record messages that match particular criteria. You could then display these however you like.

If you are familiar with Java coding and web security, this would be moderately difficult. The main difficulty would be the visualization. Burp doesn’t help you much with that; you’d need to do custom coding.
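A sketch of the approach discussed in this thread, as an added example that is not part of the reply above and is not PortSwigger's code: a Burp extension using the legacy Extender API (`burp.*` interfaces) that hooks `IProxyListener`, keeps only messages whose request carries OpenID-looking parameters, and prints mscgen source when the extension is unloaded. The marker parameter names and the extension name are assumptions.

```java
package burp;
import java.util.*;

public class BurpExtender implements IBurpExtender, IProxyListener, IExtensionStateListener {
    // Assumption: request parameter names that mark OpenID / OpenID Connect messages.
    private static final List<String> MARKERS = Arrays.asList(
            "response_type", "client_id", "redirect_uri", "code", "id_token", "openid.mode");
    private final List<String> entities = new ArrayList<>(Arrays.asList("browser"));
    private final List<String> arcs = new ArrayList<>();
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("OpenID MSC logger"); // hypothetical name
        callbacks.registerProxyListener(this);
        callbacks.registerExtensionStateListener(this);
    }

    @Override
    public synchronized void processProxyMessage(boolean isRequest, IInterceptedProxyMessage message) {
        IHttpRequestResponse info = message.getMessageInfo();
        IRequestInfo req = helpers.analyzeRequest(info);
        List<String> hits = new ArrayList<>();
        for (IParameter p : req.getParameters())
            if (p.getType() != IParameter.PARAM_COOKIE && MARKERS.contains(p.getName()))
                hits.add(p.getName()); // names only: codes and tokens stay out of the chart
        if (hits.isEmpty()) return;
        String host = info.getHttpService().getHost();
        if (!entities.contains(host)) entities.add(host); // one chart column per host seen
        if (isRequest)
            arcs.add(arc("browser", "=>", host, req.getMethod() + " " + req.getUrl().getPath() + " " + hits));
        else
            arcs.add(arc(host, ">>", "browser", "HTTP " + helpers.analyzeResponse(info.getResponse()).getStatusCode()));
    }

    // One mscgen arc line; backslashes and quotes in the label are escaped.
    private static String arc(String from, String op, String to, String label) {
        return "  \"" + from + "\" " + op + " \"" + to + "\" [label=\""
                + label.replace("\\", "\\\\").replace("\"", "\\\"") + "\"];";
    }

    @Override
    public synchronized void extensionUnloaded() { // emit the mscgen source on unload
        callbacks.printOutput("msc {\n  \"" + String.join("\", \"", entities) + "\";\n"
                + String.join("\n", arcs) + "\n}");
    }
}
```

The text written to the extension's output tab can be saved to a file and rendered with mscgen. Traffic that never passes through the browser, such as a back-channel token request from the client to the Identity Provider, is not seen by the proxy and will not appear in the chart.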

