Depicting OpenID flow using a message sequence chart
As part of a research group we are investigating possible ways of visualizing the OpenID communication from a tool we developed. It was suggested for this purpose to use Burp for its proxy capabilities and the fact that it can already identify and filter exactly what we need. We have seen this page here, where you have some examples, and our idea was to create an extension that would log only the traffic we require, based on the OpenID communication between the Identity Provider and the Client, and, based on that, draw the communication as a chart.
The goal is to use something similar to this http://www.mcternan.me.uk/mscgen/ which would allow us to visualize the communication.
Could you please evaluate the difficulty of such an attempt, and perhaps suggest an alternative or an optimal course of action?
Any information you can share will be valuable.
This is an interesting project. Yes, you could use Burp to intercept communication between a browser and web server. An extension could hook the IProxyListener interface and record messages that match particular criteria. You could then display these however you like.
If you are familiar with Java coding and web security, this would be moderately difficult. The main difficulty would be the visualization. Burp doesn’t help you much with that; you’d need to do custom coding.
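As an added example (not code from this thread, from PortSwigger or from the poster's tool), here is the skeleton the answer describes, written for Burp's Jython extension support rather than Java: it hooks IProxyListener, keeps only OpenID 2.0 front-channel messages (recognised by the openid.mode parameter in the query string or form body), learns which host is the Identity Provider (OP) and which the Relying Party (RP) from openid.return_to / openid.op_endpoint, and emits mscgen source. The entity names Browser/RP/OP, the role heuristics and the hosts in demo() are assumptions made for the example; OpenID Connect would need extra cases in classify().

```python
# Added example (not Burp's or the poster's code): a Jython proxy listener that keeps only
# OpenID 2.0 front-channel messages and renders them as mscgen. Roles/hosts are assumptions.
try:                                     # Jython 2.7 inside Burp
    from urlparse import urlparse, parse_qs
except ImportError:                      # CPython 3 (offline / tests)
    from urllib.parse import urlparse, parse_qs
try:
    from burp import IBurpExtender, IProxyListener
except ImportError:                      # outside Burp: stand-ins so the module imports
    class IBurpExtender(object): pass
    class IProxyListener(object): pass

OP_BOUND = ("checkid_setup", "checkid_immediate")  # browser -> OP, after an RP redirect
RP_BOUND = ("id_res", "cancel", "setup_needed")    # browser -> RP, after an OP redirect
OTHER = {"OP": "RP", "RP": "OP"}

def classify(url, body=""):
    """(openid.mode, role of the target host, host named as the other party)
    for an OpenID 2.0 front-channel message, else None."""
    p = {}
    for raw in (urlparse(url).query, body):       # query string, then form body
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            p[key] = values[0]
    mode = p.get("openid.mode")
    if mode in OP_BOUND:
        return mode, "OP", urlparse(p.get("openid.return_to", "")).hostname
    if mode in RP_BOUND:
        return mode, "RP", urlparse(p.get("openid.op_endpoint", "")).hostname
    return None

class ChartRecorder(object):             # arcs between the browser (None) and hosts
    def __init__(self):
        self.roles = {}   # host -> "OP" | "RP", learned from the messages themselves
        self.arcs = []    # (src_host, dst_host, mscgen arc type, label)

    def request(self, method, url, body=""):
        hit = classify(url, body)
        if hit is None:
            return False
        mode, role, peer = hit
        u = urlparse(url)
        self.roles.setdefault(u.hostname, role)
        if peer:                                  # return_to / op_endpoint names the other side
            self.roles.setdefault(peer, OTHER[role])
        self.arcs.append((None, u.hostname, "=>", "%s %s [%s]" % (method, u.path, mode)))
        return True

    def response(self, url, status, location=None):
        """A 3xx whose Location is an OpenID message is the RP<->OP hop via the browser."""
        hit = classify(location) if location and 300 <= status < 400 else None
        if hit is None:
            return False
        mode, role, _ = hit
        host = urlparse(url).hostname
        self.roles.setdefault(host, OTHER[role])  # heuristic: the redirector is the other party
        self.arcs.append((host, None, ">>", "%d redirect to %s [%s]" % (status, role, mode)))
        return True

    def to_mscgen(self):
        def name(host):
            return "Browser" if host is None else self.roles.get(host, host)
        names = ["Browser"]
        for src, dst, _, _ in self.arcs:
            names += [n for n in (name(src), name(dst)) if n not in names]
        out = ["msc {", '  hscale = "2";', "  " + ", ".join('"%s"' % n for n in names) + ";"]
        for src, dst, arc, label in self.arcs:
            out.append('  "%s" %s "%s" [label="%s"];' % (name(src), arc, name(dst), label))
        return "\n".join(out + ["}"])

class BurpExtender(IBurpExtender, IProxyListener):  # Burp glue: print chart source on change
    def registerExtenderCallbacks(self, callbacks):
        self._cb, self._h, self.recorder = callbacks, callbacks.getHelpers(), ChartRecorder()
        callbacks.setExtensionName("OpenID sequence chart")
        callbacks.registerProxyListener(self)

    def processProxyMessage(self, messageIsRequest, message):
        info = message.getMessageInfo()
        req = self._h.analyzeRequest(info)
        url = str(req.getUrl())
        if messageIsRequest:
            body = self._h.bytesToString(info.getRequest())[req.getBodyOffset():]
            changed = self.recorder.request(req.getMethod(), url, body)
        else:
            resp = self._h.analyzeResponse(info.getResponse())
            loc = [h.split(":", 1)[1].strip() for h in resp.getHeaders() if h.lower().startswith("location:")]
            changed = self.recorder.response(url, resp.getStatusCode(), loc[0] if loc else None)
        if changed:
            self._cb.printOutput(self.recorder.to_mscgen())

def demo():
    """Constructed OpenID 2.0 login (sample data), as the browser-side proxy sees it."""
    op_auth = "https://op.example/server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Frp.example%2Ffinish"
    rp_finish = "https://rp.example/finish?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fop.example%2Fserver"
    rec = ChartRecorder()
    rec.request("GET", "https://rp.example/login")          # ordinary page: ignored
    rec.response("https://rp.example/login", 302, op_auth)  # RP sends the browser to the OP
    rec.request("GET", op_auth)
    rec.response(op_auth, 302, rp_finish)                   # OP sends it back to the RP
    rec.request("GET", rp_finish)
    return rec
```

Load the file under Extender as a Python extension (Burp needs the Jython standalone jar configured), log in through the proxied browser, and paste the text from the extension's output tab into mscgen (`mscgen -T png -i chart.msc`); offline, `print(demo().to_mscgen())` produces a four-arc chart from the constructed login. Two caveats a practitioner should keep in mind: a browser-side proxy only sees the front channel, so direct RP-to-OP calls (associate, check_authentication, or a token endpoint in OpenID Connect) never appear unless the RP's outbound traffic is also routed through Burp; and the RP/OP labels come from a heuristic on return_to / op_endpoint, so an RP that hosts both roles, or a misbehaving provider, will need the role map adjusted by hand.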