Burp Suite User Forum


Depicting OpenID flow using a message sequence chart

l. | Last updated: Jun 07, 2019 11:07AM UTC

Dear Burp, as part of a research group we are investigating possible ways of visualizing the OpenID communication from a tool we developed. It was suggested for this purpose to use BURP for its proxy capabilities and the fact that it already can identify and filter exactly what we need. We have seen this page here https://portswigger.net/burp/extender#SampleExtensions where you have some examples, and our idea was to create an extension that would log only the traffic we required based on the OpenID communication of the Identity Provider and the Client and, based on that, to draw the communication as a chart. The goal is to use something similar to this http://www.mcternan.me.uk/mscgen/ which would allow us to visualize the communication. Could you please evaluate the difficulty of such an attempt? Perhaps suggest an alternative or suggest an optimal course of action? Any information you can share will be valuable. Thank you, L.V

PortSwigger Agent | Last updated: Jun 10, 2019 03:51PM UTC

This is an interesting project. Yes, you could use Burp to intercept communication between a browser and web server. An extension could hook the IProxyListener interface and record messages that match particular criteria. You could then display these however you like. If you are familiar with Java coding and web security, this would be moderately difficult. The main difficulty would be the visualization. Burp doesn't help you much with that; you'd need to do custom coding.
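As an added example (not code from the original thread or from PortSwigger), a minimal Java extension along the lines the reply describes: it hooks IProxyListener, keeps only requests that carry the standard OpenID Connect / OAuth 2.0 parameters (a heuristic of mine, not a Burp feature), and prints the flow seen so far as mscgen text to the extension's output tab. It assumes the Burp Extender API interfaces (package burp) are on the classpath.

```java
package burp;

import java.util.*;
// Added example (not PortSwigger's code): hooks IProxyListener, keeps only requests that carry
// OpenID Connect / OAuth 2.0 parameters, and renders the flow seen so far as mscgen text.
public class BurpExtender implements IBurpExtender, IProxyListener {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private final Set<String> entities = new LinkedHashSet<>(); // mscgen needs every entity declared
    private final List<String> arcs = new ArrayList<>();
    public void registerExtenderCallbacks(IBurpExtenderCallbacks cb) {
        callbacks = cb;
        helpers = cb.getHelpers();
        cb.setExtensionName("OpenID message sequence chart");
        cb.registerProxyListener(this);
        entities.add("\"Browser\"");
    }
    public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage msg) {
        if (!messageIsRequest) return;          // the parameters we key on live in requests
        IRequestInfo req = helpers.analyzeRequest(msg.getMessageInfo());
        String step = classify(req);
        if (step == null) return;               // not recognised as part of an OpenID flow
        String host = "\"" + msg.getMessageInfo().getHttpService().getHost() + "\"";
        entities.add(host);
        // On the proxy the browser is always the sender; the request's host is the receiver.
        arcs.add("  \"Browser\"->" + host + " [label=\"" + step + "\"];");
        callbacks.printOutput(render());
    }
    // Heuristic (assumption): classify a request by the standard OIDC/OAuth parameter names.
    static String classify(IRequestInfo req) {
        boolean openid = false, clientId = false, code = false, grant = false;
        for (IParameter p : req.getParameters()) {
            String n = p.getName(), v = p.getValue();
            openid   |= n.equals("scope") && v.contains("openid");
            clientId |= n.equals("client_id");
            code     |= n.equals("code");
            grant    |= n.equals("grant_type");
        }
        if (openid && clientId) return "Authorization request (scope=openid)";
        if (grant && code)      return "Token request (grant_type=..., code)";
        if (code)               return "Authorization response (code)";
        return null;
    }
    String render() {
        StringBuilder sb = new StringBuilder("msc {\n  " + String.join(", ", entities) + ";\n");
        for (String a : arcs) sb.append(a).append('\n');
        return sb.append("}\n").toString();
    }
}
```

The printed text can be pasted into mscgen as-is; responses and the IdP-to-client back-channel are not drawn here, so extend classify() if those matter for your chart.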
