SOAP Web Services Vulnerability Scanner/Methodology

[H1t M0nk3y]

Thanks MaXe,

But other than what we have listed earlier, what features would you like to see in this WS Scanner?

Guys, I am very serious about writing a tool for that...

[MaXe]

The ability to request ?wsdl from a URL where it isn't specified by default, form the XML request without redundant headers (e.g. the same header mentioned several times), interpreting WS-Security error messages and relaying them to the user saying e.g. "You need to specify a valid username and password", and when the basic request has been formed, the ability to fuzz each field, look at the response for both returned values and error messages and report that to the user :-)

In essence, creating a working XML request can sometimes be tricky with some clients where their ?wsdl specifies another endpoint than what you have been given, so the tool should also be able to use a hardcoded ?wsdl URL that does not change even if the ?wsdl says otherwise. The tool should accept sample requests provided by the user, which the user knows is working, bypassing the initial phase/process in the program of creating a working XML request that responds as it should.

Just some ideas and the most annoying issues I have come across when testing.

Oh yeah, the tool should be able to proxy as well, so it can go through Burp, etc.

I am mostly experiencing issues with a WSDL defining too much (useless) information and incorrect endpoints when I am testing a WSDL that has just been moved from one location to another (from production to development) where the WSDL hasn't been updated.

[hayabusa]

I am mostly experiencing issues with a WSDL defining too much (useless) information and incorrect endpoints when I am testing a WSDL that has just been moved from one location to another (from production to development) where the WSDL hasn't been updated.

++1 to the 'useless' data piece (and the rest, but definitely that)

[H1t M0nk3y]

Excellent MaXe, thanks a lot. I agree with all the required features. Thanks again!!

So I am "All In" now. I have started working on this project last weekend and at this point, I can send, receive and parse SOAP web services. Basic fuzzing will be the next step so in about a week from now, this part should be working.

I suspect that the Alpha version will be ready in March 2013. I will keep you guys posted! I will need knowledgeable testers... 

[ajohnson]

What are you writing this in (I seem to remember you working with Java)?

Have you thought about using Burp Extender? http://portswigger.net/burp/extender/

[H1t M0nk3y]

Yes, it's in Java.

As for the Burp Extender, I have an hard time working for free for a commercial tool (even if they have a community version)...

[tturner]

Yes, it's in Java.

As for the Burp Extender, I have an hard time working for free for a commercial tool (even if they have a community version)...

Which was why I mentioned ZAP