Introduction:-
WSDL (Web Services Description Language) files are XML-formatted descriptions of the operations a web service exposes between clients and servers. They contain the possible requests along with the parameters an application uses to communicate with the web service. This is great for penetration testers because we can test and manipulate web services using the information from WSDL files.
BurpSuite is one of the best tools for intercepting HTTP/HTTPS requests and responses. We can intercept SOAP web services directly in Burp.
General Format While Auditing/Testing a Web Service
1] Use SoapUI to parse the web service's WSDL file and generate all the SOAP requests supported by the web service inside the SoapUI tool itself. Then we can redirect the requests to Burpsuite or another proxy in order to modify them as in a typical web pentest.
2] Another option is to use the WSDL extension for Burpsuite (https://github.com/NetSPI/Wsdler) to import the WSDL and generate the SOAP requests in Burpsuite without using SoapUI.
So let's check how this second method works.
How the WSDL Burp plugin works :-
Burp takes the WSDL request, parses out the operations associated with the targeted web service, and creates SOAP requests that can then be sent to the web service.
The Wsdler plugin, along with all of its source, is located at the GitHub repository here: https://github.com/NetSPI/Wsdler.
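To make the parsing step concrete, here is an added example (my own illustration, not code from the Wsdler plugin) that does in miniature what the extension does: read a WSDL 1.1 document, pull out each operation with its input parameters, SOAPAction and endpoint, and build a SOAP request skeleton that could be pasted into Repeater. The WSDL is constructed inline and its namespace and endpoint are placeholders, not the globalweather service used later in the post.

```python
import xml.etree.ElementTree as ET
# Constructed, minimal WSDL 1.1 document (placeholder namespace/endpoint, not a real service)
WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:tns="http://example.invalid/weather" targetNamespace="http://example.invalid/weather">
  <message name="GetWeatherIn"><part name="CityName" type="xs:string"/>
    <part name="CountryName" type="xs:string"/></message>
  <message name="GetWeatherOut"><part name="GetWeatherResult" type="xs:string"/></message>
  <portType name="WeatherPort"><operation name="GetWeather">
    <input message="tns:GetWeatherIn"/><output message="tns:GetWeatherOut"/></operation></portType>
  <binding name="WeatherSoap" type="tns:WeatherPort">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetWeather"><soap:operation soapAction="http://example.invalid/weather/GetWeather"/></operation>
  </binding>
  <service name="Weather"><port name="WeatherSoap" binding="tns:WeatherSoap">
    <soap:address location="http://example.invalid/weather.asmx"/></port></service>
</definitions>"""

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/", "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}
SAMPLE = {"xs:string": "string", "xs:int": "0", "xs:boolean": "false"}  # placeholder values per XSD type

def parse_wsdl(text):
    """Return one dict per portType operation: name, params, SOAPAction, endpoint, namespace."""
    # A WSDL served by a target is untrusted input; ElementTree does not resolve external entities.
    root = ET.fromstring(text)
    # message name -> [(part name, type)]
    messages = {m.get("name"): [(p.get("name"), p.get("type")) for p in m.findall("wsdl:part", NS)]
                for m in root.findall("wsdl:message", NS)}
    # operation name -> SOAPAction header value, taken from the binding section
    actions = {op.get("name"): op.find("soap:operation", NS).get("soapAction", "")
               for op in root.findall("wsdl:binding/wsdl:operation", NS)
               if op.find("soap:operation", NS) is not None}
    addr = root.find("wsdl:service/wsdl:port/soap:address", NS)
    ops = []
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        msg = op.find("wsdl:input", NS).get("message").split(":")[-1]  # drop the tns: prefix
        ops.append({"name": op.get("name"), "params": messages.get(msg, []),
                    "soap_action": actions.get(op.get("name"), ""),
                    "endpoint": addr.get("location") if addr is not None else "",
                    "namespace": root.get("targetNamespace", "")})
    return ops

def build_soap_request(op):
    """Build the SOAP 1.1 envelope skeleton for one operation, with placeholder parameter values."""
    body = "".join(f"<{n}>{SAMPLE.get(t, '?')}</{n}>" for n, t in op["params"])
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            f'<{op["name"]} xmlns="{op["namespace"]}">{body}</{op["name"]}></soap:Body></soap:Envelope>')

if __name__ == "__main__":
    for op in parse_wsdl(WSDL):
        print(f'POST {op["endpoint"]}  SOAPAction: "{op["soap_action"]}"')
        print(build_soap_request(op))
```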
Requirements:-
1] BurpSuite
2] Wsdler Parser extension for Burp
Step-by-step process to install Wsdler in your Burp and how to use it:-
Step 1 :- In Burp, navigate to the Extender tab and then go to the BApp Store.
For testing purposes we can use the WSDL below:-
http://www.webservicex.com/globalweather.asmx?wsdl
Step 4:- Once the WSDL URL has been intercepted, right-click on the request and select the Parse WSDL option.
2 comments
Thanks! :) Helpful article
Welcome :-)