Auditing SOAP Web Services with Burpsuite without using SoapUI




Yes, you heard it right! We can audit SOAP web services without using SoapUI.

Introduction:- 

WSDL (Web Services Description Language) files are XML documents that describe the operations a web service exposes to its clients. They list every operation, the parameters each one takes, the SOAPAction it expects and the endpoint URL to post to. This is great for penetration testers because the WSDL alone is enough to construct and manipulate every request the service understands, even when no client application is available.

Burp Suite is one of the best tools for intercepting HTTP/HTTPS requests and responses. SOAP traffic is just an HTTP POST carrying an XML envelope, so once the requests are generated, Burp can intercept and modify SOAP web service calls directly, like any other web request.

General Format While Auditing/Testing WebService 

1] Use SoapUI to parse the web service's WSDL file and generate all the SOAP requests the service supports inside SoapUI itself. Then point SoapUI at Burp Suite (or another proxy) so the requests can be modified as in a typical web pentest.

2] Another option is to use the Wsdler extension for Burp Suite (https://github.com/NetSPI/Wsdler) to import the WSDL and generate the SOAP requests inside Burp, without using SoapUI at all.

So let's check how this second method works. 

How the Wsdler burp plugin works :-

Wsdler takes the captured WSDL document (the response to the WSDL URL), parses out the operations that are associated with the targeted web service, and creates one SOAP request template per operation, with the correct endpoint, SOAPAction header and body element. Those requests can then be sent to Repeater or Intruder and on to the web service. The parameter values are left as placeholders, so you fill them in (or fuzz them) yourself.
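To make the parsing step concrete, here is an added example (not the Wsdler extension's own code) that does in plain Python what the plugin does inside Burp: read a WSDL, walk schema -> message -> portType -> binding -> service, and emit one raw HTTP/SOAP 1.1 request per operation. SAMPLE_WSDL is a constructed, trimmed WSDL modelled on the GlobalWeather service's two operations (GetWeather and GetCitiesByCountry); the "?" placeholders and the exact request layout are assumptions for illustration.

```python
"""Build one SOAP 1.1 request template per WSDL operation, as Wsdler does.

Added example, not the Wsdler extension's code. SAMPLE_WSDL is a constructed,
trimmed WSDL modelled on the GlobalWeather service; "?" placeholders and the
request layout are assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "xs": "http://www.w3.org/2001/XMLSchema",
}

SAMPLE_WSDL = """<wsdl:definitions targetNamespace="http://www.webserviceX.NET"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://www.webserviceX.NET">
  <wsdl:types>
    <s:schema elementFormDefault="qualified" targetNamespace="http://www.webserviceX.NET">
      <s:element name="GetWeather"><s:complexType><s:sequence>
        <s:element name="CityName" type="s:string"/>
        <s:element name="CountryName" type="s:string"/>
      </s:sequence></s:complexType></s:element>
      <s:element name="GetCitiesByCountry"><s:complexType><s:sequence>
        <s:element name="CountryName" type="s:string"/>
      </s:sequence></s:complexType></s:element>
    </s:schema>
  </wsdl:types>
  <wsdl:message name="GetWeatherSoapIn"><wsdl:part name="parameters" element="tns:GetWeather"/></wsdl:message>
  <wsdl:message name="GetCitiesByCountrySoapIn"><wsdl:part name="parameters" element="tns:GetCitiesByCountry"/></wsdl:message>
  <wsdl:portType name="GlobalWeatherSoap">
    <wsdl:operation name="GetWeather"><wsdl:input message="tns:GetWeatherSoapIn"/></wsdl:operation>
    <wsdl:operation name="GetCitiesByCountry"><wsdl:input message="tns:GetCitiesByCountrySoapIn"/></wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="GlobalWeatherSoap" type="tns:GlobalWeatherSoap">
    <wsdl:operation name="GetWeather"><soap:operation soapAction="http://www.webserviceX.NET/GetWeather"/></wsdl:operation>
    <wsdl:operation name="GetCitiesByCountry"><soap:operation soapAction="http://www.webserviceX.NET/GetCitiesByCountry"/></wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="GlobalWeather"><wsdl:port name="GlobalWeatherSoap" binding="tns:GlobalWeatherSoap">
    <soap:address location="http://www.webservicex.com/globalweather.asmx"/>
  </wsdl:port></wsdl:service>
</wsdl:definitions>"""


def parse_wsdl(wsdl_xml):
    """Return (targetNamespace, endpoint URL, {operation: {element, params, soapAction}})."""
    root = ET.fromstring(wsdl_xml)
    tns = root.get("targetNamespace")
    # Schema: request element name -> ordered list of its child parameter names
    params = {}
    for el in root.findall("wsdl:types/xs:schema/xs:element", NS):
        params[el.get("name")] = [c.get("name") for c in el.findall(".//xs:element", NS)]
    # Messages: message name -> request element name (the "tns:" prefix is stripped)
    messages = {}
    for msg in root.findall("wsdl:message", NS):
        messages[msg.get("name")] = msg.find("wsdl:part", NS).get("element").split(":")[-1]
    # portType: operation -> its input element and that element's parameters
    ops = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        element = messages[op.find("wsdl:input", NS).get("message").split(":")[-1]]
        ops[op.get("name")] = {"element": element, "params": params.get(element, []), "soapAction": ""}
    # Binding: the SOAPAction header value each operation expects
    for op in root.findall("wsdl:binding/wsdl:operation", NS):
        sop = op.find("soap:operation", NS)
        if sop is not None and op.get("name") in ops:
            ops[op.get("name")]["soapAction"] = sop.get("soapAction", "")
    endpoint = root.find("wsdl:service/wsdl:port/soap:address", NS).get("location")
    return tns, endpoint, ops


def build_requests(wsdl_xml):
    """Return {operation: raw HTTP request text} that can be pasted into Burp Repeater."""
    tns, endpoint, ops = parse_wsdl(wsdl_xml)
    url = urlparse(endpoint)
    requests = {}
    for name, op in ops.items():
        fields = "".join(f"      <{p}>?</{p}>\n" for p in op["params"])  # "?" = value to supply
        envelope = (
            '<?xml version="1.0" encoding="utf-8"?>\n'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
            "  <soap:Body>\n"
            f'    <{op["element"]} xmlns="{tns}">\n'
            f"{fields}"
            f'    </{op["element"]}>\n'
            "  </soap:Body>\n"
            "</soap:Envelope>"
        )
        requests[name] = (
            f"POST {url.path} HTTP/1.1\r\n"
            f"Host: {url.netloc}\r\n"
            "Content-Type: text/xml; charset=utf-8\r\n"
            f'SOAPAction: "{op["soapAction"]}"\r\n'
            f"Content-Length: {len(envelope.encode())}\r\n"
            "\r\n" + envelope
        )
    return requests


if __name__ == "__main__":
    for name, raw in build_requests(SAMPLE_WSDL).items():
        print(f"=== {name} ===\n{raw}\n")
```

Running the script prints two ready-to-send requests. Each `?` is a parameter Wsdler would likewise leave for you to fill in, and it is exactly those positions (plus the SOAPAction header and the element names themselves) that you would hand to Intruder.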

The Wsdler plugin, along with all of its source, is located at the GitHub repository here: https://github.com/NetSPI/Wsdler.

Requirement :- 

1] Burp Suite
2] Wsdler extension for Burp (available from the BApp Store)


Step by step process to install Wsdler in your Burp and how to use it:-


Step 1:- In Burp, navigate to the Extender tab and then go to the BApp Store.




Step 2:- Select the Wsdler extension in the BApp Store and install it, as shown in the screenshot below.



The screenshot below shows that the Wsdler extension has been successfully installed in Burp Suite.




Step 3:- Capturing the WSDL

Browse to the WSDL URL with your browser proxied through Burp, so that both the request and its response (the WSDL document itself) land in the Proxy HTTP history. Wsdler parses the response, so the request must be forwarded and the WSDL fully downloaded, not just intercepted and held. For testing purposes we can use the WSDL below:-
http://www.webservicex.com/globalweather.asmx?wsdl



Step 4:- Once the WSDL request and response are in the Proxy history, right click on the request and select the Parse WSDL option.






Step 5:- The Wsdler tab will populate with one SOAP request per operation found in the WSDL, each with the endpoint, SOAPAction header and body element already filled in. Replace the parameter placeholders with real values, then send the request to Repeater or Intruder from the Wsdler tab.




Now you are all good to go and can test the SOAP web service's operations from Burp Suite, exactly as you would test any other HTTP request.




I hope this article will be a valuable addition to your SOAP web service testing methodology.
