Web Service Testing Made Easy: autowsdl

Web service testing is a critical process in identifying vulnerabilities within service-oriented architectures (SOA) and ensuring their robustness against potential threats. Traditionally, manual testing involves a detailed methodology, which can be both time-consuming and error-prone. To streamline this process, we’ve adopted an approach that blends automation with manual oversight to effectively test for vulnerabilities in web services.

Standard Methodology for Web Service Testing

When testing web services, our approach generally involves three key steps:

  1. Importing WSDL into SOAP UI: Initially, we load the Web Services Description Language (WSDL) link into SOAP UI, which generates a request structure that can interact with the web service. This request is routed through a proxy (like Burp Suite), which allows us to intercept and analyze the traffic.
  2. Automated Testing via Burp Suite: Once the request structure is in place, we run an automated test using Burp Suite’s Active Scan feature. This tool captures the traffic between SOAP UI and the web service, checking for security flaws such as SQL injection, command injection, and more.
  3. Manual Parameter Analysis: Even with automation, manual inspection remains crucial. After running the Active Scan, we manually inspect the service’s parameters, headers, and responses for vulnerabilities that automated scanners might miss, such as custom logic flaws or subtle security misconfigurations.

The Challenges of Manual Web Service Testing

While this methodology works well for small-scale testing, it can become a logistical challenge when dealing with multiple web services. For example, testing 200 WSDLs in SOAP UI can lead to excessive manual work, potentially overwhelming system resources. The repetitive process of importing each WSDL, setting up the requests, and conducting the tests is both tedious and time-consuming.

In such cases, testing for a large number of web services can significantly slow down the process, placing a heavy load on both the system and the tester. To overcome this bottleneck, I sought to automate the most resource-intensive steps, particularly the first two items in our methodology: importing the WSDL and running the initial tests.

Automating the Process: autowsdl

To address the inefficiencies, I developed a tool called autowsdl, designed to automate the first two steps of our testing methodology. With autowsdl, the tedious process of importing WSDLs and generating request structures is handled automatically. This tool can automatically import URLs, request files, and authentication details, sending these requests through a proxy for Burp Suite’s automated testing process.

By using autowsdl, testers no longer need to manually import each WSDL into SOAP UI, which not only saves time but also reduces the risk of system overload. Now, testers can handle large-scale web service tests efficiently, even when dealing with hundreds of WSDLs simultaneously.

Vulnerabilities Addressed by autowsdl

Autowsdl specifically targets key vulnerabilities that are common in web services. The tool focuses on detecting:

  • TLS Unsupported: It checks if the web service is not enforcing secure communication, potentially exposing sensitive data to attackers.
  • Missing Authorization: It identifies services that allow unauthorized access to protected resources, making them vulnerable to privilege escalation or data theft.
  • XML External Entity (XXE): This vulnerability occurs when the web service processes malicious XML input that allows attackers to access sensitive internal files or execute commands on the server.

By automating the detection of these vulnerabilities, autowsdl significantly improves the efficiency and thoroughness of web service testing, enabling testers to focus on more complex and subtle security issues.
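The following script is an added example, not autowsdl's own code, and covers both the first two steps of the methodology above (read a WSDL, build a request per operation, send it through a proxy) and the first two checks in the list (TLS unsupported, missing authorization). The sample WSDL, the service and operation names, and the `demo_transport` stand-in for the network are constructed for the example; `http_transport` is the real urllib-based sender and takes the same `host:port` proxy form the tool uses.

```python
"""Parse a WSDL, build one SOAP request per operation, replay each through a
proxy, and flag plain-HTTP endpoints and operations reachable without
credentials. Added example; not autowsdl's own code."""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Any, Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

# Constructed sample WSDL (hypothetical service): two operations, plain-HTTP endpoint.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="Account" targetNamespace="urn:example:account"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <binding name="AccountBinding" type="AccountPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance"><soap:operation soapAction="urn:GetBalance"/></operation>
    <operation name="Transfer"><soap:operation soapAction="urn:Transfer"/></operation>
  </binding>
  <service name="AccountService">
    <port name="AccountPort" binding="AccountBinding">
      <soap:address location="http://account.example.invalid/soap"/>
    </port>
  </service>
</definitions>"""

# A transport takes (url, body, headers) and returns the HTTP status code.
Transport = Callable[[str, bytes, Dict[str, str]], int]


def parse_wsdl(text: str) -> Dict[str, Any]:
    """Extract what a scanner needs: endpoint, target namespace and the
    operation/SOAPAction pairs advertised by the binding."""
    root = ET.fromstring(text)
    address = root.find("wsdl:service/wsdl:port/soap:address", NS)
    ops: List[Tuple[str, str]] = []
    for op in root.findall("wsdl:binding/wsdl:operation", NS):
        soap_op = op.find("soap:operation", NS)
        action = soap_op.get("soapAction", "") if soap_op is not None else ""
        ops.append((op.get("name", ""), action))
    return {
        "location": address.get("location", "") if address is not None else "",
        "namespace": root.get("targetNamespace", ""),
        "operations": ops,
    }


def build_envelope(operation: str, namespace: str) -> bytes:
    """Minimal document-style request body for one operation (no parameters)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<soapenv:Body><ns:{operation} xmlns:ns="{namespace}"/></soapenv:Body>'
        "</soapenv:Envelope>"
    ).encode("utf-8")


def basic_auth_header(user_pass: str) -> Dict[str, str]:
    """'user:pass' (the -ba form) -> Authorization header."""
    token = base64.b64encode(user_pass.encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def http_transport(proxy: Optional[str] = None) -> Transport:
    """Real transport via urllib; `proxy` is 'host:port' as for -p and is
    applied to both http and https so the intercepting proxy sees everything."""
    handlers = []
    if proxy:
        proxy_url = proxy if "://" in proxy else "http://" + proxy
        handlers.append(urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))
    opener = urllib.request.build_opener(*handlers)

    def send(url: str, body: bytes, headers: Dict[str, str]) -> int:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with opener.open(req, timeout=15) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send


def check_transport(location: str) -> List[str]:
    """TLS unsupported: the WSDL advertises a non-https endpoint."""
    if urlparse(location).scheme.lower() != "https":
        return [f"TLS unsupported: endpoint {location} is advertised without TLS"]
    return []


def check_authorization(info: Dict[str, Any], auth_headers: Dict[str, str],
                        send: Transport, success_codes=(200, 201)) -> List[str]:
    """Missing authorization: replay each operation with and then without the
    credentials; a success code on the unauthenticated replay is reported for triage."""
    findings = []
    for op, action in info["operations"]:
        body = build_envelope(op, info["namespace"])
        headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": f'"{action}"'}
        with_auth = send(info["location"], body, {**headers, **auth_headers})
        without_auth = send(info["location"], body, headers)
        if without_auth in success_codes:
            findings.append(f"Missing authorization: {op} returned {without_auth} "
                            f"without credentials (with credentials: {with_auth})")
    return findings


def run_checks(wsdl_text: str, auth_headers: Dict[str, str], send: Transport) -> List[str]:
    info = parse_wsdl(wsdl_text)
    return check_transport(info["location"]) + check_authorization(info, auth_headers, send)


def demo_transport(url: str, body: bytes, headers: Dict[str, str]) -> int:
    """Constructed stand-in for the network: GetBalance enforces credentials, Transfer does not."""
    if b"GetBalance" in body and "Authorization" not in headers:
        return 401
    return 200


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_WSDL, basic_auth_header("user:pass"), demo_transport):
        print(finding)
    # Live run: run_checks(wsdl_text, basic_auth_header("user:pass"), http_transport("127.0.0.1:8080"))
```

The transport is injected so the same check logic runs against a recorded or simulated backend in a test and against a real service (through the proxy) in an engagement; an unauthenticated success is reported rather than asserted as a vulnerability, because an operation may be intentionally public and needs the manual review the methodology's third step describes.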

Installation

git clone https://github.com/0xdak/autowsdl
cd autowsdl
pip3 install -r requirements.txt
python3 setup.py install

Usage

$ autowsdl -u

or

$ autowsdl --from-json

  • -u / --url: target URL
  • -fj / --from-json: run multiple tests from a JSON file without typing the parameters for each one
  • -r / --request_file: request file path
  • -H / --header: headers to send, such as Cookie
  • -ba / --basic-auth: basic authentication credentials, separated as user:pass
  • -m / --method: HTTP method, default is GET
  • -p / --proxy: proxy address; enables it for both http and https
  • -sc / --success-codes: success codes, default [200, 201]
  • -d / --debug: debug/verbose mode, prints verbose messages

To test a single URL, pass the parameters on the command line (or supply them in a JSON file):

autowsdl -u <target> \
    -r <request_file> \
    -H "Cookie:X,Authorization:Y" \
    -m "POST" \
    -p 127.0.0.1:8080 \
    -sc 200,201 \
    --debug

To test multiple URLs, pass a JSON file:

autowsdl --from-json wsdls.json

The JSON file format has to be like below:

[
  {
    "url": "http://target1.com",
    "method": "GET",
    "headers": "Authorization: Basic qMjwmkokfqis==",
    "proxy": "127.0.0.1:8080",
    "status_codes": ""
  },
  {
    "url": "http://target2.com",
    "request_file": "request_file_path.xml",
    "method": "POST",
    "basic_auth": "user:pass",
    "headers": "",
    "proxy": "",
    "status_codes": ""
  }
]
This post is licensed under CC BY 4.0 by the author.