WSBang – Python Based SOAP Services Testing Tool

Use Netsparker


WSBang is designed to be a lightweight, open source fuzzer for web services. It takes as input the URL or file system location of a WSDL for the web service to be tested. Upon completion, a simple HTML view of the test results will be displayed.

Method parameters are fuzzed based on their type as specified by the WSDL. The data used for each type can be specified in the “DataDef.xml” file supplied. In addition, default arguments for parameters can be specified in the same file in the Argument definitions.

  • Takes URL of WSDL as input
  • Fuzzes all methods and parameters in the service
  • Identifies all methods and parameters, including complex parameters
  • Fuzzes parameters based on type specified in WSDL
  • Reports SOAP responses and faults

Prerequisites:
SOAPpy version 0.11.6.

Use:
WSBang.py [URL of WSDL]

Files included:
WSBang.py – The main execution code for WSBang.
Fuzzer.py – Classes that support WS analysis and the fuzz engine.
DataProvider.py – Classes that provide fuzz data and default arguments.

You can download WSBang here:

WSBang.zip
WSBang.tar.gz

Or you can read more here.

Posted in: Hacking Tools, Secure Coding, Web Hacking

, , ,


Latest Posts:


testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.


8 Responses to WSBang – Python Based SOAP Services Testing Tool

  1. dre November 6, 2007 at 5:21 pm #

    WSBang and the iSecPartners’ tools are nice.

    Most recently, I have been using SOAPSonar Enterprise from Crosscheck Networks because of its inclusion of a very nice vulnerability assessment engine, as well as support for almost everything related to web services. The Personal Edition is also downloadable for free.

    For general XML fuzzing – check out untidy. Another tool worth mentioning is wsScanner from BlueInfy, whose creator – Shreeraj Shah – wrote the book on Hacking Web Services

  2. dirty November 6, 2007 at 6:07 pm #

    havent got a chance to test this out but seems interesting…btw…the isec website has a lot of free python based tools available.

    the author, Andres Riancho, of untidy also wrote w3af (http://w3af.sourceforge.net/)
    w3af is a Web application attack and Audit Framework. The project goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.

  3. Darknet November 7, 2007 at 6:17 am #

    dre: Yeah they have some pretty cool Python based stuff, I have a draft on untidy which is pretty useful – I haven’t really checked out an of the others yet. Will look at wsScanner.

    dirty: We have written about w3af before :)

  4. dirty November 7, 2007 at 8:58 pm #

    darknet
    sorry, sometimes i forget where i have read about something (w3af). BTW a new version (Beta5) is out since the last time darknet reported on it…..

  5. fazed November 8, 2007 at 1:22 am #

    nice tool, w3af is good. :)
    I don’t usually do anything with SOAP.

  6. dirty November 8, 2007 at 4:05 pm #

    fazed:
    I know what you mean about SOAP. Never get a chance to do anything with it, customers not using it.

  7. CG November 15, 2007 at 4:11 am #

    Does anyone know of any good test sites for SOAP/WSDL or have some instructions on building one. that’s really the big issue with all these cool SOAP fuzzers and auditing tools that there arent too many places running running apps you can play with.

    guess i need to get off my butt and build one…

  8. Saam Choy January 19, 2008 at 8:56 pm #

    All of the tools mentioned are pretty good but really dont address SOAP security testing in its entirety. That is why many tools must be combined with solid manual testing. Also check out OWASP’s WSFuzzer as it does nasty testing against SOAP services. Their XML Fuzz Generator class is pretty interesting and worth analyzing. That neurofuzz team also has text web services on their site. xmethods also has tons of free services you can mess with.