
Category:OWASP WSFuzzer Project

Revision as of 00:56, 6 April 2007 by Aandreu (talk | contribs) (Goals)


Overview

WSFuzzer is a GPL'd program, written in Python, that currently targets Web Services. In the current version, HTTP-based SOAP services are the main target. This tool was created based on, and to automate, some real-world manual SOAP pen testing work. This tool is NOT meant to be a replacement for solid manual human analysis. Please view WSFuzzer as a tool to augment analysis performed by competent and knowledgeable professionals. Web Services are not trivial in nature, so expertise in this area is a must for proper pen testing.

Goals

It is not the goal of WSFuzzer to replace human analysis. As a matter of fact, WSFuzzer does not currently do any analysis of the results gathered. The job of analysis is left to the analyst/engineer running a given pen test.

This tool is meant to augment a pen tester's job with respect to SOAP services, and the intent is to automate some of the more intense fuzzing processes that would be quite time-consuming if performed manually. Hence the main goal is to be part of a solid pen testing toolkit.

Check out a video of WSFuzzer in action @ http://www.neurofuzz.com/modules/software/vidz.php

Download

Get the tarball from SourceForge: http://sourceforge.net/project/showfiles.php?group_id=155697

Features

   * Pen tests an HTTP SOAP web service based on either valid WSDL or a valid endpoint & namespace.
   * It can try to intelligently detect WSDL for a given target.
   * Includes a simple TCP port scanner.
   * WSFuzzer has the ability to fuzz methods with multiple parameters. There are 2 modes of attack/fuzzing: "individual" and "simultaneous". In individual mode, each parameter is handled as a unique entity and can either be attacked or left alone. In simultaneous mode, multiple parameters are attacked simultaneously (hence the name) with a given data set.
   * The fuzz generation (attack strings) consists of a combination of a dictionary file, some optional dynamic large injection patterns, and some optional method-specific attacks, including automated XXE and WSSE attack generation.
   * The tool also provides the option of using some IDS evasion techniques, which makes for a powerful security infrastructure (IDS/IPS) testing experience.
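
The two fuzzing modes from the feature list, sketched as an added example (this is not WSFuzzer's own code). It assumes individual mode varies each selected parameter on its own while the others keep a default value, and it uses a hypothetical getRecord method with id and name parameters plus constructed, harmless boundary strings in place of a dictionary file.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed, harmless boundary values standing in for a dictionary file.
TEST_STRINGS = ["", "A" * 64, "-1", "<b>&"]


def individual_cases(defaults, selected, strings):
    """Individual mode: each selected parameter is varied on its own;
    every parameter left alone keeps its known-good default."""
    return [{**defaults, name: s} for name in selected for s in strings]


def simultaneous_cases(defaults, strings):
    """Simultaneous mode: all parameters carry the same string at once."""
    return [{name: s for name in defaults} for s in strings]


def soap_envelope(namespace, method, params):
    """Serialise one test case as a SOAP 1.1 envelope. Values are escaped
    so the envelope stays well-formed and the string arrives as data."""
    body = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in params.items())
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
        f"<m:{method} xmlns:m={quoteattr(namespace)}>{body}</m:{method}>"
        "</soap:Body></soap:Envelope>"
    )


def read_param(envelope, name):
    """Parse the envelope back and return the text of one parameter."""
    node = next(ET.fromstring(envelope).iter(name))
    return node.text or ""


if __name__ == "__main__":
    defaults = {"id": "1", "name": "bob"}  # hypothetical method parameters
    plan = individual_cases(defaults, ["id"], TEST_STRINGS)
    plan += simultaneous_cases(defaults, TEST_STRINGS)
    for case in plan:
        env = soap_envelope("urn:querySOAP", "getRecord", case)
        print(case, len(env))
```

For the same data set, individual mode produces one request per selected parameter per string, while simultaneous mode produces one request per string, which is why the two plans differ in size and in which server-side code paths they reach.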

Command line usage

Usage: python WSFuzzer.py [-w wsdl_url | -e endpoint -n namespace | -h host | --bauser username --bapass password | --keyfile keyfile --certfile certfile ]

-w WSDL_URL -- A FQDN WSDL URL - i.e. http://host/service/service.asmx?wsdl
Example: python WSFuzzer.py -w http://host/service/service.asmx?wsdl

-e endpoint -n namespace -- -e and -n are used together
-e is the web service endpoint -- i.e. WSDL URL
-n is the web service namespace -- i.e. URI
When using -e and -n you will have to manually establish the method to be attacked
Example: python WSFuzzer.py -e "http://host/service/service.asmx" -n "urn:querySOAP"

-h host -- A URL of the target host. This option will do some digging into the target URL: it will scrape for anything WSDL or DISCO related and construct a list of verified WSDL URLs
Example: python WSFuzzer.py -h http://host

--bauser username --bapass password -- these 2 optional arguments are used together whenever HTTP Basic Auth needs to be used
--bauser is a Basic Auth username
--bapass is a Basic Auth password to be used with the "bauser" username

--keyfile keyfile --certfile certfile -- these 2 optional arguments are used together whenever client-side certs need to be used
--keyfile is the PEM formatted file that contains the respective private key to be used
--certfile is the PEM formatted file that contains the X.509 certificate to be used with the "keyfile"


See further details at: http://www.neurofuzz.com/modules/software/wsfuzzer.php

Future Development

   * More types of dynamic and intelligent XML content based attacks
   * Exposing the functionality as a service (most likely via SOAP)
   * Further development of attack vectors for:
      o WS-Security
      o SAML
      o XML Security (Digital Signatures, XML Encryption, etc.)
   * Different results output formats (possibly AVDL, NBE, etc.)
   * Basic-Auth brute forcing
   * Support for XML-RPC targets also

News

 OWASP WSFuzzer Project Created! - 10:36, 23 October 2006 (EDT)

The Open Web Application Security Project is proud to announce the creation of the OWASP WSFuzzer Project!

Feedback and Participation

We hope you find the OWASP WSFuzzer Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to [email protected]. To join the OWASP WSFuzzer Project mailing list or view the archives, please visit the subscription page.

WSFuzzer is a labor of love that is intended to benefit all of us in the application security field. It is entirely open source, and to keep this tool a useful player in a pen tester's toolkit the project can use help in the areas of:

   * Python coding
   * regular testing of the tool
   * web services security expertise

If one person has even 2 of these 3 qualifications then that person would be an ideal addition to this project. If you are interested drop a note to wsfuzzer [at] neurofuzz dot com.

Project Contributors

WSFuzzer is managed by Andres Andreu <andres [at] neurofuzz dot com>

Project Sponsors

TBD
