WSFuzzer

This tool was created based on, and to automate, some of the manual SOAP pen testing work we perform.

Features of WSFuzzer:

  • Attacks a web service based on either valid WSDL or a valid endpoint & namespace, or it can try to intelligently detect WSDL for a given target.
  • It gives you the ability to handle methods with multiple parameters. Each parameter is handled as a unique entity and can either be attacked or left alone. As of version 1.8.1 this was taken one step further: there are now 2 modes of attacking parameters. The traditional mode is unchanged and is now called “individual” mode because each parameter is fuzzed individually. The new mode is “simultaneous” and attacks multiple parameters simultaneously with a given data set.
  • The fuzz generation (attack strings) consists of a combination of a dictionary file, some optional dynamic large injection patterns, and some optional method-specific attacks, including automated XXE and WSSE attack generation.
  • The tool provides the option of using some IDS evasion techniques, which makes for a powerful security infrastructure (IDS/IPS) testing experience.

Demonstration available at: http://www.neurofuzz.com/modules/software/vidz.php

WSDigger

WSDigger is a web services testing framework. WSDigger contains sample attack plug-ins for SQL injection, cross site scripting and XPATH injection attacks. A web service vulnerable to XPATH injection is provided as an example with the tool. By releasing the framework as an open-source tool, users are encouraged to develop and share their own plug-ins.