WSFuzzer

http://www.neurofuzz.com/modules/software/wsfuzzer.php

/*
WSFuzzer is only to be used on targets that have given you permission to pen test their web services and applications.
Use it at your own risk.
*/

WSFuzzer is a GPL'd program, written in Python, and it is also
OSI Certified Open Source Software

The program currently targets Web Services; in the current version HTTP-based SOAP services are the only supported targets. This tool was created based on, and to automate, some of the manual SOAP pen testing work we perform. It is NOT meant to be a replacement for solid manual human analysis; as a matter of fact we are conceptually against that. Please view WSFuzzer as a tool to augment analysis performed by competent and knowledgeable professionals. Web Services are not trivial in nature, so expertise in this area is a must for proper pen testing.

In talking to users of the program it has come to my attention that a note must be made about the results generated from a WSFuzzer run. Be advised that WSFuzzer does not currently do any analysis of the results gathered; that job is yours as the analyst/engineer running the program during a pen test.

Some of the features of WSFuzzer are:

‡ Attacks a web service based on either valid WSDL, a valid endpoint & namespace, or it can try to intelligently detect WSDL for a given target. As of version 1.6 WSFuzzer includes a simple TCP port scanner.
‡ It gives you the ability to handle methods with multiple parameters. Each parameter is handled as a unique entity and can either be attacked or left alone. As of version 1.8.1 this was taken one step further, there are now 2 modes of attacking parameters. The traditional mode is unchanged and is now called "individual" mode due to the fact that each param is fuzzed individually. The new mode is "simultaneous" and attacks multiple parameters simultaneously with a given data set. See the usage examples below for more info.
‡ The fuzz generation (attack strings) consists of a combination of a dictionary file, some optional dynamic large injection patterns, and some optional method specific attacks including automated XXE and WSSE attack generation.
‡ The tool provides the option of using some IDS Evasion techniques which makes for a powerful security infrastructure (IDS/IPS) testing experience.
‡ A time measurement of each round trip between request and response is now provided to aid in results analysis.

 

WSFuzzer is a dangerous tool, so be forewarned: you can easily bring down your target if it is susceptible to any of the attack vectors generated and sent in. You can see it in action with a simple SQL Injection example here.

Original engineering team (Authors):

Andres Andreu <andres [at] neurofuzz dot com>
Cosmin Banciu <ccbanciu [at] gmail dot com>
David Shu <ydpanda [at] gmail dot com>

Current team/Author:

Andres Andreu <andres [at] neurofuzz dot com>

WSFuzzer is a labor of love that is intended to benefit all of us in this application security field. It is entirely open source, and to keep this tool a useful player in a pen tester's toolkit I am looking for help in the areas of:

  • Python coding
  • regular testing of the tool
  • web services security expertise.

If one person has even 2 of these 3 qualifications then that person would be an ideal addition to this project. Let me know if you are interested at wsfuzzer [at] neurofuzz dot com.

 

Requirements

WSFuzzer requires the following for it to run:

  • A working version of Python (2.4.X is the last tested version for this program)
  • A working version of SOAPpy (http://sourceforge.net/project/showfiles.php?group_id=26590&package_id=1...)
  • A working version of PyXML (http://pyxml.sourceforge.net/)
  • A working version of ElementTree (http://effbot.org/zone/element-index.htm) ** This is not necessary for versions 1.9 and later
  • A working version of minidom

    The program has successfully been used in Linux, Mac OSX, and Windows (using ActiveState Python) based environments. If you successfully use it on some other platform let us know via wsfuzzer [at] neurofuzz dot com.

    Usage

    The usage statement from the prog itself is:

    Running WSFuzzer 1.9, the latest version

    Usage: WSFuzzer.py [-w wsdl_url | -e endpoint -n namespace | --xml | -h host | --bauser username --bapass password | --keyfile keyfile --certfile certfile ]

    -w WSDL_URL -- A FQDN WSDL URL - i.e. http://host/service/service.asmx?wsdl

    -e endpoint -n namespace -- -e and -n are used together
    -e is the web service endpoint, i.e. the URL the SOAP requests are POSTed to
    (for example http://target/service/service.asmx, without a ?wsdl suffix)
    -n is the web service namespace, i.e. the target namespace URI
    When using -e and -n there is no WSDL to enumerate methods and parameters
    from, so you will have to manually establish the method to be attacked

    --xml --- A text file of the XML payload to be used against the target

    -h host -- A URL of the target host. This option will do some digging into
    the target URL: it scrapes for anything WSDL or DISCO related and constructs
    a list of verified WSDL URLs

    --bauser username --bapass password --- these 2 optional arguments are used together whenever HTTP Basic Auth needs to be used
    --bauser is a Basic Auth username
    --bapass is a Basic Auth password to be used with the "bauser" username

    --keyfile keyfile --certfile certfile --- these 2 optional arguments are used together whenever client-side certs need to be used
    --keyfile is the PEM formatted file that contains the respective private key to be used
    --certfile is the PEM formatted file that contains the X.509 certificate to be used with the "keyfile"

    Here are examples of each type of run:

     

  • python WSFuzzer.py -w http://target/service/service.asmx?wsdl
  • python WSFuzzer.py -e http://target/service/service.asmx -n urn:service
  • python WSFuzzer.py --xml file.xml
  • python WSFuzzer.py -h http://target

     

    Upon completion of a run the output is written to a directory the program creates in the directory it is installed in and run from. Directory names follow the pattern FuzzingResults-N, where N is calculated from the existing directories matching the pattern (you can also name the directory yourself when prompted at the start of a run, as the snippets below show). So if you run the program from "/opt/WSFuzzer" for instance you will end up with something like:

     

  • /opt/WSFuzzer/FuzzingResults-0
  • /opt/WSFuzzer/FuzzingResults-1
  • ...
  • /opt/WSFuzzer/FuzzingResults-N

    In each one of these directories there will be an index.html file and a dir called HeaderData.

    index.html gives you an overview of the results, one row per request sent. The IDS evasion column shows the URI as it was actually sent (here the random case sensitivity option was in use):

    Method | Request Params         | IDS evasion                   | Response   | Http Info | Round Trip
    xpath  | {'parameters': '%00'}  | /WSDIGGeR_WS/WSDiggER_WS.AsMX | Soap Fault | HTTP Log  | 276.2158 M
    xpath  | {'parameters': 'TRUE'} | /WSDIggER_WS/WSDIgGer_WS.AsMx | Soap Fault | HTTP Log  | 2.88 S

    In the HeaderData dir you will find files that hold a Request / Response pair for each of the attacks sent to the target; one file holds one Request and one Response. In some cases there will be no response, if the attack Request caused some sort of crash on the server (500 status response, etc.). Each link in the Http Info column takes you to the file for the request in that row, so the raw request and response behind any interesting row are always at hand.

    In reference to the "Round Trip" values:

    • M = milliseconds
    • S = seconds 


    This is a snippet from a run using the Static XML option (--xml).

    python2.4 WSFuzzer.py --xml xpath.xml

    Running WSFuzzer 1.9, the latest version

    Local "All_attack.txt" data matches that on neurofuzz.com

    Local "dirs.txt" data matches that on neurofuzz.com

    Local "filetypes.txt" data matches that on neurofuzz.com

    If you would like to establish the directory name for the
    results then type it in now (leave blank for the default): xmltest
    Since you are using the static XML feature we need some data from you...

    Host to attack (i.e. sec.neurofuzz.com): 192.168.1.207

    URI to attack (i.e. /axis/EchoHeaders.jws): /WSDigger_WS/WSDigger_WS.asmx
    Unless some serious masking/spoofing is in place, it seems
    you are targeting a .Net host so you will need to use a SOAPAction header ...

    Enter the SOAPAction value: http://foundstone.com/Stringproc/xpath

    Method: xpath
    Param discovered: query, of type: xsi:string
    Simultaneous Mode activated

    Input name of Fuzzing dictionary(full path): attack.txt

    Dictionary Chosen: attack.txt

    Would you like to enable automated fuzzing
    to augment what you have already chosen?
    This option generates a lot of traffic, mostly
    with a bad attitude &->
    Answer: n
    Parameter: query

    Would you like to fuzz this param: y
    Fuzzing this param
    adding parameter

    Would you like to enable IDS evasion(y/n)?
    Answer: n
    Not using IDS evasion

    Shall I begin Fuzzing(y/n)?
    Answer: y

    Commencing the fuzz ....
    Starting to fuzz method (xpath)

    Generated 4 parameter based Attack Strings ...

     

    Fuzzing completed for method (xpath)

    The following represents an example of the payload contained as the content of the xml file passed in via the --xml switch. In reference to the example above, the file xpath.xml has the following as its contents (the value WHATEVER is a dummy; the fuzzer substitutes its attack strings for the query parameter it discovers in this payload):

    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <xpath xmlns="http://foundstone.com/Stringproc">
          <query>WHATEVER</query>
        </xpath>
      </soap:Body>
    </soap:Envelope>

    ** This option (--xml) is ideal for the use of WSFuzzer when targeting .Net services/hosts. In order to use this option successfully you need to know/have the following in reference to your target:

  • A valid XML payload. All you need to do is use whatever method you'd like to generate a valid payload based on your target. As a pen tester this is usually no problem since you are working closely with the target's developers/engineers.
  • Proper host data in the form of host.domain or an IP address, i.e. sec.neurofuzz.com or 192.168.1.207
  • Proper resource data (URI), i.e. /WSDigger_WS/WSDigger_WS.asmx
  • If you are targeting a .Net service you will also need to know the value for a valid SOAPAction HTTP header, this could be the name of the method or a FQDN - it totally depends on how the target services were built. For instance in the example above the SOAPAction value is: http://foundstone.com/Stringproc/xpath
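    The following is an added example, not WSFuzzer's own code, of what a --xml style run does with the xpath.xml payload above: each dictionary entry replaces the dummy value in the query element, the request gets the headers a .Net SOAP endpoint expects (SOAPAction included), the round trip is timed and the response is classified the way the Response column of index.html is. Host, URI and SOAPAction are the values from the example run; the dictionary, the response bodies and the network sender are constructed stand-ins so that it runs offline. Treating WHATEVER as the placeholder is an assumption.

```python
"""Added example (not WSFuzzer's own code): a minimal --xml style fuzz loop.
Assumption: the dummy value WHATEVER in xpath.xml is what gets replaced."""
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PLACEHOLDER = "WHATEVER"

TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<xpath xmlns="http://foundstone.com/Stringproc">
<query>WHATEVER</query>
</xpath>
</soap:Body>
</soap:Envelope>"""

# Constructed stand-in for attack.txt: most entries are XML-safe, one breaks
# well-formedness, since the tool deliberately sends both kinds.
DICTIONARY = ["%00", "TRUE", "' or '1'='1", "a&b", "<![CDATA[x]]>"]


def build_request(template, value, escape_xml):
    """escape_xml=True keeps the envelope well-formed, so the attack string
    reaches the method's logic; False injects it raw, so the XML parser is
    what gets exercised."""
    payload = escape(value) if escape_xml else value
    return template.replace(PLACEHOLDER, payload).encode("utf-8")


def request_headers(host, soap_action, body):
    return {"Host": host,
            "Content-Type": "text/xml; charset=utf-8",
            "Content-Length": str(len(body)),
            "SOAPAction": '"%s"' % soap_action}   # required by .Net endpoints


def is_well_formed(body):
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False


def classify_response(status, body):
    """'Soap Fault' if the body carries a SOAP 1.1 Fault, else the HTTP status."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return str(status)
    return "Soap Fault" if root.find(".//{%s}Fault" % SOAP_NS) is not None else str(status)


def fault_text(body):
    """faultstring is where leaked detail (stack traces, XPath/SQL syntax
    errors) shows up; that is what the analyst reads after the run."""
    node = ET.fromstring(body).find(".//faultstring")
    return node.text if node is not None else ""


def run(sender, host, uri, soap_action, dictionary, escape_xml):
    """sender(host, uri, headers, body) -> (status, response_body).
    Returns one row per request, mirroring the columns of index.html."""
    rows = []
    for value in dictionary:
        body = build_request(TEMPLATE, value, escape_xml)
        headers = request_headers(host, soap_action, body)
        t0 = time.perf_counter()
        status, resp = sender(host, uri, headers, body)
        rows.append({"params": {"query": value},
                     "well_formed": is_well_formed(body),
                     "response": classify_response(status, resp),
                     "round_trip_ms": (time.perf_counter() - t0) * 1000.0})
    return rows


# Constructed responses used by the offline stand-in sender below: a fault
# for unparseable XML versus a normal reply.
FAULT_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<soap:Fault><faultcode>soap:Client</faultcode>
<faultstring>Server was unable to read request.</faultstring></soap:Fault>
</soap:Body></soap:Envelope>"""
OK_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<xpathResponse xmlns="http://foundstone.com/Stringproc"><xpathResult>ok</xpathResult>
</xpathResponse></soap:Body></soap:Envelope>"""


def fake_sender(host, uri, headers, body):
    """Offline stand-in for the target: faults on malformed XML, 200 otherwise."""
    return (200, OK_BODY) if is_well_formed(body) else (500, FAULT_BODY)


if __name__ == "__main__":
    for row in run(fake_sender, "192.168.1.207", "/WSDigger_WS/WSDigger_WS.asmx",
                   "http://foundstone.com/Stringproc/xpath", DICTIONARY, escape_xml=False):
        print(row["params"], row["well_formed"], row["response"], "%.2f ms" % row["round_trip_ms"])
```

    The escape_xml switch is the practical point: a raw "a&b" never reaches the xpath method because the parser rejects the envelope first, so a run that only injects raw strings tests the XML stack, not the application logic behind it. To replace the stand-in with a real target, pass a sender that performs the HTTP POST with the headers returned by request_headers and hands back the status and body.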

    Here is a snippet from a run utilizing individual mode and no IDS Evasion:

    WSFuzzer.py -w http://jboss_target.example.com/ws4ee/services/LoginService?wsdl

    Running WSFuzzer 1.9, the latest version

    Local "All_attack.txt" data matches that on neurofuzz.com

    Local "dirs.txt" data matches that on neurofuzz.com

    Local "filetypes.txt" data matches that on neurofuzz.com

    WSDL Discovered (http://jboss_target.example.com/ws4ee/services/LoginService?wsdl)
    If you would like to establish the directory name for the
    results then type it in now (leave blank for the default): mytest

    Method(0): authenticateUser
    Params:
    in0(string)
    in1(string)
    in2(string)

    Method(1): setToken
    Params:
    in0(string)

    Select the methods you want to Fuzz(ex: 0,1,2,3 or A for All)
    Methods: 0

    Would you like to attack all the chosen params simultaneously? n

    Method: authenticateUser
    Parameter: in0 Type: string

    Choose fuzz type(ex. 1)
    0) Do not fuzz this parameter
    1) Dictionary (One entry per line)
    FuzzType: 1

    Fuzzing using dictionary
    Input name of dictionary(full path): attack1.txt
    Dictionary Chosen: attack1.txt

    Would you like to enable automated fuzzing
    to augment what you have already chosen?
    This option generates a lot of traffic, mostly
    with a bad attitude &->
    Answer: y

    adding parameter
    Parameter: in1 Type: string

    Choose fuzz type(ex. 1)
    0) Do not fuzz this parameter
    1) Dictionary (One entry per line)
    FuzzType: 0

    Not fuzzing this param
    adding parameter
    Parameter: in2 Type: string

    Choose fuzz type(ex. 1)
    0) Do not fuzz this parameter
    1) Dictionary (One entry per line)
    FuzzType: 1

    Fuzzing using dictionary
    Input name of dictionary(full path): attack2.txt
    Dictionary Chosen: attack2.txt

    Would you like to enable automated fuzzing
    to augment what you have already chosen?
    This option generates a lot of traffic, mostly
    with a bad attitude &->
    Answer: n

    Method: authenticateUser
    Parameter: in0 Type: string

    Would you like to fuzz this param: y
    Fuzzing this param
    adding parameter
    Parameter: in1 Type: string

    Would you like to fuzz this param: y
    Fuzzing this param
    adding parameter
    Parameter: in2 Type: string

    Would you like to fuzz this param: y
    Fuzzing this param
    adding parameter

    Would you like to enable IDS evasion(y/n)?
    Answer: n
    Not using IDS evasion

    Shall I begin Fuzzing(y/n)?
    Answer: y
    Commencing the fuzz ....

    starting fuzzing method (authenticateUser)

    Generated 6101 Attack Strings ...

    <<< Baseline XML Payload with Random data val's >>>

    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/1999/XMLSchema"
    >
    <SOAP-ENV:Body>
    <authenticateUser SOAP-ENC:root="1">
    <v1 xsi:type="xsd:string">xdeiykUzTnXTlFPrEiyJvAszywDojsxbAQNDxVnysdjJrQKCYqGsrNeTQaHWfAZIuhcrohfygMilBDCTCJRGvplQi</v1>
    <v2 xsi:type="xsd:string">suDtTvYwFdbJxDSuvgnnUhzzXbsFrLQuTKfPPNTejarrVATMXUqD</v2>
    <v3 xsi:type="xsd:string">gGdVVAKWMmARMSBBlZhQdnBHzVVHGfgHwUoxFItflzKaTbxMNppRtWevzQxCJcXhdF</v3>
    </authenticateUser>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    <<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>

    Fuzzing completed for method (authenticateUser)

    And here is a snippet from the results output of the run above:

    Method           | Request Params                            | IDS Evasion | Response | Http Info | Round Trip
    authenticateUser | {'in0': '/*', 'in1': None, 'in2': None}   | None        | 0        | HTTP Log  | 276.2158 M
    authenticateUser | {'in0': '\\00', 'in1': None, 'in2': None} | None        | 0        | HTTP Log  | 2.88 S

     

    Here is a snippet from a run utilizing simultaneous mode and no IDS Evasion:

    WSFuzzer.py -w http://jboss_target.example.com/ws4ee/services/LoginService?wsdl

    Running WSFuzzer 1.9, the latest version

    Local "All_attack.txt" data matches that on neurofuzz.com

    Local "dirs.txt" data matches that on neurofuzz.com

    Local "filetypes.txt" data matches that on neurofuzz.com

    WSDL Discovered (http://jboss_target.example.com/ws4ee/services/LoginService?wsdl)
    If you would like to establish the directory name for the
    results then type it in now (leave blank for the default): mytest

    Method(0): authenticateUser
    Params:
    in0(string)
    in1(string)
    in2(string)

    Method(1): setToken
    Params:
    in0(string)

    Select the methods you want to Fuzz(ex: 0,1,2,3 or A for All)
    Methods: 0

    Would you like to attack all the chosen params simultaneously? y
    Input name of Fuzzing dictionary(full path): attack3.txt

    Dictionary Chosen: attack3.txt

    Would you like to enable automated fuzzing
    to augment what you have already chosen?
    This option generates a lot of traffic, mostly
    with a bad attitude &->

    Answer: n

    Method: authenticateUser
    Parameter: in0 Type: string
    Would you like to fuzz this param: y
    Fuzzing using dictionary
    adding parameter

    Method: authenticateUser
    Parameter: in1 Type: string
    Would you like to fuzz this param: y
    Fuzzing using dictionary
    adding parameter

    Method: authenticateUser
    Parameter: in2 Type: string
    Would you like to fuzz this param: y
    Fuzzing using dictionary
    adding parameter

    Would you like to enable IDS evasion(y/n)? Answer: n
    Not using IDS evasion

    Shall I begin Fuzzing(y/n)?
    Answer: y

    Commencing the fuzz ....

    starting fuzzing method (authenticateUser)

    <<< Baseline XML Payload with Random data val's >>>

    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/1999/XMLSchema"
    >
    <SOAP-ENV:Body>
    <authenticateUser SOAP-ENC:root="1">
    <v1 xsi:type="xsd:string">xdeiykUzTnXTlFPrEiyJvAszywDojsxbAQNDxVnysdjJrQKCYqGsrNeTQaHWfAZIuhcrohfygMilBDCTCJRGvplQi</v1>
    <v2 xsi:type="xsd:string">suDtTvYwFdbJxDSuvgnnUhzzXbsFrLQuTKfPPNTejarrVATMXUqD</v2>
    <v3 xsi:type="xsd:string">gGdVVAKWMmARMSBBlZhQdnBHzVVHGfgHwUoxFItflzKaTbxMNppRtWevzQxCJcXhdF</v3>
    </authenticateUser>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    <<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>

    Fuzzing completed for method (authenticateUser)

    And here is a snippet from the results output of the run above:

    Method           | Request Params                              | IDS Evasion | Response | Http Info | Round Trip
    authenticateUser | {'in0': '/*', 'in1': '/*', 'in2': '/*'}     | None        | 0        | HTTP Log  | 2.88 S
    authenticateUser | {'in0': '\\00', 'in1': '\\00', 'in2': '\\00'} | None        | 0        | HTTP Log  | 276.2158 M
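    The following is an added example, not WSFuzzer's own code, of how the two parameter-attack modes described in the feature list expand a method's parameter list into the Request Params rows shown in the individual-mode and simultaneous-mode results above. The method and parameter names are the page's (authenticateUser with in0, in1, in2); the dictionaries are constructed stand-ins for attack1.txt, attack2.txt and attack3.txt.

```python
"""Added example (not WSFuzzer's own code): individual vs simultaneous
parameter attack modes, producing the Request Params dicts of index.html."""

PARAMS = ["in0", "in1", "in2"]
ATTACK1 = ["/*", "\\00", "' or 1=1--"]   # constructed stand-in for attack1.txt
ATTACK2 = ["%00", "<!--"]                # constructed stand-in for attack2.txt
ATTACK3 = ["/*", "\\00"]                 # constructed stand-in for attack3.txt


def individual_mode(params, dictionaries):
    """dictionaries maps each param chosen for fuzzing (FuzzType 1) to its own
    word list; params absent from it were answered with FuzzType 0. One param
    is attacked per request and every other param is sent as None, which is
    why the individual-mode rows read {'in0': '/*', 'in1': None, 'in2': None}."""
    cases = []
    for name in params:
        if name not in dictionaries:
            continue
        for word in dictionaries[name]:
            case = dict.fromkeys(params)      # every param None ...
            case[name] = word                 # ... except the one under attack
            cases.append(case)
    return cases


def simultaneous_mode(params, fuzzed, dictionary):
    """One shared dictionary; every param answered 'y' receives the same entry
    in the same request, giving rows like {'in0': '/*', 'in1': '/*', 'in2': '/*'}."""
    return [{p: (word if p in fuzzed else None) for p in params} for word in dictionary]


def attacked_params(case):
    """Which params carried fuzz data in a request. In individual mode this is
    always one name, so a fault or timing spike is attributable to it; in
    simultaneous mode it is several, and attribution needs a follow-up run."""
    return [p for p, v in case.items() if v is not None]


if __name__ == "__main__":
    ind = individual_mode(PARAMS, {"in0": ATTACK1, "in2": ATTACK2})
    sim = simultaneous_mode(PARAMS, {"in0", "in1", "in2"}, ATTACK3)
    print(len(ind), "individual-mode requests, e.g.", ind[0], attacked_params(ind[0]))
    print(len(sim), "simultaneous-mode requests, e.g.", sim[0], attacked_params(sim[0]))
```

    The request budget differs accordingly: individual mode sends the sum of the per-parameter dictionary sizes, simultaneous mode sends one request per dictionary entry regardless of how many parameters are marked. That is the trade-off to weigh against the "Generated 6101 Attack Strings" figure in the runs above.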


    Now here is a run utilizing one of the IDS Evasion techniques:

    Running WSFuzzer 1.9

    If you would like to establish the directory name for the
    results then type it in now (leave blank for the default): mytest

    0) Basic Discovery (faster but less accurate)
    1) Advanced Discovery (slower and more intrusive but more thorough and accurate)
    2) Advanced Discovery (like #1) with port scanning first

    Probe Type: 2

    Beginning TCP port for scan: 1

    Ending TCP port for scan: 9090

    Open TCP ports discovered for target localhost:
    [0] 80
    [0] 8080
    [0] 8088

    Pick one via numeric index (i.e. 1 for [1]): 0

    Would you like to Spider the target on top of the advanced probe: y
    Checking 10077696 maximum number of dir combo's based on a depth of 7

    Discovered WSDL links:
    0 => http://jboss_target.example.com/ws4ee/services/ERSService?wsdl
    1 => http://jboss_target.example.com/ws4ee/services/AuditService?wsdl
    2 => http://jboss_target.example.com/ws4ee/services/SyncService?wsdl
    3 => http://jboss_target.example.com/ws4ee/services/ThumbnailService?wsdl
    4 => http://jboss_target.example.com/ws4ee/services/OfficeDataService?wsdl
    5 => http://jboss_target.example.com/ws4ee/services/TestService?wsdl
    6 => http://jboss_target.example.com/ws4ee/services/LogsService?wsdl
    7 => http://jboss_target.example.com/ws4ee/services/LoginService?wsdl
    8 => http://jboss_target.example.com/ws4ee/services/AdminService?wsdl
    9 => http://jboss_target.example.com/ws4ee/services/VersionService?wsdl
    10 => http://jboss_target.example.com/ws4ee/services/UserService?wsdl
    11 => http://jboss_target.example.com/ws4ee/services/IKSService?wsdl
    12 => http://jboss_target.example.com/ws4ee/services/ExcelService?wsdl
    13 => http://jboss_target.example.com/ws4ee/services/AdminService2?wsdl
    14 => http://jboss_target.example.com/ws4ee/services/DirService?wsdl

    Please choose ONE link, via numeric index, from the above list
    7

    Method(0): authenticateUser
    Params:
    in0(string)
    in1(string)
    in2(string)

    Method(1): setToken
    Params:
    in0(string)

    Select the methods you want to Fuzz(ex: 0,1,2,3 or A for All)
    Methods: 0

    Would you like to attack all the chosen params simultaneously? n

    Method: authenticateUser
    Parameter: in0 Type: string

    Choose fuzz type(ex. 1)
    0) Do not fuzz this parameter
    1) Dictionary (One entry per line)
    FuzzType: 1

    Fuzzing using dictionary
    Input name of dictionary(full path): attack1.txt
    Dictionary Chosen: attack1.txt

    Would you like to enable automated fuzzing
    to augment what you have already chosen?
    This option generates a lot of traffic, mostly
    with a bad attitude &->
    Answer: y

    adding parameter
    Parameter: in1 Type: string

    Choose fuzz type(ex. 1)
    0) Do not fuzz this parameter
    1) Dictionary (One entry per line)
    FuzzType: 0

    Not fuzzing this param
    adding parameter
    Parameter: in2 Type: string

    Choose fuzz type(ex. 1)
    0) Do not fuzz this parameter
    1) Dictionary (One entry per line)
    FuzzType: 1

    Fuzzing using dictionary
    Input name of dictionary(full path): attack2.txt
    Dictionary Chosen: attack2.txt

    Would you like to enable automated fuzzing
    to augment what you have already chosen?
    This option generates a lot of traffic, mostly
    with a bad attitude &->
    Answer: n

    adding parameter

    Would you like to enable IDS evasion(y/n)?
    Answer: y
    Choose an option for IDS Evasion.
    0) null method processing - ** Windows targets only
    1) random URI (non-UTF8) encoding
    2) directory self-reference (/./)
    3) premature URL ending
    4) prepend long random string
    5) fake parameter
    6) TAB as request spacer
    7) random case sensitivity - ** Windows targets only
    8) directory separator (\) - ** Windows targets only
    10) URI (non-UTF8) encoding
    R) choose an option at random
    Option: 1

    Shall I begin Fuzzing(y/n)?
    Answer: y

    Commencing the fuzz ....
    starting fuzzing method (authenticateUser)

    Generated 6101 Attack Strings ...

    <<< Baseline XML Payload with Random data val's >>>

    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/1999/XMLSchema"
    >
    <SOAP-ENV:Body>
    <authenticateUser SOAP-ENC:root="1">
    <v1 xsi:type="xsd:string">xdeiykUzTnXTlFPrEiyJvAszywDojsxbAQNDxVnysdjJrQKCYqGsrNeTQaHWfAZIuhcrohfygMilBDCTCJRGvplQi</v1>
    <v2 xsi:type="xsd:string">suDtTvYwFdbJxDSuvgnnUhzzXbsFrLQuTKfPPNTejarrVATMXUqD</v2>
    <v3 xsi:type="xsd:string">gGdVVAKWMmARMSBBlZhQdnBHzVVHGfgHwUoxFItflzKaTbxMNppRtWevzQxCJcXhdF</v3>
    </authenticateUser>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

    <<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>

    Fuzzing completed for method (authenticateUser)

    And here is a snippet from the results output of the run above:

    Method           | Request Params                            | IDS Evasion                                                         | Response | Http Info | Round Trip
    authenticateUser | {'in0': '/*', 'in1': None, 'in2': None}   | /L%75g%68%53e%72vic%65/%41o%74hS%65%72vic%65S%65rv%69%63%65         | 0        | HTTP Log  | 276.2150 M
    authenticateUser | {'in0': '\\00', 'in1': None, 'in2': None} | /L%75%74i%53%65%72v%69%63%65/%41o%74%68Servi%63%65%53%65rv%69%63e   | 0        | HTTP Log  | 2.88 S


    IDS Evasion info

    The following options are currently available for purposes of IDS Evasion:

    0) null method processing - ** Windows targets only
    1) random URI (non-UTF8) encoding
    2) directory self-reference (/./)
    3) premature URL ending
    4) prepend long random string
    5) fake parameter
    6) TAB as request spacer
    7) random case sensitivity - ** Windows targets only
    8) directory separator (\) - ** Windows targets only
    10) URI (non-UTF8) encoding
    11) double percent hex encoding - ** Windows targets only
    12) double nibble hex encoding - ** Windows targets only
    13) first nibble hex encoding - ** Windows targets only
    14) second nibble hex encoding - ** Windows targets only
    R) choose an option at random

    Working with the following target URI: "/WSDigger_WS/WSDigger_WS.asmx", here is an idea of what the URI data would look like when in use for the HTTP POSTs:

    • null method processing: %00%20/WSDigger_WS/WSDigger_WS.asmx

    • random URI (non-UTF8): /%57SDi%67g%65r%5fW%53/%57%53D%69gge%72_%57%53.asm%78
    • directory self-reference (/./): /./WSDigger_WS/./WSDigger_WS.asmx
    • premature URL ending: /%20HTTP/1.1%0D%0A%0D%0AAccept%3A%20PTdOoYWl2A/../../WSDigger_WS/WSDigger_WS.asmx
    • prepend long random string: /UCD8SiuHKgBhOrUmmdRtn15khQD17fWScHMz6Wa3x65ihPOzBPCkj2M3e4Lr0lwAYgx0zrDAh7ZOUlAqE1vHpqvIFKj2hHQjUS4VdyUyOewrIDnEsaX5
      WrpOYIphWuzZIT3J1nezbYxjwvg0R5u6QVbBJFiafkY2t5mIPexZd9Zwq9f9Nu3lHRJzRauoDP2VpewGimw9TVrcynp0NJFCEefV6ETCMbhdn9fUPC3dYN8
      MyubOeLQqOMWDKI4y35prsntMfGX2WWbRFii912f75zVuaYDOR5CxVopXT6bU7eDbCea8YSAZAWxdt0kuGtEmFbH46WXl6cInovsY3nLmTgZ77XX
      4JncWWatypv34az9iuMmr0GqyCgOuxLIW0600zGhTlAuZYf3I6rs0Lm4NHaEmLi7ZNdPywNV0IUs2Wwlu2EsbHcTXnNbZ00Za2ixKuIJGqVKTrgS7LhfP5e
      16rR2D9mvBWkxVXIHhj30iniGoHhRl1XPs2mnO0ROb6CS0Xy3Nquzv/../WSDigger_WS/WSDigger_WS.asmx
    • fake parameter: /eLCk3rV3v1.html%3fyW0TziI2SP=/..//WSDigger_WS/WSDigger_WS.asmx
    • TAB as request spacer: /WSDigger_WS/WSDigger_WS.asmx (the URI itself is unchanged; a TAB replaces the space between the method and the URI in the request line)
    • random case sensitivity: /WSDiggER_WS/WSDIgGER_WS.AsmX
    • directory separator (\): /WSDigger_WS\WSDigger_WS.asmx
    • URI (non-UTF8): /%57%53%44%69%67%67%65%72%5f%57%53/%57%53%44%69%67%67%65%72%5f%57%53%2e%61%73%6d%78
    • double percent hex encoding: /%2557%2553%2544%2569%2567%2567%2565%2572%255f%2557%2553/%2557%2553%2544%2569%2567%2567%2565%2572%255f%2557%2553
      %252e%2561%2573%256d%2578
    • double nibble hex encoding: /%%35%37%%35%33%%34%34%%36%39%%36%37%%36%37%%36%35%%37%32%%35%66%%35%37%%35%33/%%35%37%%35%33%%34%34
      %%36%39%%36%37%%36%37%%36%35%%37%32%%35%66%%35%37%%35%33%%32%65%%36%31%%37%33%%36%64%%37%38
    • first nibble hex encoding: /%%357%%353%%344%%369%%367%%367%%365%%372%%35f%%357%%353/%%357%%353%%344%%369%%367%%367%%365%%372%%35f
      %%357%%353%%32e%%361%%373%%36d%%378
    • second nibble hex encoding: /%5%37%5%33%4%34%6%39%6%37%6%37%6%35%7%32%5%66%5%37%5%33/%5%37%5%33%4%34%6%39%6%37%6%37%6%35%7%32%5%66
      %5%37%5%33%2%65%6%31%7%33%6%64%7%38
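    The following is an added example, not WSFuzzer's own code, that reproduces the URI transformations listed above on the page's target URI and pairs them with a decoder that models how a lenient, double-decoding Windows server canonicalises the request path. The check at the end is the one a practitioner wants: every variant still reaches the same path on the server side, while a signature engine that decodes once and looks for the literal path misses most of them. The server model is a model, not any specific product; random strings come from a seeded RNG so the output is reproducible.

```python
"""Added example (not WSFuzzer's own code): the URI evasion encodings from
the list above, plus a model of how the target canonicalises them."""
import posixpath
import random
import string
from urllib.parse import unquote

TARGET = "/WSDigger_WS/WSDigger_WS.asmx"   # target URI used in the page's samples


def _hex(c):
    return "%02x" % ord(c)                 # lowercase hex, as in the samples


def _rand(rng, n):
    return "".join(rng.choice(string.ascii_letters + string.digits) for _ in range(n))


def _per_char(path, fn):
    """Apply fn to every character except the '/' separators."""
    return "".join(c if c == "/" else fn(c) for c in path)


def null_method(path):                      # 0) null method processing
    return "%00%20" + path

def random_uri_encode(path, rng):           # 1) random URI (non-UTF8) encoding
    return _per_char(path, lambda c: "%" + _hex(c) if rng.random() < 0.5 else c)

def self_reference(path):                   # 2) directory self-reference
    return path.replace("/", "/./")

def premature_ending(path, rng):            # 3) premature URL ending
    # Looks like the request line ended and a header began; the two '..'
    # pop the two bogus segments ('%20HTTP' and '1.1<CRLF><CRLF>Accept:...').
    return "/%20HTTP/1.1%0D%0A%0D%0AAccept%3A%20" + _rand(rng, 10) + "/../.." + path

def prepend_random(path, rng):              # 4) prepend long random string
    return "/" + _rand(rng, 500) + "/.." + path

def fake_parameter(path, rng):              # 5) fake parameter
    return "/" + _rand(rng, 10) + ".html%3f" + _rand(rng, 10) + "=/../" + path

def tab_spacer(path):                       # 6) TAB as request spacer
    return path                             # URI unchanged; the TAB sits in the request line

def random_case(path, rng):                 # 7) random case sensitivity (Windows)
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in path)

def backslash_separator(path):              # 8) directory separator (Windows)
    head, _, tail = path.rpartition("/")
    return head + "\\" + tail

def uri_encode(path):                       # 10) URI (non-UTF8) encoding
    return _per_char(path, lambda c: "%" + _hex(c))

def double_percent(path):                   # 11) %2557 -> %57 -> W
    return _per_char(path, lambda c: "%25" + _hex(c))

def double_nibble(path):                    # 12) %%35%37 -> %57 -> W
    return _per_char(path, lambda c: "%%" + _hex(_hex(c)[0]) + "%" + _hex(_hex(c)[1]))

def first_nibble(path):                     # 13) %%357 -> %57 -> W
    return _per_char(path, lambda c: "%%" + _hex(_hex(c)[0]) + _hex(c)[1])

def second_nibble(path):                    # 14) %5%37 -> %57 -> W
    return _per_char(path, lambda c: "%" + _hex(c)[0] + "%" + _hex(_hex(c)[1]))


def server_view(raw):
    """Model of a lenient Windows-hosted server: percent-decode twice (the
    classic IIS double decode), treat '\\' as '/', collapse '.' and '..',
    compare case-insensitively. Not a model of any specific product."""
    s = unquote(unquote(raw)).replace("\\", "/")
    return posixpath.normpath(s).lower()


def naive_match(raw, signature=TARGET):
    """A signature engine that decodes once and looks for the literal path."""
    return signature in unquote(raw)


def evasion_report(path, rng=None):
    rng = rng or random.Random(7)
    forms = {"null method": null_method(path),
             "random uri encode": random_uri_encode(path, rng),
             "self reference": self_reference(path),
             "premature ending": premature_ending(path, rng),
             "prepend random": prepend_random(path, rng),
             "fake parameter": fake_parameter(path, rng),
             "tab spacer": tab_spacer(path),
             "random case": random_case(path, rng),
             "backslash": backslash_separator(path),
             "uri encode": uri_encode(path),
             "double percent": double_percent(path),
             "double nibble": double_nibble(path),
             "first nibble": first_nibble(path),
             "second nibble": second_nibble(path)}
    return {name: {"wire": raw,
                   "reaches_target": server_view(raw) == path.lower(),
                   "naive_match": naive_match(raw)}
            for name, raw in forms.items()}


if __name__ == "__main__":
    for name, r in evasion_report(TARGET).items():
        print("%-18s reaches=%-5s naive_ids=%-5s %s" % (name, r["reaches_target"], r["naive_match"], r["wire"][:60]))
```

    Two things the report makes visible. The path-prefix tricks (premature URL ending, prepend long random string, fake parameter) beat rules anchored on the whole URI but not a plain substring match, because the literal path survives at the end of the wire form; the encoding tricks (double percent and the nibble variants) beat any engine that decodes only once, which is exactly the gap between the IDS and a double-decoding server. The null method variant is left out of the equivalence check because how a server treats an embedded NUL is target-specific.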


    Download

    http://sourceforge.net/projects/wsfuzzer

    Known Issues

  • The SOAP/WSDL libs this program uses are known to have some issues consuming some WSDLs created within .NET infrastructures. It really depends on how the WSDL was generated, but the WSDL consumption libs choke on some of these .NET based sets of XML. This is entirely subjective because we have also seen it work successfully against many .NET targets. Moreover, the --xml feature will help dramatically.
  • We have gotten reports from a few users stating that the automated fuzzing is causing client side memory errors. Admittedly the automated fuzzing generates a lot of data and is intense :-) But that is one of the MO's of attacks, so this is not accidental. As of version 1.7 we have toned one type of attack down a bit and it seems to be playing nicer. So keep us posted on these types of issues, but remember that the point with some of these attack vectors is to break the rules and force anomalies in order to see how the server side target holds up. In other words, don't write me complaining about the fact that the tool is generating and sending bad XML; yes, that is one of the things this tool purposely does.

    Future Plans

    The future of WSFuzzer has the following in its path currently:

  • Pattern based attack vectors
  • More types of dynamic and intelligent XML content based attacks
  • AVDL export of result data
  • Other formats of final results output ......

    If you have any suggestions/feedback please send them to wsfuzzer [at] neurofuzz dot com.
