auxiliary enum soap_request

cktricky edited this page Apr 12, 2011 · 10 revisions

Author(s):

cktricky

Description:

This forms a single SOAP request in the appropriate envelope and displays the response.

Module Options:

PARAM                                       true       The parameter which corresponds to the action
PASS                                        false      Specify a password
PROXYA                                      false      Proxy IP Address
PROXYP                                      false      Proxy Port Number
RACTION                                     true       Remote Action. Ex: GetUserID
RURL      http://www.example.com/test.php   true       Target address
USER                                        false      Specify a username
VALUE                                       true       Value to assign the parameter within the SOAP envelope

Options Explained (Module Specific):

This is how the request looks. It helps to demonstrate which option corresponds to which item in the request:

POST /WebGoat/services/WSDLScanning HTTP/1.1
Accept: */*
Content-Type: text/xml;charset=UTF-8
Soapaction: getCreditCard
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Length: 264
Host: 172.16.64.132:8088

<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:wsdl="http://172.16.64.132:8088/WebGoat/services/WSDLScanning"      
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><wsdl:getCreditCard><id>101</id></wsdl:getCreditCard>
</env:Body></env:Envelope>

PARAM -- In the request above, PARAM is the <id></id> portion of the XML structure. The parameter and value pair are no different from most web protocol requests in that they go hand in hand.

VALUE -- The 101 value, between the <id></id> tags, is our VALUE option. To summarize:

set PARAM id
set VALUE 101 

RACTION -- RACTION, or Remote Action, comprises the <wsdl:getCreditCard> and </wsdl:getCreditCard> tags. You can provide it in either camelCase or snake_case. Example:

set RACTION getCreditCard
set RACTION get_credit_card

USER -- USER is the username that you'd like to provide for basic authentication.

PASS -- PASS is the password for basic authentication.

(Together, these two options make up the Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= value shown in the request.)

set USER guest
set PASS guest

RURL -- RURL is generally not module-specific, but in this case it is to a degree. You need to provide the URL of the WSDL file OR a SOAP endpoint. Example:

set RURL http://172.16.64.132:8088/WebGoat/services/WSDLScanning?WSDL                                             
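
The option-to-request mapping described above, as an added Ruby example that is not the module's own code. It only builds the request (nothing is sent); the helper names, the snake_case conversion, the XML escaping of VALUE, and deriving the wsdl namespace from RURL minus its query string are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical helper: accept camelCase or snake_case for RACTION.
def camelize_action(action)
  head, *rest = action.split('_')
  head + rest.map(&:capitalize).join
end

# Escape text so VALUE cannot break the envelope's structure (assumption).
def xml_text(value)
  value.to_s.gsub(/[&<>]/, { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;' })
end

# Map the module options onto request path, headers and body.
def build_soap_request(rurl:, raction:, param:, value:, user: nil, pass: nil)
  uri = URI.parse(rurl)
  endpoint = rurl.split('?', 2).first # assumption: namespace is RURL minus ?WSDL
  action = camelize_action(raction)
  body = %(<?xml version="1.0" encoding="UTF-8"?>) +
         %(<env:Envelope xmlns:wsdl="#{endpoint}" ) +
         %(xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body>) +
         %(<wsdl:#{action}><#{param}>#{xml_text(value)}</#{param}></wsdl:#{action}>) +
         %(</env:Body></env:Envelope>)
  headers = {
    'Content-Type' => 'text/xml;charset=UTF-8',
    'Soapaction' => action,
    'Host' => "#{uri.host}:#{uri.port}",
    'Content-Length' => body.bytesize.to_s
  }
  if user && pass
    # Basic auth is only Base64 of "USER:PASS" (pack('m0') = Base64, no newline).
    headers['Authorization'] = 'Basic ' + ["#{user}:#{pass}"].pack('m0')
  end
  { path: uri.path, headers: headers, body: body }
end

if __FILE__ == $PROGRAM_NAME
  # Option values taken from the request shown on this page.
  req = build_soap_request(rurl: 'http://172.16.64.132:8088/WebGoat/services/WSDLScanning?WSDL',
                           raction: 'get_credit_card', param: 'id', value: 101,
                           user: 'guest', pass: 'guest')
  puts "POST #{req[:path]} HTTP/1.1"
  req[:headers].each { |k, v| puts "#{k}: #{v}" }
  puts '', req[:body]
end
```

Because the Authorization value is an encoding rather than encryption, USER and PASS are recoverable by anyone who can read the request when RURL is plain HTTP.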

Real world example:

The site www.example.com has a WSDL located at /ws/Proservices?WSDL. No username or password is required. After using the module auxiliary/enum/wsdl_action_enum, we've determined that a get_user_id action exists. We want to test a known user ID of 103. We have viewed the WSDL manually and determined that a uid parameter exists. Let's set the options:

set RURL https://www.example.com/ws/Proservices?WSDL
set RACTION get_user_id
set PARAM uid
set VALUE 103
run