Quick and Dirty Web Services Testing with Suds and Burp Suite


Overview

This is a really simple example of using the Python Suds library to consume and inspect SOAP web services with integration into Burp Suite. I decided once upon a time that I didn’t think SoapUI was efficient for what I needed when it came to testing web services and getting that data into Burp Suite, so I began searching for a simple Python library that could help me out. I will caveat that statement with this: I always enjoy trying to write my own implementation of things; even if they aren’t the best, it helps with my overall objective -> Learning!

Getting Soapy

https://fedorahosted.org/suds/ – “Suds is a lightweight SOAP python client for consuming Web Services”. So I stumbled upon Suds, which I must say is incredibly easy to use.  The best part about this library is that you can accomplish everything you want from the console, which is always a plus.  Alright, so in your Python console we want to import the Suds client and set up some logging so we can debug each web service request and response:

>>> from suds.client import Client
>>> import logging
>>> logging.basicConfig(level=logging.INFO)
>>> logging.getLogger('suds.client').setLevel(logging.DEBUG)

Now we need to set up some arguments for the Suds client.  Things we will need: the location of the web service descriptor file (the WSDL), and the address where Burp Suite is currently listening:

>>> url = "https://demowebservice/Auth.svc?wsdl"
>>> proxy = {}
>>> proxy['http'] = 'http://localhost:8080'
>>> proxy['https'] = 'https://localhost:8080'

Now the only thing we need to do is have our Suds client consume the web service with the arguments we set up, and view the result.

>>> client = Client(url, proxy=proxy)
>>> print client

Suds ( https://fedorahosted.org/suds/ )  version: 0.4 GA  build: R699-20100913

Service ( AuthenticationService ) tns="http://asp.net/ApplicationServices/v200"
   Prefixes (1)
      ns0 = "http://schemas.microsoft.com/2003/10/Serialization/"
   Ports (1):
      (BasicHttpBinding_AuthenticationService)
         Methods (4):
            IsLoggedIn()
            Login(xs:string username, xs:string password, xs:string customCredential, xs:boolean isPersistent, )
            Logout()
            ValidateUser(xs:string username, xs:string password, xs:string customCredential, )
         Types (3):
            ns0:char
            ns0:duration
            ns0:guid

>>>

Alright, so all we have to do now is make sure Burp Suite is up and running, and call one of the methods provided to us in the web service.

>>> client.service.IsLoggedIn()
DEBUG:suds.client:sending to (https://demowebservice/Auth.svc)
message:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:ns0="http://asp.net/ApplicationServices/v200" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <ns1:Body>
      <ns0:IsLoggedIn/>
   </ns1:Body>
</SOAP-ENV:Envelope>
DEBUG:suds.client:headers = {'SOAPAction': u'"http://asp.net/ApplicationServices/v200/AuthenticationService/IsLoggedIn"', 'Content-Type': 'text/xml; charset=utf-8'}
DEBUG:suds.client:http succeeded:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedInResponse xmlns="http://asp.net/ApplicationServices/v200"><IsLoggedInResult>false</IsLoggedInResult></IsLoggedInResponse></s:Body></s:Envelope>
False
>>>

Burp Suite

Nothing fancy, but it gets the job done.  Enjoy!
