
Quick and Dirty Web Services Testing with Suds and Burp Suite

Written By: Versprite


Overview

This is a really simple example of using the Python Suds library to consume and inspect SOAP web services with integration into Burp Suite. I decided once upon a time that I didn’t think SoapUI was efficient for what I needed when it came to testing web services and getting that data into Burp Suite, so I began searching for a simple Python library that could help me out. I will caveat that statement with: I always enjoy trying to write my own implementation of things; even if they aren’t the best, it helps with my overall objective -> Learning!

Getting Soapy

So I stumbled upon Suds (https://fedorahosted.org/suds/), which describes itself as “a lightweight SOAP python client for consuming Web Services” and which I must say is incredibly easy to use. The best part about this library is that you can accomplish everything you want from the console, which is always a plus. Alright, so in your Python console we want to import the Suds client and set up some logging so we can debug each web service request and response.

>>> from suds.client import Client
>>> import logging
>>> logging.basicConfig(level=logging.INFO)
>>> logging.getLogger('suds.client').setLevel(logging.DEBUG)

Now we need to set up some arguments for the Suds client. Two things are needed: the location of the web service descriptor (WSDL) file, and the address where Burp Suite is currently listening:

>>> url = "https://demowebservice/Auth.svc?wsdl"
>>> proxy = {}
>>> proxy['http'] = 'http://localhost:8080'
>>> proxy['https'] = 'https://localhost:8080'

Now the only thing left to do is have our Suds client consume the web service with the arguments we set up, and view the result.

>>> client = Client(url, proxy=proxy)
>>> print client

Suds ( https://fedorahosted.org/suds/ ) version: 0.4 GA build: R699-20100913

Service ( AuthenticationService ) tns="http://asp.net/ApplicationServices/v200"
    Prefixes (1)
       ns0 = "http://schemas.microsoft.com/2003/10/Serialization/"
    Ports (1):
       (BasicHttpBinding_AuthenticationService)
          Methods (4):
             IsLoggedIn()
             Login(xs:string username, xs:string password, xs:string customCredential, xs:boolean isPersistent, )
             Logout()
             ValidateUser(xs:string username, xs:string password, xs:string customCredential, )
          Types (3):
             ns0:char
             ns0:duration
             ns0:guid

>>>

Alright, so all we have to do now is make sure Burp Suite is up and running, and call one of the methods provided to us in the web service.

>>> client.service.IsLoggedIn()
DEBUG:suds.client:sending to (https://demowebservice/Auth.svc)
message:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:ns0="http://asp.net/ApplicationServices/v200" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <ns1:Body>
      <ns0:IsLoggedIn/>
   </ns1:Body>
</SOAP-ENV:Envelope>
DEBUG:suds.client:headers = {'SOAPAction': u'"http://asp.net/ApplicationServices/v200/AuthenticationService/IsLoggedIn"', 'Content-Type': 'text/xml; charset=utf-8'}
DEBUG:suds.client:http succeeded:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedInResponse xmlns="http://asp.net/ApplicationServices/v200"><IsLoggedInResult>false</IsLoggedInResult></IsLoggedInResponse></s:Body></s:Envelope>
False
>>>
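The console session above, rolled into a reusable script, as an added example (this is not code from the post or from the Suds project). It assumes a Burp proxy listener at 127.0.0.1:8080 and points both the http and https entries at that plain-HTTP address, which is the form an HTTP proxy such as Burp expects for tunnelling HTTPS targets (the post uses an https:// form for the https entry). The inventory() helper reads client.wsdl.services[].ports[].methods, method.soap.action and method.location from Suds' parsed WSDL objects, which is how Suds 0.4 and the suds-community fork expose them; sample_client() is a constructed stand-in shaped like the AuthenticationService in the post so the helpers can be exercised offline without a network or an installed Suds.

```python
# Added example (not the post's code): the console session as a script.
# Assumptions: Burp listening on 127.0.0.1:8080; a suds Client that accepts
# proxy= (suds 0.4 or suds-community); the WSDL object attributes named below.
import logging

BURP_LISTENER = "http://127.0.0.1:8080"  # assumption: Burp's default listener


def burp_proxy(listener=BURP_LISTENER):
    """Proxy map for suds.client.Client(proxy=...). Both schemes point at the
    plain-HTTP listener; the proxy tunnels https targets with CONNECT."""
    return {"http": listener, "https": listener}


def enable_wire_logging():
    """Log every SOAP request and response suds builds, as in the post."""
    logging.basicConfig(level=logging.INFO)
    logging.getLogger("suds.client").setLevel(logging.DEBUG)


def inventory(client):
    """Walk the parsed WSDL and return {method_name: (SOAPAction, endpoint)}.
    This is the printed Client summary in a form a script can act on."""
    found = {}
    for service in client.wsdl.services:
        for port in service.ports:
            for name, method in port.methods.items():
                found[name] = (method.soap.action, method.location)
    return found


def call(client, method_name, *args):
    """Invoke one operation by name; suds sends it through the proxy."""
    return getattr(client.service, method_name)(*args)


class _Obj(object):
    """Constructed stand-in for suds' WSDL objects; carries only the
    attributes the helpers above read."""
    def __init__(self, **attrs):
        self.__dict__.update(attrs)


def sample_client():
    """Constructed client shaped like the post's AuthenticationService
    (one port, four methods, IsLoggedIn answering False); not a real Client."""
    endpoint = "https://demowebservice/Auth.svc"
    tns = "http://asp.net/ApplicationServices/v200/AuthenticationService/"
    methods = {}
    for name in ("IsLoggedIn", "Login", "Logout", "ValidateUser"):
        # suds stores the SOAPAction with its surrounding double quotes
        methods[name] = _Obj(location=endpoint,
                             soap=_Obj(action='"%s%s"' % (tns, name)))
    port = _Obj(name="BasicHttpBinding_AuthenticationService", methods=methods)
    return _Obj(wsdl=_Obj(services=[_Obj(ports=[port])]),
                service=_Obj(IsLoggedIn=lambda: False))


if __name__ == "__main__":
    # usage: python suds_burp.py <wsdl-url> <method> [args...]
    import sys
    from suds.client import Client  # real client, needed only against a live service
    enable_wire_logging()
    client = Client(sys.argv[1], proxy=burp_proxy())
    for name, (action, where) in sorted(inventory(client).items()):
        print("%-14s %s -> %s" % (name, action, where))
    print(call(client, sys.argv[2], *sys.argv[3:]))
```

One thing the 2010-era session did not have to deal with: a current Python verifies TLS certificates, so when Burp is in the path the HTTPS call sees Burp's CA certificate and fails unless that CA is trusted by the transport. Import Burp's CA into the trust store the script uses rather than switching verification off globally.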

[Image: Burp Suite]

Nothing fancy, but it gets the job done.  Enjoy!
