Quick and Dirty Web Services Testing with Suds and Burp Suite

This is a really simple example of using the Python Suds library to consume and inspect SOAP web services, with integration into Burp Suite. I decided once upon a time that I didn't think SoapUI was efficient for what I needed when it came to testing web services and getting that data into Burp Suite, so I began searching for a simple Python library that could help me out. I will caveat that statement with: I always enjoy trying to write my own implementation of things, even if they aren't the best; it helps with my overall objective -> Learning!
Getting Soapy
https://fedorahosted.org/suds/ – "Suds is a lightweight SOAP python client for consuming Web Services". So I stumbled upon Suds, which I must say is incredibly easy to use. The best part about this library is that you can accomplish everything you want from the console, which is always a plus. (The transcript below is Python 2 with suds 0.4; on Python 3 the same calls work against a maintained fork such as the suds-community package, with print(client) in place of print client.) Alright, so in your Python console we want to import the Suds client and set up some logging so we can see each web service request and response as it goes out:
>>> from suds.client import Client
>>> import logging
>>> logging.basicConfig(level=logging.INFO)
>>> logging.getLogger('suds.client').setLevel(logging.DEBUG)
Now we need to set up some arguments for the suds client. We need two things: the location of the WSDL (the web service descriptor, usually the endpoint URL with ?wsdl appended) and the address of Burp Suite's proxy listener (localhost:8080 by default):
>>> url = "https://demowebservice/Auth.svc?wsdl"
>>> proxy = {}
>>> proxy['http'] = 'http://localhost:8080'
>>> proxy['https'] = 'https://localhost:8080'
Two notes on that proxy dict before moving on. The keys select which scheme gets proxied; the values are the proxy's own address. Burp's listener is a plain HTTP proxy that tunnels HTTPS with CONNECT, so http://localhost:8080 is the conventional value for both keys. The https:// value above happens to work because urllib2, which suds sits on, only uses the value's scheme to decide whether it needs to re-dispatch the request, but other HTTP stacks (requests/urllib3, for instance) would try to speak TLS to the listener and fail. Second, the client has to accept the certificate Burp forges for the target host: Python 2 before 2.7.9 did no certificate validation at all, which is why this just worked, whereas a current Python will refuse the connection until Burp's CA certificate is trusted or verification is switched off for the test.

Now the only thing we need to do is have our Suds client consume the WSDL with the arguments we set up and view the result.
>>> client = Client(url, proxy=proxy)
>>> print client

Suds ( https://fedorahosted.org/suds/ )  version: 0.4 GA  build: R699-20100913

Service ( AuthenticationService ) tns="http://asp.net/ApplicationServices/v200"
   Prefixes (1)
      ns0 = "http://schemas.microsoft.com/2003/10/Serialization/"
   Ports (1):
      (BasicHttpBinding_AuthenticationService)
         Methods (4):
            IsLoggedIn()
            Login(xs:string username, xs:string password, xs:string customCredential, xs:boolean isPersistent, )
            Logout()
            ValidateUser(xs:string username, xs:string password, xs:string customCredential, )
         Types (3):
            ns0:char
            ns0:duration
            ns0:guid

>>>
Alright, so all we have to do now is make sure Burp Suite is up and running, and call one of the methods provided to us in the web service.
>>> client.service.IsLoggedIn()
DEBUG:suds.client:sending to (https://demowebservice/Auth.svc)
message:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:ns0="http://asp.net/ApplicationServices/v200" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <ns1:Body>
      <ns0:IsLoggedIn/>
   </ns1:Body>
</SOAP-ENV:Envelope>
DEBUG:suds.client:headers = {'SOAPAction': u'"http://asp.net/ApplicationServices/v200/AuthenticationService/IsLoggedIn"', 'Content-Type': 'text/xml; charset=utf-8'}
DEBUG:suds.client:http succeeded:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedInResponse xmlns="http://asp.net/ApplicationServices/v200"><IsLoggedInResult>false</IsLoggedInResult></IsLoggedInResponse></s:Body></s:Envelope>
False
>>>
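The same round trip done by hand, as an added example that is not part of the original post and is not suds code: a Python 3 (3.8+) standard-library client that builds the envelope suds logged above, sets the same SOAPAction and Content-Type headers, routes both schemes through Burp, and pulls the result out of the response. It is useful when you want to see exactly what goes on the wire, or when suds is not available. The endpoint, namespaces, action format and the sample response are taken from the output above; the Burp address 127.0.0.1:8080, the ca_file parameter and the helper names are assumptions of this example.

```python
"""Hand-rolled SOAP 1.1 call through Burp, Python 3 standard library only (added example)."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Taken from the WSDL dump and the suds debug output above.
ENDPOINT = "https://demowebservice/Auth.svc"
TNS = "http://asp.net/ApplicationServices/v200"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "AuthenticationService"
# Assumption: Burp's proxy listener on its default address.
BURP = "http://127.0.0.1:8080"

# Constructed sample: the response envelope suds logged for IsLoggedIn().
SAMPLE_RESPONSE = (
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<IsLoggedInResponse xmlns="http://asp.net/ApplicationServices/v200">'
    b'<IsLoggedInResult>false</IsLoggedInResult></IsLoggedInResponse>'
    b'</s:Body></s:Envelope>'
)

ET.register_namespace("SOAP-ENV", SOAP_ENV)
ET.register_namespace("tns", TNS)


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.split("}", 1)[-1]


def build_envelope(method, params=None):
    """SOAP 1.1 envelope for one operation; pass params in WSDL order (WCF is strict about it)."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{TNS}}}{method}")
    for name, value in (params or {}).items():
        child = ET.SubElement(op, f"{{{TNS}}}{name}")
        # xs:boolean is serialised as true/false, not Python's True/False
        child.text = str(value).lower() if isinstance(value, bool) else str(value)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def soap_action(method):
    """BasicHttpBinding action URI in the shape suds logged: tns/Service/Operation, quoted."""
    return f'"{TNS}/{SERVICE}/{method}"'


def operation_of(envelope):
    """Inverse of build_envelope: (operation name, {param: text}) from the Body's first child."""
    body = ET.fromstring(envelope).find(f"{{{SOAP_ENV}}}Body")
    op = body[0]
    return _local(op.tag), {_local(c.tag): (c.text or "") for c in op}


def parse_result(method, response):
    """Return <MethodResult> from a response envelope, mapping xs:boolean to bool; raise on a Fault."""
    root = ET.fromstring(response)
    node = root.find(f".//{{{TNS}}}{method}Result")
    if node is None:
        fault = root.find(f".//{{{SOAP_ENV}}}Fault")
        detail = " ".join("".join(fault.itertext()).split()) if fault is not None else "no result element"
        raise RuntimeError(f"{method} failed: {detail}")
    text = node.text or ""
    return text == "true" if text in ("true", "false") else text


def burp_opener(proxy=BURP, ca_file=None):
    """urllib opener that routes both http and https through Burp.

    The proxy URL is http:// for both keys: Burp's listener is a plaintext proxy and
    HTTPS is tunnelled through it with CONNECT. Pass Burp's exported CA certificate as
    ca_file to keep verification on; with ca_file=None the forged certificate is accepted
    unverified, which is acceptable only for a test setup like this one.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
    )


def call(method, params=None, opener=None):
    """POST the envelope with the headers suds used and decode the result."""
    req = urllib.request.Request(
        ENDPOINT,
        data=build_envelope(method, params),
        method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": soap_action(method)},
    )
    with (opener or burp_opener()).open(req, timeout=15) as resp:
        return parse_result(method, resp.read())


if __name__ == "__main__":
    print(build_envelope("IsLoggedIn").decode())
    try:
        print(call("IsLoggedIn"))  # needs Burp listening and the endpoint reachable
    except OSError as exc:
        print("request failed:", exc)
```

Because the envelope is built from the operation name and a parameter dict, fuzzing a field from Intruder is a matter of sending one request through and working from the captured copy; operation_of() is there to confirm what actually went out before you hand it to Burp.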
Nothing fancy, but it gets the job done. Enjoy!
