wsdler's Introduction

Wsdler

WSDL Parser extension for Burp

How to Run

  1. Download and install from the Burp App store.

  2. Right-click on a WSDL request and select Parse WSDL.

  3. The Wsdler tab should populate with the SOAP requests.

(Older) Blog detailing how to use the Wsdler Plugin:

https://blog.netspi.com/hacking-web-services-with-burp/

How To Compile

I used IntelliJ to compile this plugin. However, Eclipse should work too.

  1. Clone the repo and open the folder as a project in IntelliJ/Eclipse.
  2. Maven is used to retrieve dependencies, so import the pom.xml into Maven. For IntelliJ, this should happen automatically. You can see the dependencies by clicking the vertically aligned Maven Projects tab on the right side of the window.
  3. You should now be able to compile the plugin. Make sure that a jar file gets created when you build. In IntelliJ, select File > Project Structure > Artifacts > Plus Sign > Jar > From modules with dependencies > OK and check the Build on make checkbox. That should be it. Again, the process should be similar in Eclipse.

wsdler's People

Contributors

egru


wsdler's Issues

SSL Redirect

An error occurs when importing schema content from the wsdl that redirects from http to https.

SSL Ciphers

An error occurs when a server requires specific SSL ciphers.

Squeezed text in Wsdler tab

The text is too large for the display area of the Wsdler tab on my Burp instance. I think this is because I have made Burp's default font larger than default and Wsdler uses fixed height entries for this view? I'm not sure. Here's an example of the output:

2017-08-24-103557_3200x758_scrot

Fails (HTTP 401) if Basic Authentication required to access URLs in XSD

Below is the stack trace obtained from the verbose version of Wsdler

Get Error: Can’t parse WSDL.
java.exe -jar c:\Software\Sectools\burpsuite_pro_v1.6.39.jar
org.reficio.ws.SoapBuilderException: WSDLException (at /definitions/types/xsd:schema[2]): faultCode=OTHER_ERROR: An error occurred trying to resolve schema referenced at 'https://XXX:7012/CASSupplierWS-WebService-context-root/SupplierServicePort?xsd=1', relative to 'file:/C:/Users/XXX/AppData/Local/Temp/temp9084373454376035251.wsdl'.: java.io.IOException: Server returned HTTP response code: 401 for URL: https://XXX:7012/CASSupplierWS-WebService-context-root/SupplierServicePort?xsd=1
at org.reficio.ws.builder.core.Wsdl.<init>(Wsdl.java:52)
at org.reficio.ws.builder.core.Wsdl.parse(Wsdl.java:64)
at burp.WSDLParser.parseWSDL(WSDLParser.java:75)
at burp.Worker.doInBackground(Menu.java:101)
at burp.Worker.doInBackground(Menu.java:74)
at javax.swing.SwingWorker$1.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at javax.swing.SwingWorker.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.wsdl.WSDLException: WSDLException (at /definitions/types/xsd:schema[2]): faultCode=OTHER_ERROR: An error occurred trying to resolve schema referenced at 'https://XXX:7012/CASSupplierWS-WebService-context-root/SupplierServicePort?xsd=1', relative to 'file:/C:/Users/XXX/AppData/Local/Temp/temp9084373454376035251.wsdl'.: java.io.IOException: Server returned HTTP response code: 401 for URL: https://XXX:7012/CASSupplierWS-WebService-context-root/SupplierServicePort?xsd=1
at com.ibm.wsdl.xml.WSDLReaderImpl.parseSchema(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.parseSchema(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.parseTypes(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.parseDefinitions(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at org.reficio.ws.legacy.SoapMessageBuilder.<init>(SoapMessageBuilder.java:98)
at org.reficio.ws.legacy.SoapLegacyFacade.<init>(SoapLegacyFacade.java:47)
at org.reficio.ws.builder.core.Wsdl.<init>(Wsdl.java:50)
... 10 more
Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: https://XXX:7012/CASSupplierWS-WebService-context-root/SupplierServicePort?xsd=1
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at com.ibm.wsdl.util.StringUtils.getContentAsInputStream(Unknown Source)
... 22 more

Broken parsing - wrong host

Hi there,

I've encountered it several times already that the hostname and port where requests are sent to are wrong. In my current example this leads to a fully unusable extension. After parsing the WSDL, it will fetch the XSD from the server. The XSD has a reference:

<xsd:import namespace="http://www.w3.org/2005/05/xmlmime"

However, the extension then fetches /2005/05/xmlmime from the server where the WSDL is located instead of www.w3.org. Of course that results in a 403 HTML response and then the parser fails with:

WSDLException (at /wsdl:definitions/wsdl:types/xsd:schema/xsd:schema): faultCode=PARSER_ERROR: Problem parsing 'http://www.w3.org/2005/05/xmlmime'.: org.xml.sax.SAXParseException: The element type "meta" must be terminated by the matching end-tag "</meta>".

Looks like the parsing logic here is wrong:

String host = getHost(builder.getServiceUrls().get(0));

Workaround:

Had to proxy Burp through Burp and intercept HTTP responses, then simply replace the 404 status code with 200 and paste the XML response of view-source:https://www.w3.org/2005/05/xmlmime
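
The following is an added example, not part of the issue above and not Wsdler's own code: it shows one way to take the scheme, host and port for a schema fetch from the import reference itself, resolved against the document that contains it, so that an absolute reference such as http://www.w3.org/2005/05/xmlmime is never sent to the WSDL's server. The class and method names and the WSDL URL are hypothetical; it needs Java 16 or later for the record type.

```java
import java.net.URI;

/** Added illustration; class and method names are hypothetical, not Wsdler's. */
public class ImportTargetDemo {

    /** Where a request for the import has to be sent, and what to ask for. */
    record Endpoint(String scheme, String host, int port, String pathAndQuery) {}

    /**
     * Resolve an import reference against the document that contains it (RFC 3986).
     * An absolute reference keeps its own authority; a relative one inherits the base's.
     */
    static URI resolveImport(URI containingDocument, String reference) {
        return containingDocument.resolve(reference.trim());
    }

    /** Derive the connection target from the resolved URL, not from the first service URL. */
    static Endpoint endpointFor(URI target) {
        String scheme = target.getScheme() == null ? "" : target.getScheme().toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("not an http(s) URL: " + target);
        }
        if (target.getHost() == null) {
            throw new IllegalArgumentException("no host in: " + target);
        }
        int port = target.getPort();
        if (port == -1) {
            port = scheme.equals("https") ? 443 : 80; // default port for the scheme
        }
        String path = target.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        if (target.getRawQuery() != null) {
            path += "?" + target.getRawQuery();
        }
        return new Endpoint(scheme, target.getHost(), port, path);
    }

    public static void main(String[] args) {
        // Constructed sample input: a WSDL location and three import references.
        URI wsdl = URI.create("https://ws.example.test:7012/app/ServicePort?wsdl");
        String[] references = {
            "http://www.w3.org/2005/05/xmlmime", // absolute: different host, plain HTTP
            "ServicePort?xsd=1",                 // relative: stays on the WSDL host
            "/schemas/common.xsd",               // host-relative path
        };
        for (String ref : references) {
            Endpoint e = endpointFor(resolveImport(wsdl, ref));
            System.out.printf("%-36s -> %s://%s:%d%s%n",
                    ref, e.scheme(), e.host(), e.port(), e.pathAndQuery());
        }
    }
}
```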

Add support for variables

When WSDL is parsed, it's rarely populated with proper data. If there could be support for rewriting data, e.g. to populate <username></username> tags with a specific value, like test, and then apply it to all the requests, it would be perfect :) Usually such tags are shared by multiple requests.

BApp was revoked

I've been attempting to install this BApp but I'm getting a "BApp was revoked" message and I can no longer install Wsdler. Will it be coming back to the BApp store?

Thanks.

Compiling using Maven alone does not work

I don't want to use Eclipse or IntelliJ to compile Java applications. I typically use

mvn clean compile package

to build things. This resulted in a "BUILD SUCCESS"

[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ wsdler ---
[INFO] Building jar: /Users/vanderaj/src/Wsdler/target/wsdler-2.0-SNAPSHOT.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 11.953 s
[INFO] Finished at: 2015-05-12T11:14:32+10:00
[INFO] Final Memory: 22M/157M
[INFO] ------------------------------------------------------------------------

This produced a .jar file that didn't contain the SOAP-WS SoapBuilder classes, so I think dependencies are somehow missing in this build.

Here's the contents of the resulting jar file:

jar tvf wsdler-2.0-SNAPSHOT.jar
0 Tue May 12 11:14:34 EST 2015 META-INF/
133 Tue May 12 11:14:32 EST 2015 META-INF/MANIFEST.MF
0 Tue May 12 11:14:32 EST 2015 burp/
0 Tue May 12 11:14:30 EST 2015 org/
0 Tue May 12 11:14:30 EST 2015 org/reficio/
0 Tue May 12 11:14:32 EST 2015 org/reficio/ws/
0 Tue May 12 11:14:32 EST 2015 org/reficio/ws/annotation/
0 Tue May 12 11:14:32 EST 2015 org/reficio/ws/common/
0 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/
0 Tue May 12 11:14:30 EST 2015 xsds/
695 Tue May 12 11:14:32 EST 2015 burp/BurpExtender.class
888 Tue May 12 11:14:32 EST 2015 burp/ButtonTabComponent$1.class
962 Tue May 12 11:14:32 EST 2015 burp/ButtonTabComponent$2.class
2819 Tue May 12 11:14:32 EST 2015 burp/ButtonTabComponent$TabButton.class
1673 Tue May 12 11:14:32 EST 2015 burp/ButtonTabComponent.class
2898 Tue May 12 11:14:32 EST 2015 burp/EachRowEditor.class
183 Tue May 12 11:14:32 EST 2015 burp/IBurpExtender.class
6230 Tue May 12 11:14:32 EST 2015 burp/IBurpExtenderCallbacks.class
295 Tue May 12 11:14:32 EST 2015 burp/IContextMenuFactory.class
995 Tue May 12 11:14:32 EST 2015 burp/IContextMenuInvocation.class
225 Tue May 12 11:14:32 EST 2015 burp/ICookie.class
1317 Tue May 12 11:14:32 EST 2015 burp/IExtensionHelpers.class
166 Tue May 12 11:14:32 EST 2015 burp/IExtensionStateListener.class
176 Tue May 12 11:14:32 EST 2015 burp/IHttpListener.class
461 Tue May 12 11:14:32 EST 2015 burp/IHttpRequestResponse.class
293 Tue May 12 11:14:32 EST 2015 burp/IHttpRequestResponsePersisted.class
312 Tue May 12 11:14:32 EST 2015 burp/IHttpRequestResponseWithMarkers.class
197 Tue May 12 11:14:32 EST 2015 burp/IHttpService.class
752 Tue May 12 11:14:32 EST 2015 burp/IInterceptedProxyMessage.class
201 Tue May 12 11:14:32 EST 2015 burp/IIntruderAttack.class
224 Tue May 12 11:14:32 EST 2015 burp/IIntruderPayloadGenerator.class
287 Tue May 12 11:14:32 EST 2015 burp/IIntruderPayloadGeneratorFactory.class
224 Tue May 12 11:14:32 EST 2015 burp/IIntruderPayloadProcessor.class
280 Tue May 12 11:14:32 EST 2015 burp/IMenuItemHandler.class
280 Tue May 12 11:14:32 EST 2015 burp/IMessageEditor.class
233 Tue May 12 11:14:32 EST 2015 burp/IMessageEditorController.class
357 Tue May 12 11:14:32 EST 2015 burp/IMessageEditorTab.class
223 Tue May 12 11:14:32 EST 2015 burp/IMessageEditorTabFactory.class
558 Tue May 12 11:14:32 EST 2015 burp/IParameter.class
182 Tue May 12 11:14:32 EST 2015 burp/IProxyListener.class
745 Tue May 12 11:14:32 EST 2015 burp/IRequestInfo.class
422 Tue May 12 11:14:32 EST 2015 burp/IResponseInfo.class
491 Tue May 12 11:14:32 EST 2015 burp/IScanIssue.class
552 Tue May 12 11:14:32 EST 2015 burp/IScannerCheck.class
929 Tue May 12 11:14:32 EST 2015 burp/IScannerInsertionPoint.class
322 Tue May 12 11:14:32 EST 2015 burp/IScannerInsertionPointProvider.class
164 Tue May 12 11:14:32 EST 2015 burp/IScannerListener.class
347 Tue May 12 11:14:32 EST 2015 burp/IScanQueueItem.class
155 Tue May 12 11:14:32 EST 2015 burp/IScopeChangeListener.class
262 Tue May 12 11:14:32 EST 2015 burp/ISessionHandlingAction.class
191 Tue May 12 11:14:32 EST 2015 burp/ITab.class
238 Tue May 12 11:14:32 EST 2015 burp/ITempFile.class
383 Tue May 12 11:14:32 EST 2015 burp/ITextEditor.class
1722 Tue May 12 11:14:32 EST 2015 burp/Menu$1.class
1917 Tue May 12 11:14:32 EST 2015 burp/Menu.class
759 Tue May 12 11:14:32 EST 2015 burp/Worker$1.class
3020 Tue May 12 11:14:32 EST 2015 burp/Worker.class
902 Tue May 12 11:14:32 EST 2015 burp/WSDLEntry.class
7951 Tue May 12 11:14:32 EST 2015 burp/WSDLParser.class
1393 Tue May 12 11:14:32 EST 2015 burp/WSDLParserTab.class
1637 Tue May 12 11:14:32 EST 2015 burp/WSDLTab$WSDLTable.class
4669 Tue May 12 11:14:32 EST 2015 burp/WSDLTab.class
435 Tue May 12 11:14:32 EST 2015 org/reficio/ws/annotation/ThreadSafe.class
1371 Tue May 12 11:14:32 EST 2015 org/reficio/ws/common/FileWriter.class
231 Tue May 12 11:14:32 EST 2015 org/reficio/ws/common/ResourceUtils$1.class
728 Tue May 12 11:14:32 EST 2015 org/reficio/ws/common/ResourceUtils$Path.class
5222 Tue May 12 11:14:32 EST 2015 org/reficio/ws/common/ResourceUtils.class
2213 Tue May 12 11:14:32 EST 2015 org/reficio/ws/common/SimpleValuesProvider.class
9432 Tue May 12 11:14:32 EST 2015 org/reficio/ws/common/Wsdl11Writer.class
7261 Tue May 12 11:14:32 EST 2015 org/reficio/ws/common/XmlUtils.class
4141 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/AbstractSoapVersion.class
1221 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/Constants.class
341 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/DefinitionLoader.class
29237 Tue May 12 11:14:30 EST 2015 org/reficio/ws/legacy/SampleXmlUtil.class
2857 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/SchemaDefinitionWrapper.class
329 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/SchemaLoader.class
16835 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/SchemaUtils.class
1162 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/SoapLegacyFacade$Soap.class
6900 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/SoapLegacyFacade.class
19796 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/SoapMessageBuilder.class
1182 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/SoapVersion$Utils.class
1505 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/SoapVersion.class
4949 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/SoapVersion11.class
4808 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/SoapVersion12.class
1570 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/UrlSchemaLoader.class
1275 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/WsdlContext.class
2131 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/WsdlSettings.class
890 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/WsdlUtils$Soap11Header.class
902 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/WsdlUtils$Soap12Header.class
307 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/WsdlUtils$SoapHeader.class
15473 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/WsdlUtils.class
18844 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/WsdlValidator.class
991 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/XmlUtils$ElementNodeList.class
13919 Tue May 12 11:14:32 EST 2015 org/reficio/ws/legacy/XmlUtils.class
743 Tue May 12 11:14:32 EST 2015 org/reficio/ws/SoapBuilderException.class
2020 Tue May 12 11:14:32 EST 2015 org/reficio/ws/SoapContext$ContextBuilder.class
2452 Tue May 12 11:14:32 EST 2015 org/reficio/ws/SoapContext.class
718 Tue May 12 11:14:32 EST 2015 org/reficio/ws/SoapException.class
301 Tue May 12 11:14:30 EST 2015 org/reficio/ws/SoapMultiValuesProvider.class
1218 Tue May 12 11:14:32 EST 2015 org/reficio/ws/SoapValidationException.class
759 Tue May 12 11:14:30 EST 2015 xsds/license.txt
16935 Tue May 12 11:14:30 EST 2015 xsds/soapEncoding.xsd
17141 Tue May 12 11:14:30 EST 2015 xsds/soapEncoding12.xsd
6128 Tue May 12 11:14:30 EST 2015 xsds/soapEnvelope.xsd
5751 Tue May 12 11:14:30 EST 2015 xsds/soapEnvelope12.xsd
3983 Tue May 12 11:14:30 EST 2015 xsds/swaref.xsd
1428 Tue May 12 11:14:30 EST 2015 xsds/xmime200411.xsd
1606 Tue May 12 11:14:30 EST 2015 xsds/xmime200505.xsd
5835 Tue May 12 11:14:30 EST 2015 xsds/xml.xsd
86609 Tue May 12 11:14:30 EST 2015 xsds/XMLSchema.xsd
480 Tue May 12 11:14:30 EST 2015 xsds/xop.xsd
0 Tue May 12 11:14:34 EST 2015 META-INF/maven/
0 Tue May 12 11:14:34 EST 2015 META-INF/maven/com.netspi.wsdler/
0 Tue May 12 11:14:34 EST 2015 META-INF/maven/com.netspi.wsdler/wsdler/
1178 Mon May 11 17:34:40 EST 2015 META-INF/maven/com.netspi.wsdler/wsdler/pom.xml
115 Tue May 12 11:14:32 EST 2015 META-INF/maven/com.netspi.wsdler/wsdler/pom.properties

Here's an excerpt of a stack trace from within Burp when I click on a request and try to Parse WSDL.

java.lang.NoClassDefFoundError: org/reficio/ws/builder/SoapOperation
at burp.Menu$1.mousePressed(Menu.java:39)
at java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:280)
at java.awt.Component.processMouseEvent(Component.java:6522)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3321)
at java.awt.Component.processEvent(Component.java:6290)
at java.awt.Container.processEvent(Container.java:2234)
at java.awt.Component.dispatchEventImpl(Component.java:4881)
at java.awt.Container.dispatchEventImpl(Container.java:2292)
at java.awt.Component.dispatchEvent(Component.java:4703)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4898)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4530)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4462)
at java.awt.Container.dispatchEventImpl(Container.java:2278)
at java.awt.Window.dispatchEventImpl(Window.java:2739)
at java.awt.Component.dispatchEvent(Component.java:4703)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:746)
at java.awt.EventQueue.access$400(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:697)
at java.awt.EventQueue$3.run(EventQueue.java:691)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:75)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:86)
at java.awt.EventQueue$4.run(EventQueue.java:719)
at java.awt.EventQueue$4.run(EventQueue.java:717)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:75)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:716)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
Caused by: java.lang.ClassNotFoundException: org.reficio.ws.builder.SoapOperation
at java.net.URLClassLoader$1.run(URLClassLoader.java:372)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:360)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 33 more

Thoughts?
