NetSPI Blog

Hacking Web Services with Burp

Eric Gruber
March 5th, 2013

WSDL (Web Services Description Language) files are XML formatted descriptions about the operations of web services between clients and servers. They contain possible requests along with the parameters an application uses to communicate with a web service. This is great for penetration testers because we can test and manipulate web services all we want using the information from WSDL files. One of the best tools to use for working with HTTP requests and responses for applications is Burp. The only downside with Burp is that it does not natively support parsing of WSDL files into requests that can be sent to a web service. A common work around has been to use a tool such as Soap-UI and proxy the requests to Burp for further manipulation. I’ve written a plugin for Burp that takes a WSDL request and parses out the operations that are associated with the targeted web service and creates SOAP requests which can then be sent to a web service. This plugin builds upon the work done by Tom Bujok and his soap-ws project which is essentially the WSDL parsing portion of Soap-UI without the UI.

The Wsdler plugin along with all the source is located at the Github repository here: https://github.com/NetSPI/Wsdler.

Wsdler Requirements

  1. Burp 1.5.01 or later
  2. Must be run from the command line

Starting Wsdler

The command to start Burp with the Wsdler plugin is as follows:
java -classpath Wsdler.jar;burp.jar burp.StartBurp

Sample Usage

Here we will intercept the request for a WSDL file belonging to an online store in Burp.

After the request for the WSDL has been intercepted, right click on the request and select Parse WSDL.

 

A new Wsdler tab will open with the parsed operations for the WSDL, along with the bindings and ports for each of the operations. Operations are synonymous with the requests that the application supports. There are two operations in this WSDL file, OrderItem and CheckStatus. Each of these operations has two bindings, for simplicity’s sake, bindings describe the format and protocol for each of the operations. The bindings for both of the operations are InstantOrderSoap and InstantOrderSoap12. The reason there are two bindings for each of the operations is because the WSDL file supports the creation of SOAP 1.1 and 1.2 requests. Finally, the ”Port” for each of the operations is essentially just the URL the request will be sent to. The full specification for each of the Objects in WSDL files can be read here: http://www.w3.org/TR/wsdl.

 

The SOAP requests for the operations will be in the lower part of the Burp window. The parsing functionality will also automatically fill in the data type for each of the parameters in the WSDL operation. In this example, strings are filled in with parts of the Aeneid and integers are filled in with numbers.

The request that Wsdler creates is a standard Burp request, so it can be sent to any other Burp function that accepts requests (intruder, repeater, etc.).

Here the request is sent to intruder for further testing. Because the request is XML, Burp automatically identifies the parameters for intruder to use.

 Conclusion

Currently, the plugin only supports WSDL specification 1.1, but there is work on supporting 1.2 / 2.0. Also, I will be adding the option to specify your own strings and integers when the plugin automatically fills in the appropriate data type for each of the parameters in the parsed operations. If there are any bugs or features that you would like to see added, send me an email or create a ticket on Github.

38
Leave a Reply

avatar
23 Comment threads
15 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
3 Comment authors
NikhilJustinJonigSam Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest
Notify of
Anonymous
Guest
Anonymous

Using free burp edition 1.5, JRE 1.7 and Windows 7 64bit. Downloaded Wsdler from https://github.com/NetSPI/Wsdler/archive/master.zip. Burp starts with above given cmd but without the ‘WSDLer’ option. Alert section displays several errors, most with “BurpExtender class do not implement method..”. One Exception: Exception thrown by BurpExtenderCallbacks(): java.lang.AbstractMethodError: burp.x4.getHelpers()Lburp/IExtensionHelpers; Kindly Suggest.

Raja Mukherjee
Guest
Raja Mukherjee

How the plugin “Wsdler.jar” can be downloaded from the website. The executable link is giving no reference to download it. After downloading the file, where we have to store it. Please help me in shorting out these queries.

Bhaumik
Guest
Bhaumik

There was an issue in the downloaded Wsdler.jar. Now after downloading again, once I write the command, the burp is not poping up and not even any error displayed at prompt. I dont know how to proceed.

Bhaumik
Guest
Bhaumik

Hi, I followed the same steps. After running the following command java -classpath Wsdler.jar;burp.jar burp.StartBurp I can see the Burp but when I intercepted the requests and right click on it there is no options called Parse WSDL. i kept my Burp pro 1.5.07 and wsdlr.jar in same folder.

Arvind
Guest
Arvind

Thanks…hopefully no more chaining SoapUI to Burp then 🙂

Steve
Guest
Steve

This looks fantastic – thanks. For some reason when I run it I get the following error on Ubuntu, which is probably my own doing, but I can’t figure it out and would appreciate any help possible: burp.jar: command not found Both .jar files are in the same folder, and it seems that no matter what comes after the ; can’t be found. Thanks

Raja Mukherjee
Guest
Raja Mukherjee

Hi Eric, Thanks for your inputs again. Could you please give step by step approach to install the plugin and also how to use the tool. Thanks and Regards Raja Mukherjee 09552052335

Bhaumik
Guest
Bhaumik

Hi Eric, I downloaded the plugin from https://github.com/NetSPI/Wsdler/archive/master.zip location. And I have burp version burpsuite_free_v1.5. And kept Burp & WSDL.jar in same folder. I entered below command D:\Burp>java -classpath Wsdler.jar;burpsuite_free_v1.5.jar burp.StartBurp. But After that nothing happens. Burp is not starting. And if I remove the Wsdl.jar from command then Burp is getting loading. Please suggest.

Mehran
Guest
Mehran

How can i run on BackTrack ?

BG
Guest
BG

You can also “Add” the Wsdler.jar file directly into burp under the “Extender” tab. This works on Kali Linux running Burp Suite Pro 1.5.14. Great extension Eric Thank you.

Pittman
Guest
Pittman

I got the extension to load this way as well. Intercepting the request for a WSDL and selecting the Parse WSDL option creates a subtab in the Wsdler tab, however, there is nothing inside the subtab.

I’m testing this by trying to pull down the Amazon S3 WSDL: http://s3.amazonaws.com/doc/2006-03-01/AmazonS3.wsdl

will
Guest
will

Nice work. This is very helpful!

Jack
Guest
Jack

So you “java -classpath Wsdler.jar;burp.jar burp.StartBurp” returns a “Error: Could not find or load main class burpsuite_pro_v1.5.08.jar”, but if you add the -jar to the command, aka “java -classpath Wsdler.jar; -jar burp.jar burp.StartBurp”, then burp runs without any problems. Except it doesn’t have the Parse Wsld button when you right click. Hmmmm… I’m not sure what I’m doing wrong

Jack
Guest
Jack

So I figured out my problem. I was getting the error: “could not find or load main class” because I had a space after the semi-colon. For the command: “java -classpath Wsdler.jar;burp.jar burp.StartBurp”, you cannot have a space between the Wsdler.jar;burp.jar. It all must be one concatenated chunk of characters.

BC
Guest
BC

So I downloaded the plugin from https://github.com/NetSPI/Wsdler/archive/master.zip. It looks like it’s correct size.

I tried adding it through the Extender, but as you have explained it doesn’t work this way.

After adding it to Burp with: java -classpath ./Wsdler.jar:./burp.jar burp.StartBurp. the Wsdler appears, but when I click “Parse WSDL” and go to the Wsdler tab, nothing appears there. Any ideas ?

Raja Mukherjee
Guest
Raja Mukherjee

I am unable to download the .jar file. I want to know the exact link where from I can download the file and the respective jar file.

Please share the same over my email. The link that is mentioned in the email is not working properly and there are many jar file in the SRC folder.

So please help me out to star the testing with BURP

Raja Mukherjee
Guest
Raja Mukherjee

I have downloaded the file : – Wsdler-master on the desktop. I have copied the file :- wsdler.jar from the executable folder that is present inside the Wsdler-master folder and then paste it inside the Burp folder. I ran the command that is java -classpath Wsdler.jar;burp.jar burp.StartBurp from the command prompt in windows OS. The burp interface gets open. But When i fired the webservice request and captured in the proxy tool, I am unable to view the plugin “parse wsdl” in the right click option. The above process that I have stated is correct way of testing or it… Read more »

Raja Mukherjee
Guest
Raja Mukherjee

Hi,

I have downloaded the file of Wsdler.jar and copied in the folder of burp. But when I run the command from the terminal that you have mentioned in your portal, Burp opens but the Wsdler.Jar file does not opens. I am using the free version of Burp. Is there and limitation with free version.

If not then please mail me the steps to test it.

Its urgent

dduck
Guest
dduck

For Debian/Ubuntu, once and for all:
1. Download wsdler and burpsuite
2. put them in one folder
3. open console and type:
$ java -classpath Wsdler.jar:burp.jar burp.StartBurp

I have no idea why it’s called ‘legacy’ and why it doesn’t work when I try to import Wsdler as an extension. Any ideas?

ruediger
Guest
ruediger

I’m getting extreme high CPU-load when using Parse WSDL via context menu. my whole machine locks up, until i kill burp. im on linux 64bit, java 7. The extension worked fine one day. next day i can’t get it to work again.
i start it via:
java -classpath “Wsdler.jar:burpsuite_pro_v1.6.01.jar” burp.StartBurp

any ideas?

Sam
Guest
Sam

I am running on Windows 7 64-bit, Java 7 update 67 32-bit, latest version of BurpSuite Pro.

java -classpath Wsdler.jar;burpsuite_pro_v1.6.05.jar burp.StartBurp

No errors in the cmd window, but when I right click on a request for a WSDL in Burp the option does not appear. Any suggestions?

Jon
Guest
Jon

Sam, it worked for me to just start Burp 1.6.05 normally, then add the Wsdler.jar in the ‘Extender’ tab.

ig
Guest
ig

Same here, trying with burpsuite_pro_v1.5.11.jar, burpsuite_pro_v1.6.01.jar, burpsuite_pro_v1.6.05.jar, no success with command:
java -classpath Wsdler.jar;burpsuite_pro_v1.6.05.jar burp.StartBurp
nor
java -classpath “Wsdler.jar;burpsuite_pro_v1.6.05.jar” burp.StartBurp

Burp starts, but no WSDL option i ncontext menu.
Win 8.1 Pro 64-bit, Java build 1.7.0_65-b20

Justin
Guest
Justin

Hi Eric,

I just wanted to thank you for making such a helpful tool. I’m new to the arena of web services but have measurable experience with web applications, so this is really lessening the learning curve. I’ve had this running by following your instructions on both 64bit Doze 7 and 64bit Kali, but I did experience some oddities on Windows. This is likely some strange configuration I’ve made in the past.

It worked like a charm in Kali using the following command:

java -classpath Wsdler.jar:burp.jar burp.StartBurp

Nikhil
Guest
Nikhil

Got the wsdler from Bapp store, but on clicking “Parse the WSDL”, getting Error : Can’t Parse WSDL.

Nothing on wsdler tab, no output or error in Extender’s wsdler screen.
Burp: v1.6.22 Pro
Java: 1.7.0_75
Win 7 enterprise

Any leads or ways to troubleshoot this ?

Nikhil
Guest
Nikhil

Already running burp via cmdline with lots of memory, but nothing on command line

java.exe -XX:MaxPermSize=2G -jar burpsuite_pro_v1.6.22.jar