Yalçın YOLALAN edited this page Sep 27, 2018 · 1 revision

USAGE OF WSSAT

1) Scanning SOAP Web Service(s)

• Click the “Select WSDL List File” button and select the WSDL list file. WSDL list file contains WSDL urls and basic authentication username and password separated with "|" symbol.
"#" symbol indicates comment out the line.

Sample WSDL File:

Sample WSDL List File

File Selection Screen:

WSSAT - First Screen

• Click the “Scan SOAP Service(s)” button to starts the scan process. By default, both static, dynamic and information disclosure scan check boxes are selected but the user could change selection according to his/her preference.

Custom SOAP Tag(s) Entry Screen:

WSSAT - SOAP Tag Entry

• Custom SOAP Header tags such as session token can be added from this screen. These tags will be included to each SOAP request.

2) Scanning REST API

• Click the “Scan REST Service” button to enter REST API information from the screen below:

WSSAT - Rest API Scan

  • URL: Enter API url. Replace parameter values with $int$, $string$, $double$, $decimal$, $bool$ that you want to attack.
    Ex: http://[yourhostname]/$int$/test/$string$/?param=$double$&&param2=$bool$
  • Method: Select HTTP request method from dropdown (GET, POST, PUT, DELETE).
  • Post Data: Enter Post Data if exists.
    Ex:
    { "Id":$int$,
    "Name":$string$,
    "Age":$int$,
    "Cars":[ $string$, $string$, $string$ ]
    }
    Note that all parameter values must be replaced with $int$, $string$, $double$, $decimal$, $bool$.
  • Try To Format JSON Post Data: Click this button to replace parameter values with $int$, $string$, $double$, $decimal$, $bool$.
    Ex: This JSON string
    {
    "Id":123,
    "Name":"John",
    "Age":35,
    "Cars":[ "Ford", "Toyota", "Fiat" ]
    }
    will be automatically formatted to:
    {
    "Id":$int$,
    "Name":$string$,
    "Age":$int$,
    "Cars":[ $string$, $string$, $string$ ]
    }
  • Content Type: Select HTTP request content type from dropdown (application/json, multipart/form-data, ...).
  • Basic Authentication: Enter basic authentication username and password if exist.

3) Reporting & Logging

• When the scan finished, HTML report is generated and automatically launched on browser. If “Create XML Report” check box is selected, an XML report is generated as well. Find HTML and XML report files under "Working Dir.\Last Created Folder (i.e. 20180327170503 - "yyyyMMddHHmmss" format)\Report" directory.

• You can modify HTML report format by editing "Working Dir.\ReportTemplates\HTMLReportTemplate.html" file.

• If “Debug” check box is selected on WSSAT main screen, all requests and responses are logged into Logs folder. Find log and exception files under "Working Dir.\Last Created Folder (i.e. 20180327170503 - "yyyyMMddHHmmss" format)\Logs" directory.

Report Sample:

WSSAT - Sample Report

4) Vulnerability Management

• You can add, update or delete vulnerabilities by just editing XML files located under "WSSAT\WSSAT\XML" directory.

5) Customizing Request Headers

• Click the “Scan->Add Custom Request Header” menu item to customize User-Agent and enter optional custom request header item such as Cookie value from the screen below:

WSSAT - Add Custom Request Header

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.