NeuroFuzz has released WSFuzzer Version 1.5, a pen testing tool that audits HTTP-based SOAP targets.
The program currently targets Web Services and includes the following features:
- It attacks a Web service based on either a valid WSDL or a valid endpoint and namespace, or it can try to intelligently detect the WSDL for a given target.
- It gives you the ability to handle methods with multiple parameters. Each parameter is handled as a unique entity and can either be attacked or left alone.
- The fuzz generation (attack strings) consists of a combination of a dictionary file and some dynamic large injection patterns.
- It provides the option of using some IDS evasion techniques, which makes for a powerful security infrastructure (IDS/IPS) testing experience.
The creators warn that WSFuzzer is a dangerous tool. You can easily bring down your target if it is susceptible to any of the attack vectors generated and sent in, they say. They also stress that WSFuzzer should be used only on targets that have given you permission to pen test their Web services and applications.
Requirements to run WSFuzzer:
- A working version of Python
- A working version of SOAPpy
The program has been used successfully in Linux, Mac OS X and Windows (using ActiveState Python) environments.
For more information, visit http://www.neurofuzz.com/modules/software/wsfuzzer.php