
WSFuzzer / News: Recent posts

Version 1.9.5 of WSFuzzer is coming soon

It's been a while because we have been so busy with client projects. But version 1.9.5 has been in development for a while. It is in testing now and should be released very soon. For those of you kind enough to send me feature requests and such please reach out to me again so we ensure we don't miss anything.

Posted by Andres Andreu 2010-08-30

Version 1.9.4 of WSFuzzer is now GA

WSFuzzer 1.9.4 has been released. There are numerous changes and dependencies so please read the release notes and install doc. WSDL Support is greatly enhanced and there are new output forms as well as modified existing ones.

Many thx to Shelly Saunders, Cynthia Gonzalez, & Christopher Elias for QA testing services.

Also, many thx to Marc Heuse & Achim Hoffmann for feedback that led to new or enhanced functionality.

Posted by Andres Andreu 2008-12-27

LinkedIn Group

We have created a LinkedIn group for users of WSFuzzer. This way we can better inform you of developments and share ideas on SOAP pen testing, etc. Come join at: http://www.linkedin.com/e/gis/1192957

Posted by Andres Andreu 2008-11-08

WSFuzzer: Version 1.9.3 is out

WSFuzzer is a fuzzing penetration testing tool used against HTTP SOAP based web services. It tests numerous aspects (input validation, XML Parser, etc) of the SOAP target. It is only to be used against targets that have granted permission to be tested.

1.9.3 brings some new features to the existing set. See the release notes for the details. Most of the new features were inspired by suggestions from Paco Hope, many thx to him for that.

Posted by Andres Andreu 2008-07-21

Minor release 1.9.2.1 has been released

Version 1.9.2.1 has been released with some minor fixes in order to make some libs Python 2.5 compatible. Many thx to the folks over at HP for finding and resolving the issues.

One small new feature was added at the request of a friend over in the EU. You can now set a value in the HTTP Host header that is different than the actual socket endpoint.

Posted by Andres Andreu 2008-01-04

Version 1.9.2 is here

1.9.2 is out now with the following enhancements:

We have added support for the use of a proxy server. This is limited to HTTP for now, no HTTPS support yet. It's actually a limitation in the Py libs but we will plug away at it.

HTTP Response Status Codes and some very basic statistics have been added to the HTML output.

The option of using conf files to augment the traditional interactive mode has been introduced.

Posted by Andres Andreu 2007-06-18

Version 1.9.1 is out now

Version 1.9.1 introduces a new and improved handling of XML payloads in SOAP responses. Now the data you will see in the raw response text files will be more useful during your pen test analysis phases.

Posted by Andres Andreu 2007-04-16

Version 1.9 is here

1.9 has a small fix for dealing with HTTPS situations. But it has a large new feature that uses known good XML payloads for a given target. This is ideal for dealing with targets where automated solutions (such as .Net services) just won't work.

Enjoy ...

Posted by Andres Andreu 2007-04-11

Version 1.8.5 has been released

1.8.5 includes a small new feature where each response is written out to its own text file. This makes life easier when analyzing raw responses. Now you don't have to sift through entire response payloads if all you are after is the raw response.

This release also includes a small fix for when you are using local file WSDLs as opposed to live URL WSDLs.

Enjoy ...

Posted by Andres Andreu 2007-02-05

Version 1.8.4 is out now

Version 1.8.4 introduces support for X.509 client-side certs and HTTP Basic Auth.

Posted by Andres Andreu 2006-12-30

Version 1.8.3 is out

Under the hood version 1.8.3 is substantially different than previous versions. The major change comes in the form of the HTTP transport mechanism. WSFuzzer now uses its own XMLPost class as this mechanism as opposed to SOAPpy.

Another change has been implemented via the way the tarball is generated. Now the directory, with the version number included, is part of the tarball as opposed to just the files for WSFuzzer.

Posted by Andres Andreu 2006-12-11

Version 1.8.2 has been released

1.8.2 sports a new stopwatch feature so that each SOAP request/response round trip is measured. The measured time is then displayed in the resulting HTML.

Posted by Andres Andreu 2006-10-31

Version 1.8.1 has been released

Version 1.8.1 includes a new mode of attack called "simultaneous" where ALL chosen parameters are simultaneously injected with the given data set(s). This is different than the original "individual" mode where each parameter gets injected individually while the other chosen parameters are left alone.

Posted by Andres Andreu 2006-10-20

Version 1.8 is out

Version 1.8 of WSFuzzer includes some small bug fixes as well as some core restructuring. A new feature has been added by way of automated WSSE XML attacks. This is available if you choose the "automated fuzzing" option. One note on this option is that it will take a bit longer to generate the WSSE attack data due to its intensity and randomness so be patient and take a good look at the attack vectors it generates. - Enjoy

Posted by Andres Andreu 2006-09-21

Version 1.7 has been released

A few users reported mem errors when using the automated fuzzing. Admittedly the automated fuzzing functionality is somewhat aggressive so we toned down the area that seemed to be causing the errors. This wasn't happening to everyone and the change doesn't have a great negative impact on the fuzzing process.

Some automated XXE attacks were also added with version 1.7.

Please continue to provide us with feedback and suggestions as that will only make WSFuzzer better for the entire sec community.

Posted by Andres Andreu 2006-07-25

Version 1.6 has been released

Version 1.6 of WSFuzzer has been released. The new release is based on the integration of a simple TCP port scanner.

Posted by Andres Andreu 2006-06-14

Version 1.5.3 has been released

Version 1.5.3 of WSFuzzer has been released.

Posted by Andres Andreu 2006-06-05

Version 1.5.2 is out

Version 1.5.2 of WSFuzzer has been released.

Posted by Andres Andreu 2006-05-15

Version 1.5.1 is out

Version 1.5.1 was released 5/1/2006. It includes a couple of bug fixes and a change to the automated fuzzing process: it is now optional. This release also includes the introduction of some XML based attack vectors. This will be developed further with subsequent releases.

Posted by Andres Andreu 2006-05-02