Friday, November 14, 2008

[MoBP] SOAP parameter parsing

When you send a request to Intruder to perform custom automated attacks, it makes a guess at where you will want to place your attack payloads. By default, it places payload markers around the values of each URL and body parameter, and each cookie value. If you've ever tried to attack a SOAP request using Intruder, you'll know that this auto-placement doesn't help you very much.

In the new release, auto-placement also supports XML request bodies, and by default places payload markers around the values of each XML element and attribute. If you need to fuzz several SOAP requests, this is now a simple matter of sending each request to Intruder and starting an attack using the default payload positions.

The new support for parameters in XML request bodies is used elsewhere within the new release, including automated vulnerability scanning, of which more shortly.


antisnatchor said...

no REST ? :(:(

I think that soap sucks so much that I don't want to lose my time testing it ;) joke

Anonymous said...

Awesome -- I was hoping you would add this feature! What about support for popular AJAX libraries and JSON data?

PortSwigger said...

Do people see JSON being used much in requests, as opposed to responses? I haven't seen very much myself. But I'm inclined (at some point) to implement support for all these unusual formats, because of the big occasional benefit it would bring.

Anonymous said...

OK, maybe not JSON but definitely AJAX. Burp Scanner could also be given the capability to recognize AJAX and alter its fuzz points appropriately.