WSFuzzer 1.9.3

WSFuzzer is a fuzzing penetration testing tool used against HTTP SOAP based web services.
WSFuzzer is capable of testing numerous aspects (XML Parser, input validation, etc) of the SOAP target.
In the current version HTTP based SOAP services are the main target. This tool was created based on, and to automate, some real-world manual SOAP pen testing work.
WSFuzzer is NOT meant to be a replacement for solid manual human analysis. Please view WSFuzzer as a tool to augment analysis performed by competent and knowledgable professionals. Web Services are not trivial in nature so expertise in this area is a must for proper pen testing.
WARNING: WSFuzzer is only to be used against targets that have granted permission to be tested.

Main features:
- Pen tests an HTTP SOAP web service based on either valid WSDL, known good XML payload, or a valid endpoint & namespace.
- It can try to intelligently detect WSDL for a given target.
- Includes a simple TCP port scanner.
- WSFuzzer has the ability to Fuzz methods with multiple parameters. There are 2 modes of attack/fuzzing: "individual" and "simultaneous". Each parameter is either handled as a unique entity (individual mode), and can either be attacked or left alone, or multiple parameters are attacked simultaneously (hence the name - simultaneous mode) with a given data set.
- The fuzz generation (attack strings) consists of a combination of a dictionary file, some optional dynamic large injection patterns, and some optional method specific attacks including automated XXE and WSSE attack generation.
- The tool also provides the option of using some IDS Evasion techniques which makes for a powerful security infrastructure (IDS/IPS) testing experience.
- A time measurement of each round trip between request and response is now provided to potentially aid in results analysis.
- For any given program run the generated attack vectors are saved out to an xml file. The XML file is named XXX and is located in the same directory where the results HTML file is saved. A previously generated XML file of attack vectors can be utilized instead of the dictionary/automated combo. This is for the sake of repeatability when the same vectors need to be used over and over again.