yeah.. we wrote againt ws-attacker for analyze & studying; Big Data, XML SOAPAction, Mobile Service and Data Compression in Network Services on Mobile App Server/Front-End and Java Web Application.
Latest Changelog v1.8:
+ New Compression DoS Attack based on In the Compression Hornet’s Nest: A Security Study of Data Compression in Network Services”
+ removed .travis script (using default mvn command)
WS-Attacker is a modular framework for web services penetration testing. It is developed by the Chair of Network and Data Security, Ruhr University Bochum (http://nds.rub.de/ ) and the Hackmanit GmbH (http://hackmanit.de/ ).
The basic idea behind WS-Attacker is to provide a functionality to load WSDL files and send SOAP messages to the Web Service endpoints (which is executed using the underlying SoapUI framework). This functionality can be extended using various plugins and libraries to build specific Web Services attacks.
– Java 7 or higher
+ New Adaptive and Intelligent Denial-of-Service Attacks (AdIDoS) The following DoS attacks can be chosen and configured individually:
— XML Element Count
— XML Attribute Count
— XML Entity Expansion
— XML External Entity
— Hash Collision
— XML Overlong Names
+ Automatic XML Encryption Attacks against Web Services
+ Automatic XML Signature Wrapping attack against Web Services
+ XML-Denial-of-Service Techniques against Web Services
+ SOAPAction Spoofing and WS-Addressing Spoofing
+ Further Attacks in Development (even apart from Web Services)
+ WS-Addressing spoofing
+ XML Encryption attacks Currently supported techniques:
— Attack on CBC Ciphertexts.
— Attack on RSA-PKCS#1 Ciphertexts using direct error messages.
— Attack on RSA-PKCS#1 Ciphertexts using a CBC weakness.
Usage & Download:
git clone https://github.com/RUB-NDS/WS-Attacker.git && cd WS-Attacker
mvn clean package -DskipTests
java -jar WS-Attacker-1.8-SNAPSHOT.jar