Category:OWASP WSFuzzer Project

Overview
WSFuzzer is a GPL'd program, written in Python, that currently targets Web Services. In the current version HTTP based SOAP services are the main target. This tool was created based on, and to automate, some real-world manual SOAP pen testing work. This tool is NOT meant to be a replacement for solid manual human analysis. Please view WSFuzzer as a tool to augment analysis performed by competent and knowledgable professionals. Web Services are not trivial in nature so expertise in this area is a must for proper pen testing.

Goals
It is not the goal of WSFuzzer to replace human analysis. AAMOF WSFuzzer does not currently do any analysis of the results gathered. The job of analysis is left to the analyst/engineer running a given pen test.

This tool is meant to augment a pen testers job in respect to SOAP services and the intent is to automate some of the more intense fuzzing processes that would be quite time consuming if performed manually. Hence the main goal is to be part of a solid pen testing toolkit.

Check out a video of WSFuzzer in action @ http://www.neurofuzz.com/modules/software/vidz.php

Download
Get the tarball from sourceforge: http://sourceforge.net/project/showfiles.php?group_id=155697

Features
‡ Pen tests an HTTP SOAP web service based on either valid WSDL, known good XML payload, or a valid endpoint & namespace. ‡ It can try to intelligently detect WSDL for a given target. ‡ Includes a simple TCP port scanner. ‡ WSFuzzer has the ability to Fuzz methods with multiple parameters. There are 2 modes of attack/fuzzing: "individual" and "simultaneous". Each parameter is either handled as a unique entity (individual mode), and can either be attacked or left alone, or multiple parameters are attacked simultaneously (hence the name - simultaneous mode) with a given data set. ‡ The fuzz generation (attack strings) consists of a combination of a dictionary file, some optional dynamic large injection patterns, and some optional method specific attacks including automated XXE and WSSE attack generation. ‡ The tool also provides the option of using some IDS Evasion techniques which makes for a powerful security infrastructure (IDS/IPS) testing experience.

Command line usage
Usage: python WSFuzzer.py [-w wsdl_url |  -e endpoint -n namespace  |  --xml  |  -h host  | --bauser username --bapass password |  --keyfile keyfile --certfile certfile ]

-w WSDL_URL -- A FQDN WSDL URL - i.e. http://host/service/service.asmx?wsdl Example: python WSFuzzer.py -w http://host/service/service.asmx?wsdl

-e endpoint -n namespace -- -e and -n are used together -e is the web service endpoint -- i.e. WSDL URL -n is the web service namespace -- i.e. URI When using -e and -n you will have to manually establish the method to be attacked Example: python WSFuzzer.py -e "http://host/service/service.asmx" -n "urn:querySOAP" --xml --- A text file of the XML payload to be used against the target -h host -- A URL of the target host. This option will do some digging into the target URL, it will scrape for anything WSDL or DISCO related and construct a list of verified WSDL URL's Example: python WSFuzzer.py -h http://host --bauser username --bapass password --- these 2 optional arguments are used together whenever HTTP Basic Auth needs to be used --bauser is a Basic Auth username --bapass is a Basic Auth password to be used with the "bauser" username --keyfile keyfile --certfile certfile --- these 2 optional arguments are used together whenever client-side certs need to be used --keyfile is the PEM formatted file that contains the respective private key to be used --certfile is the PEM formatted file that contains the X.509 certificate to be used with the "keyfile"

Here are examples of different types of runs:


 * 1) python WSFuzzer -w http://target/service/service.asmx?wsdl
 * 2) python WSFuzzer -e http://target/service/service.asmx -n urn:service
 * 3) python WSFuzzer --xml file.xml
 * 4) python WSFuzzer -h http://target

Upon completion of a run the current output is based on a directory the prog will create. That dir is created within the root dir where the program is installed and run from. By default the pattern for dir creation is based on the string FuzzingResults-N. N is dynamically calculated based on existing directories fitting the pattern. So if you run the prog from "/opt/WSFuzzer" for instance you will end up with something like:


 * 1) /opt/WSFuzzer/FuzzingResults-0
 * 2) /opt/WSFuzzer/FuzzingResults-1
 * 3) /opt/WSFuzzer/FuzzingResults-N
 * 1) /opt/WSFuzzer/FuzzingResults-N

In each one of these directories there will be an index.html file and a dir called HeaderData.

index.html will give you an overview of the results as such:

Method 	Request Params 	       IDS evasion 	                Response 	Http Info 	Round Trip xpath 	{'parameters': '%00'} 	/WSDIGGeR_WS/WSDiggER_WS.AsMX 	Soap Fault 	HTTP Log 	276.2158 M xpath 	{'parameters': 'TRUE'} 	/WSDIggER_WS/WSDIgGer_WS.AsMx 	Soap Fault 	HTTP Log 	2.88 S

In the HeaderData dir you will find files that hold a Request / Response pair for each of the attacks sent to the target. One file has one Request and one Response. In some cases there will be no response if the attack Request caused some sort of crash on the server (500 status response, etc). Each one of the links in the Http Info column will provide you a path into the respective file as per the rest of the data in that row.

In reference to the "Round Trip" values:

* M = milliseconds * S = seconds

This is a snippet from a run using the Static XML option (--xml). python2.4 WSFuzzer.py --xml xpath.xml

Running WSFuzzer 1.9, the latest version

Local "All_attack.txt" data matches that on neurofuzz.com

Local "dirs.txt" data matches that on neurofuzz.com

Local "filetypes.txt" data matches that on neurofuzz.com

If you would like to establish the directory name for the results then type it in now (leave blank for the default): xmltest Since you are using the static XML feature we need some data from you...

Host to attack (i.e. sec.neurofuzz.com): 192.168.1.207

URI to attack (i.e. /axis/EchoHeaders.jws): /WSDigger_WS/WSDigger_WS.asmx Unless some serious masking/spoofing is in place, it seems you are targeting a .Net host so you will need to use a SOAPAction header ...

Enter the SOAPAction value: http://foundstone.com/Stringproc/xpath

Method: xpath Param discovered: query, of type: xsi:string Simultaneous Mode activated

Input name of Fuzzing dictionary(full path): attack.txt

Dictionary Chosen: attack.txt

Would you like to enable automated fuzzing to augment what you have already chosen? This option generates a lot of traffic, mostly with a bad attitude &-> Answer: n Parameter: query

Would you like to fuzz this param: y Fuzzing this param adding parameter

Would you like to enable IDS evasion(y/n)? Answer: n Not using IDS evasion

Shall I begin Fuzzing(y/n)? Answer: y

Commencing the fuzz .... Starting to fuzz method (xpath)

Generated 4 parameter based Attack Strings ...

Fuzzing completed for method (xpath)

The following represents an example of the payload contained as the content of the xml file passed in via the --xml switch. In reference to the example above, the file xpath.xml has the following as its contents:     WHATEVER  


 * This option (--xml) is ideal for the use of WSFuzzer when targeting .Net services/hosts. In order to use this option successfully you need to know/have the following in reference to your target:
 * 1) A valid XML payload. All you need to do is use whatever method you'd like to generate a valid payload based on your target. As a pen tester this is usually no problem since you are working closely with the target's developers/engineers.
 * 2) Proper host data in the form of host.domain or an IP address, i.e. sec.neurofuzz.com or 192.168.1.207
 * 3) Proper resource data (URI), i.e. /WSDigger_WS/WSDigger_WS.asmx
 * 4) If you are targeting a .Net service you will also need to know the value for a valid SOAPAction HTTP header, this could be the name of the method or a FQDN - it totally depends on how the target services were built. For instance in the example above the SOAPAction value is: http://foundstone.com/Stringproc/xpath

Here is a snippet from a run utlizing individual mode and no IDS Evasion: WSFuzzer.py -w http://jboss_target.example.com/ws4ee/services/LoginService?wsdl

Running WSFuzzer 1.9, the latest version

Local "All_attack.txt" data matches that on neurofuzz.com

Local "dirs.txt" data matches that on neurofuzz.com

Local "filetypes.txt" data matches that on neurofuzz.com

WSDL Discovered (http://jboss_target.example.com/ws4ee/services/LoginService?wsdl) If you would like to establish the directory name for the results then type it in now (leave blank for the default): mytest

Method(0): authenticateUser Params: in0(string) in1(string) in2(string)

Method(1): setToken Params: in0(string)

Select the methods you want to Fuzz(ex: 0,1,2,3 or A for All) Methods: 0

Would you like to attack all the chosen params simultaneously? n

Method: authenticateUser Parameter: in0 Type: string

Choose fuzz type(ex. 1) 0) Do not fuzz this parameter 1) Dictionary (One entry per line) FuzzType: 1

Fuzzing using dictionary Input name of dictionary(full path): attack1.txt Dictionary Chosen: attack1.txt

Would you like to enable automated fuzzing to augment what you have already chosen? This option generates a lot of traffic, mostly with a bad attitude &-> Answer: y

adding parameter Parameter: in1 Type: string

Choose fuzz type(ex. 1) 0) Do not fuzz this parameter 1) Dictionary (One entry per line) FuzzType: 0

Not fuzzing this param adding parameter Parameter: in2 Type: string

Choose fuzz type(ex. 1) 0) Do not fuzz this parameter 1) Dictionary (One entry per line) FuzzType: 1

Fuzzing using dictionary Input name of dictionary(full path): attack2.txt Dictionary Chosen: attack2.txt

Would you like to enable automated fuzzing to augment what you have already chosen? This option generates a lot of traffic, mostly with a bad attitude &-> Answer: n

Method: authenticateUser Parameter: in0 Type: string

Would you like to fuzz this param: y Fuzzing this param adding parameter Parameter: in1 Type: string

Would you like to fuzz this param: y Fuzzing this param adding parameter Parameter: in2 Type: string

Would you like to fuzz this param: y Fuzzing this param adding parameter

Would you like to enable IDS evasion(y/n)? Answer: n Not using IDS evasion

Shall I begin Fuzzing(y/n)? Answer: y Commencing the fuzz ....

starting fuzzing method (authenticateUser)

Generated 6101 Attack Strings ...

<<< Baseline XML Payload with Random data val's >>>

    xdeiykUzTnXTlFPrEiyJvAszywDojsxbAQNDxVnysdjJrQKCYqGsrNeTQaHWfAZIuhcrohfygMilBDCTCJRGvplQi suDtTvYwFdbJxDSuvgnnUhzzXbsFrLQuTKfPPNTejarrVATMXUqD gGdVVAKWMmARMSBBlZhQdnBHzVVHGfgHwUoxFItflzKaTbxMNppRtWevzQxCJcXhdF </authenticateUser> </SOAP-ENV:Body> </SOAP-ENV:Envelope>

<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>

Fuzzing completed for method (authenticateUser)

And here is a snippet from the results output of the run above: Method 	Request Params 	IDS Evasion 	Response 	Http Info 	Round Trip authenticateUser 	{'in0': '/*', 'in1': None, 'in2': None} 	None 	0 	HTTP Log 	276.2158 M authenticateUser 	{'in0': '\\00', 'in1': None, 'in2': None} 	None 	0 	HTTP Log 	2.88 S

Here is a snippet from a run utlizing simultaneous mode and no IDS Evasion:

WSFuzzer.py -w http://jboss_target.example.com/ws4ee/services/LoginService?wsdl

Running WSFuzzer 1.9, the latest version

Local "All_attack.txt" data matches that on neurofuzz.com

Local "dirs.txt" data matches that on neurofuzz.com

Local "filetypes.txt" data matches that on neurofuzz.com

WSDL Discovered (http://jboss_target.example.com/ws4ee/services/LoginService?wsdl) If you would like to establish the directory name for the results then type it in now (leave blank for the default): mytest

Method(0): authenticateUser Params: in0(string) in1(string) in2(string)

Method(1): setToken Params: in0(string)

Select the methods you want to Fuzz(ex: 0,1,2,3 or A for All) Methods: 0

Would you like to attack all the chosen params simultaneously? y Input name of Fuzzing dictionary(full path): attack3.txt

Dictionary Chosen: attack3.txt

Would you like to enable automated fuzzing to augment what you have already chosen? This option generates a lot of traffic, mostly with a bad attitude &->

Answer: n

Method: authenticateUser Parameter: in0 Type: string Would you like to fuzz this param: y Fuzzing using dictionary adding parameter

Method: authenticateUser Parameter: in1 Type: string Would you like to fuzz this param: y Fuzzing using dictionary adding parameter

Method: authenticateUser Parameter: in2 Type: string Would you like to fuzz this param: y Fuzzing using dictionary adding parameter

Would you like to enable IDS evasion(y/n)? Answer: n Not using IDS evasion

Shall I begin Fuzzing(y/n)? Answer: y

Commencing the fuzz ....

starting fuzzing method (authenticateUser)

<<< Baseline XML Payload with Random data val's >>>

<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" > <SOAP-ENV:Body> <authenticateUser SOAP-ENC:root="1"> <v1 xsi:type="xsd:string">xdeiykUzTnXTlFPrEiyJvAszywDojsxbAQNDxVnysdjJrQKCYqGsrNeTQaHWfAZIuhcrohfygMilBDCTCJRGvplQi</v1> <v2 xsi:type="xsd:string">suDtTvYwFdbJxDSuvgnnUhzzXbsFrLQuTKfPPNTejarrVATMXUqD</v2> gGdVVAKWMmARMSBBlZhQdnBHzVVHGfgHwUoxFItflzKaTbxMNppRtWevzQxCJcXhdF</v3> </authenticateUser> </SOAP-ENV:Body> </SOAP-ENV:Envelope>

<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>

Fuzzing completed for method (authenticateUser)

And here is a snippet from the results output of the run above: Method 	Request Params 	IDS Evasion 	Response 	Http Info 	Round Trip authenticateUser 	{'in0': '/*', 'in1': '/*', 'in2': '/*'} 	None 	0 	HTTP Log 	2.88 S authenticateUser 	{'in0': '\\00', 'in1': '\\00', 'in2': '\\00'} 	None 	0 	HTTP Log 	276.2158 M

Now here is a run utilizing one of the IDS Evasion techniques:

Running WSFuzzer 1.9

If you would like to establish the directory name for the results then type it in now (leave blank for the default): mytest

0) Basic Discovery (faster but less accurate) 1) Advanced Discovery (slower and more intrusive but more thorough and accurate) 2) Advanced Discovery (like #1) with port scanning first

Probe Type: 2

Beginning TCP port for scan: 1

Ending TCP port for scan: 9090

Open TCP ports discovered for target localhost: [0] 80 [0] 8080 [0] 8088

Pick one via numeric index (i.e. 1 for [1]): 0

Would you like to Spider the target on top of the advanced probe: y Checking 10077696 maximum number of dir combo's based on a depth of 7

Discovered WSDL links: 0 => http://jboss_target.example.com/ws4ee/services/ERSService?wsdl 1 => http://jboss_target.example.com/ws4ee/services/AuditService?wsdl 2 => http://jboss_target.example.com/ws4ee/services/SyncService?wsdl 3 => http://jboss_target.example.com/ws4ee/services/ThumbnailService?wsdl 4 => http://jboss_target.example.com/ws4ee/services/OfficeDataService?wsdl 5 => http://jboss_target.example.com/ws4ee/services/TestService?wsdl 6 => http://jboss_target.example.com/ws4ee/services/LogsService?wsdl 7 => http://jboss_target.example.com/ws4ee/services/LoginService?wsdl 8 => http://jboss_target.example.com/ws4ee/services/AdminService?wsdl 9 => http://jboss_target.example.com/ws4ee/services/VersionService?wsdl 10 => http://jboss_target.example.com/ws4ee/services/UserService?wsdl 11 => http://jboss_target.example.com/ws4ee/services/IKSService?wsdl 12 => http://jboss_target.example.com/ws4ee/services/ExcelService?wsdl 13 => http://jboss_target.example.com/ws4ee/services/AdminService2?wsdl 14 => http://jboss_target.example.com/ws4ee/services/DirService?wsdl

Please choose ONE link, via numeric index, from the above list 7

Method(0): authenticateUser Params: in0(string) in1(string) in2(string)

Method(1): setToken Params: in0(string)

Select the methods you want to Fuzz(ex: 0,1,2,3 or A for All) Methods: 0

Would you like to attack all the chosen params simultaneously? n

Method: authenticateUser Parameter: in0 Type: string

Choose fuzz type(ex. 1) 0) Do not fuzz this parameter 1) Dictionary (One entry per line) FuzzType: 1

Fuzzing using dictionary Input name of dictionary(full path): attack1.txt Dictionary Chosen: attack1.txt

Would you like to enable automated fuzzing to augment what you have already chosen? This option generates a lot of traffic, mostly with a bad attitude &-> Answer: y

adding parameter Parameter: in1 Type: string

Choose fuzz type(ex. 1) 0) Do not fuzz this parameter 1) Dictionary (One entry per line) FuzzType: 0

Not fuzzing this param adding parameter Parameter: in2 Type: string

Choose fuzz type(ex. 1) 0) Do not fuzz this parameter 1) Dictionary (One entry per line) FuzzType: 1

Fuzzing using dictionary Input name of dictionary(full path): attack2.txt Dictionary Chosen: attack2.txt

Would you like to enable automated fuzzing to augment what you have already chosen? This option generates a lot of traffic, mostly with a bad attitude &-> Answer: n

adding parameter

Would you like to enable IDS evasion(y/n)? Answer: y Choose an option for IDS Evasion. 0) null method processing - ** Windows targets only 1) random URI (non-UTF8) encoding 2) directory self-reference (/./) 3) premature URL ending 4) prepend long random string 5) fake parameter 6) TAB as request spacer 7) random case sensitivity - ** Windows targets only 8) directory separator (\) - ** Windows targets only 10) URI (non-UTF8) encoding R) choose an option at random Option: 1

Shall I begin Fuzzing(y/n)? Answer: y

Commencing the fuzz .... starting fuzzing method (authenticateUser)

Generated 6101 Attack Strings ...

<<< Baseline XML Payload with Random data val's >>>

<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" > <SOAP-ENV:Body> <authenticateUser SOAP-ENC:root="1"> <v1 xsi:type="xsd:string">xdeiykUzTnXTlFPrEiyJvAszywDojsxbAQNDxVnysdjJrQKCYqGsrNeTQaHWfAZIuhcrohfygMilBDCTCJRGvplQi</v1> <v2 xsi:type="xsd:string">suDtTvYwFdbJxDSuvgnnUhzzXbsFrLQuTKfPPNTejarrVATMXUqD</v2> gGdVVAKWMmARMSBBlZhQdnBHzVVHGfgHwUoxFItflzKaTbxMNppRtWevzQxCJcXhdF</v3> </authenticateUser> </SOAP-ENV:Body> </SOAP-ENV:Envelope>

<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>

Fuzzing completed for method (authenticateUser)

And here is a snippet from the results output of the run above: Method 	Request Params 	IDS Evasion 	Response 	Http Info 	Round Trip authenticateUser 	{'in0': '/*', 'in1': None, 'in2': None} 	/L%75g%68%53e%72vic%65/%41o%74hS%65%72vic%65S%65rv%69%63%65 	0 	HTTP Log 	276.2150 M authenticateUser 	{'in0': '\\00', 'in1': None, 'in2': None} 	/L%75%74i%53%65%72v%69%63%65/%41o%74%68Servi%63%65%53%65rv%69%63e 	0 	HTTP Log 	2.88 S

IDS Evasion info

The following options are currently available for purposes of IDS Evasion:

0) null method processing - ** Windows targets only 1) random URI (non-UTF8) encoding 2) directory self-reference (/./) 3) premature URL ending 4) prepend long random string 5) fake parameter 6) TAB as request spacer 7) random case sensitivity - ** Windows targets only 8) directory separator (\) - ** Windows targets only 10) URI (non-UTF8) encoding 11) double percent hex encoding - ** Windows targets only 12) double nibble hex encoding - ** Windows targets only 13) first nibble hex encoding - ** Windows targets only 14) second nibble hex encoding - ** Windows targets only R) choose an option at random

Working with the following target URI: "/WSDigger_WS/WSDigger_WS.asmx" here is an idea of what the URI data would look like when in use for the HTTP POST's:

* null method processing: %00%20/WSDigger_WS/WSDigger_WS.asmx

* random URI (non-UTF8): /%57SDi%67g%65r%5fW%53/%57%53D%69gge%72_%57%53.asm%78

* directory self-reference (/./): /./WSDigger_WS/./WSDigger_WS.asmx

* premature URL ending: /%20HTTP/1.1%0D%0A%0D%0AAccept%3A%20PTdOoYWl2A/../../WSDigger_WS/WSDigger_WS.asmx

* prepend long random string: /UCD8SiuHKgBhOrUmmdRtn15khQD17fWScHMz6Wa3x65ihPOzBPCkj2M3e4Lr0lwAYgx0zrDAh7ZOUlAqE1vHpqvIFKj2hHQjUS4VdyUyOewrIDnEsaX5 WrpOYIphWuzZIT3J1nezbYxjwvg0R5u6QVbBJFiafkY2t5mIPexZd9Zwq9f9Nu3lHRJzRauoDP2VpewGimw9TVrcynp0NJFCEefV6ETCMbhdn9fUPC3dYN8 MyubOeLQqOMWDKI4y35prsntMfGX2WWbRFii912f75zVuaYDOR5CxVopXT6bU7eDbCea8YSAZAWxdt0kuGtEmFbH46WXl6cInovsY3nLmTgZ77XX 4JncWWatypv34az9iuMmr0GqyCgOuxLIW0600zGhTlAuZYf3I6rs0Lm4NHaEmLi7ZNdPywNV0IUs2Wwlu2EsbHcTXnNbZ00Za2ixKuIJGqVKTrgS7LhfP5e 16rR2D9mvBWkxVXIHhj30iniGoHhRl1XPs2mnO0ROb6CS0Xy3Nquzv/../WSDigger_WS/WSDigger_WS.asmx

* fake parameter: /eLCk3rV3v1.html%3fyW0TziI2SP=/..//WSDigger_WS/WSDigger_WS.asmx

* TAB as request spacer: /WSDigger_WS/WSDigger_WS.asmx

* random case sensitivity: /WSDiggER_WS/WSDIgGER_WS.AsmX

* directory separator (\): /WSDigger_WS\WSDigger_WS.asmx

* URI (non-UTF8): /%57%53%44%69%67%67%65%72%5f%57%53/%57%53%44%69%67%67%65%72%5f%57%53%2e%61%73%6d%78

* double percent hex encoding: /%2557%2553%2544%2569%2567%2567%2565%2572%255f%2557%2553/%2557%2553%2544%2569%2567%2567%2565%2572%255f%2557%2553 %252e%2561%2573%256d%2578

* double nibble hex encoding: /%%35%37%%35%33%%34%34%%36%39%%36%37%%36%37%%36%35%%37%32%%35%66%%35%37%%35%33/%%35%37%%35%33%%34%34 %%36%39%%36%37%%36%37%%36%35%%37%32%%35%66%%35%37%%35%33%%32%65%%36%31%%37%33%%36%64%%37%38

* first nibble hex encoding: /%%357%%353%%344%%369%%367%%367%%365%%372%%35f%%357%%353/%%357%%353%%344%%369%%367%%367%%365%%372%%35f %%357%%353%%32e%%361%%373%%36d%%378

* second nibble hex encoding: /%5%37%5%33%4%34%6%39%6%37%6%37%6%35%7%32%5%66%5%37%5%33/%5%37%5%33%4%34%6%39%6%37%6%37%6%35%7%32%5%66 %5%37%5%33%2%65%6%31%7%33%6%64%7%38

Future Development
‡ More types of dynamic and intelligent XML content based attacks ‡ Exposing the functionality as a service (most likely via SOAP) ‡ Further development of attack vectors for: o	WS-Security o	SAML o	XML Security (Digital Signatures, XML Encryption, etc) ‡ Different results output formats (possibly AVDL, NBE, etc)

News
''' OWASP WSFuzzer Project Created! - 10:36, 23 October 2006 (EDT)'''

The Open Web Application Security Project is proud to announce the creation of the OWASP WSFuzzer Project!

Feedback and Participation
We hope you find the OWASP WSFuzzer Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP WSFuzzer Project mailing list or view the archives, please visit the subscription page.

WSFuzzer is a labor of love that is intended to benefit all of us in this application security field. It is entirely open source and to keep this tool as a useful player in a pen testers toolkit the project can use help in the areas of:

* Python coding * regular testing of the tool * web services security expertise

If one person has even 2 of these 3 qualifications then that person would be an ideal addition to this project. If you are interested drop a note to wsfuzzer [at] neurofuzz dot com.

Project Contributors
WSFuzzer is managed by Andres Andreu <andres [at] neurofuzz dot com>

Project Sponsors
TBD