
WAS Authentication on Web Services (WSDL/SOAP)

Question asked by D3al on Apr 29, 2014
Latest reply on Apr 30, 2014 by fmc

Greetings,

I'm trying to do an internal scan of a corporate web application using WAS, but I'm unable to get authentication to work.

The application is based on web services.

First I tried to do a Selenium script, but Selenium doesn't save the login parameters.

The main page is something like this:

http://webapp.com/presentation/home.html

The page is developed in Flash, so I can't see the source code; with Burp I saw that the app does the following:

1. Call to a config file located at

(GET) http://webapp.com/SecurityWS/SecurityService.asmx?WSDL

(POST) http://webapp.com/EWServices/

```xml
<SOAP-ENV:Body>
  <tns:rolesUser xmlns:tns="http://webapp.com/EWServices/">
    <tns:xmlIn>&lt;request&gt;&lt;username&gt;***********I&lt;/username&gt;&lt;password&gt;************&lt;/password&gt;&lt;servidor&gt;webapp.com&lt;/servidor&gt;&lt;modulo&gt;123&lt;/modulo&gt;&lt;oficina&gt;1&lt;/oficina&gt;&lt;pcname&gt;notdefined&lt;/pcname&gt;&lt;ip&gt;X.X.X.X&lt;/ip&gt;&lt;/request&gt;</tns:xmlIn>
  </tns:rolesUser>
</SOAP-ENV:Body>
```

If I run the WAS scan (discovery/vulnerability) from the root (http://webapp.com) with custom authentication fields, the result is that the authentication was not used.

If I run the WAS scan (discovery/vulnerability) from the ".asmx", it only scans that URL.

The body of the web application is under another path. I can do a Selenium script navigating the operational layer, but without authentication.

Please help with this.
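The login exchange the post describes, a SOAP `rolesUser` call whose `xmlIn` parameter carries a second, escaped XML document, as an added Python example. This is not code from the original post, from Qualys WAS or from the application. It assumes the SOAP 1.1 envelope namespace, that the service expects a `SOAPAction` header of namespace plus operation name (the usual ASMX convention, unverified here), and uses constructed sample credentials; the endpoint and the `tns` namespace are the ones visible in the Burp capture. The point it shows is that the username and password never appear as plain form fields: they are text inside `<tns:xmlIn>`, so `<`, `>` and `&` in the inner document are entity-escaped once by the inner serialisation and again by the envelope, and anything that replays the login (a scanner's authentication record, a script) has to reproduce that escaping exactly and parse it back the same way.

```python
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 (assumed)
SVC_NS = "http://webapp.com/EWServices/"               # namespace seen in the capture
ENDPOINT = "http://webapp.com/EWServices/"              # POST target seen in the capture


def build_inner_request(username, password, servidor, modulo, oficina,
                        pcname="notdefined", ip="0.0.0.0"):
    """Build the <request> document the Flash client places inside <tns:xmlIn>.

    Element names follow the captured request; values are escaped by the
    serializer, so a password containing '<' or '&' stays well-formed.
    """
    req = ET.Element("request")
    fields = [("username", username), ("password", password),
              ("servidor", servidor), ("modulo", str(modulo)),
              ("oficina", str(oficina)), ("pcname", pcname), ("ip", ip)]
    for tag, value in fields:
        ET.SubElement(req, tag).text = value
    return ET.tostring(req, encoding="unicode")


def build_envelope(inner_xml):
    """Wrap the inner document in a SOAP envelope as text, not as child elements.

    Assigning the inner XML to .text makes the serializer escape it a second
    time (&lt;request&gt;...), which is exactly what the capture shows.
    """
    ET.register_namespace("SOAP-ENV", SOAP_NS)
    ET.register_namespace("tns", SVC_NS)
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    op = ET.SubElement(body, "{%s}rolesUser" % SVC_NS)
    ET.SubElement(op, "{%s}xmlIn" % SVC_NS).text = inner_xml
    return ET.tostring(env, encoding="unicode")


def extract_inner_request(envelope_xml):
    """Reverse the double encoding: parse the envelope, then parse xmlIn's text.

    Returns the inner fields as a dict, or None if no xmlIn element is present.
    """
    root = ET.fromstring(envelope_xml)
    xml_in = root.find(".//{%s}xmlIn" % SVC_NS)
    if xml_in is None or not xml_in.text:
        return None
    inner = ET.fromstring(xml_in.text)  # .text is already unescaped once by the parser
    return {child.tag: child.text for child in inner}


def post_envelope(envelope_xml, endpoint=ENDPOINT, soap_action=SVC_NS + "rolesUser"):
    """Send the login over HTTP and return the raw response body.

    Network call; not exercised offline. The SOAPAction value is the ASMX
    convention (namespace + operation) and is an assumption, not taken from the capture.
    """
    data = envelope_xml.encode("utf-8")
    req = urllib.request.Request(
        endpoint, data=data, method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": '"%s"' % soap_action})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed sample credentials; the '&' and '<' show the double escaping.
    inner = build_inner_request("alice", "p&ss<word", "webapp.com", 123, 1, ip="10.0.0.5")
    envelope = build_envelope(inner)
    print(envelope)
    print(extract_inner_request(envelope))
    # post_envelope(envelope)  # uncomment to actually send it to the endpoint
```

Run it as-is to see the envelope text and the round-tripped fields; the printed envelope contains `&lt;request&gt;` and `&amp;lt;` rather than a literal `<request>`, which is the shape a replayed login must match byte for byte.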
