Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hints about Java usage and WSDL import #32

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Hints about Java usage and WSDL import #32

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4121a11
Hints about Java usage and WSDL import
psytester Sep 29, 2021
d6ca108
Java 7 & 8 only due to current ClassLoader usage
psytester Sep 29, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 17 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,12 @@ In the current version, WS-Attacker supports the following attacks:
The first option to obtain a WS-Attacker jar file is from the sourceforge website: https://sourceforge.net/projects/ws-attacker/files/

The second option is to build it directly from the Github sources. For this purpose, you need:
- Java 7 or higher
- Java 7 or 8
- maven
- git

Hint: With Java 9+ it will not work at runtime due to removed class loader URLClassLoader()

You procede as follows. You first need to clone WS-Attacker sources (you can of course also download a ZIP file):

```bash
Expand All @@ -36,16 +38,29 @@ $ cd WS-Attacker
$ mvn clean package -DskipTests
```

Afterwards, you are able to go to the runnable directory and execute WS-Attacker:
Afterwards, you are able to go to the runnable directory and execute WS-Attacker (with Java 7 or 8):

```bash
$ cd runnable
$ java -jar WS-Attacker-1.9-SNAPSHOT.jar
```

Hint: With Java 9+ the plugins are not loaded anymore due to removed class loader URLClassLoader()<br>
With Java 11+ it would not start due to removed Java EE modules (JAX-WS, JAXB, ...)

## WS-Attacker Usage

If WSDL web services discovery is not possible (e.g. due to hardening) but you have the WSDL file locally (and the corresponding XSD file), you can import them as follows.<br>
On Windows copy all to `C:/Users/User/workspace/`

Now in the tab "WSDL Loader" enter `file:///C:/Users/User/workspace/Service.wsdl` and press the Load button

Hint: Check the WSDL file for an XSD import if they are relative or directly loaded.<br>
Change:<br>
`<xsd:import namespace="https://....." schemaLocation="https://domain/path/ServiceTypes.xsd" />`
into locally import, relative to the WSDL location:<br>
`<xsd:import namespace="https://....." schemaLocation="ServiceTypes.xsd" />`

You can find the latest documentation on XML Signature Wrapping and DoS attacks here:
https://sourceforge.net/projects/ws-attacker/files/WS-Attacker%201.3/Documentation-v1.3.pdf/download

Expand Down