Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hints about Java usage and WSDL import #32

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 17 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,12 @@ In the current version, WS-Attacker supports the following attacks:
The first option to obtain a WS-Attacker jar file is from the sourceforge website: https://sourceforge.net/projects/ws-attacker/files/

The second option is to build it directly from the Github sources. For this purpose, you need:
- Java 7 or higher
- Java 7 or 8
- maven
- git

Hint: With Java 9+ it will not work at runtime due to removed class loader URLClassLoader()

You procede as follows. You first need to clone WS-Attacker sources (you can of course also download a ZIP file):

```bash
Expand All @@ -36,16 +38,29 @@ $ cd WS-Attacker
$ mvn clean package -DskipTests
```

Afterwards, you are able to go to the runnable directory and execute WS-Attacker:
Afterwards, you are able to go to the runnable directory and execute WS-Attacker (with Java 7 or 8):

```bash
$ cd runnable
$ java -jar WS-Attacker-1.9-SNAPSHOT.jar
```

Hint: With Java 9+ the plugins are not loaded anymore due to removed class loader URLClassLoader()<br>
With Java 11+ it would not start due to removed Java EE modules (JAX-WS, JAXB, ...)

## WS-Attacker Usage

If WSDL web services discovery is not possible (e.g. due to hardening) but you have the WSDL file locally (and the corresponding XSD file), you can import them as follows.<br>
On Windows copy all to `C:/Users/User/workspace/`

Now in the tab "WSDL Loader" enter `file:///C:/Users/User/workspace/Service.wsdl` and press the Load button

Hint: Check the WSDL file for an XSD import if they are relative or directly loaded.<br>
Change:<br>
`<xsd:import namespace="https://....." schemaLocation="https://domain/path/ServiceTypes.xsd" />`
into locally import, relative to the WSDL location:<br>
`<xsd:import namespace="https://....." schemaLocation="ServiceTypes.xsd" />`

You can find the latest documentation on XML Signature Wrapping and DoS attacks here:
https://sourceforge.net/projects/ws-attacker/files/WS-Attacker%201.3/Documentation-v1.3.pdf/download

Expand Down