WSFuzzer 1.9.3 released

WSFuzzer is a fuzzing penetration testing tool used against HTTP SOAP based web services. It tests numerous aspects (input validation, XML Parser, etc) of the SOAP target. It is only to be used against targets that have granted permission to be tested.


  • Pen tests an HTTP SOAP web service based on either valid WSDL, known good XML payload, or a valid endpoint & namespace.
  • It can try to intelligently detect WSDL for a given target.
  • Includes a simple TCP port scanner.
  • WSFuzzer has the ability to Fuzz methods with multiple parameters. There are 2 modes of attack/fuzzing: "individual" and "simultaneous". Each parameter is either handled as a unique entity (individual mode), and can either be attacked or left alone, or multiple parameters are attacked simultaneously (hence the name - simultaneous mode) with a given data set.
  • The fuzz generation (attack strings) consists of a combination of a dictionary file, some optional dynamic large injection patterns, and some optional method specific attacks including automated XXE and WSSE attack generation.
  • The tool also provides the option of using some IDS Evasion techniques which makes for a powerful security infrastructure (IDS/IPS) testing experience.
  • A time measurement of each round trip between request and response is now provided to potentially aid in results analysis.
  • For any given program run the generated attack vectors are saved out to an xml file. The XML file is named XXX and is located in the same directory where the results HTML file is saved. ‡ A previously generated XML file of attack vectors can be utilized instead of the dictionary/automated combo. This is for the sake of repeatability when the same vectors need to be used over and over again.

Post scriptum

Compliance Mandates

  • Application Scanner :

    PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2


Related Articles

Application Scanner