If you are looking for an extension to parse WSDL files while pentesting SOAP services, the Wsdler extension is for you. It's easy to use and has no dependencies.

Extension Availability: Community, Professional
Source Code:
Dependencies: -
Author: Eric Gruber

Wsdler Description

How to configure this extension

  1. Head over to the BApp Store under the Extender section. Click on Wsdler, then click Install on the right side under the description. Once the extension is installed successfully, you will find a new tab in Burp Suite.

    Wsdler Tab

  2. To demonstrate the usage of the tool, I have installed the CsharpVulnSoap VM from VulnHub on my local machine. The vulnerable application provides the WSDL file at the /Vulnerable.asmx?wsdl endpoint.

    WSDL file

  3. In Burp Suite, right-click on the HTTP request in the Proxy history, and select Parse WSDL. If the response contains a valid WSDL file, the extension parses it and displays all the requests under the Wsdler tab.

    WSDL file parse

    You can right-click on each request under the Wsdler tab and send it to Repeater to manually play with the HTTP requests.

  4. Also, note that if the response is not a valid WSDL file, the extension errors out with the following message.

    Invalid WSDL
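
To make steps 3 and 4 concrete, here is an added Python sketch (not Wsdler's code and not from the original post) that lists the SOAP 1.1 operations a WSDL declares, with SOAPAction and endpoint, and rejects a response that is not a WSDL. The sample WSDL and the example.test names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

# Constructed sample WSDL (hypothetical service, not CsharpVulnSoap's file).
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="http://example.test/">
  <binding name="DemoSoap" type="tns:DemoPortType">
    <operation name="AddUser"><soap:operation soapAction="http://example.test/AddUser"/></operation>
    <operation name="ListUsers"><soap:operation soapAction="http://example.test/ListUsers"/></operation>
  </binding>
  <service name="Demo">
    <port name="DemoSoap" binding="tns:DemoSoap">
      <soap:address location="http://example.test/Demo.asmx"/>
    </port>
  </service>
</definitions>"""


def list_operations(wsdl_text):
    """Return [(binding, operation, soapAction, endpoint)] for SOAP 1.1 bindings."""
    # The WSDL comes from the system under test, so treat it as untrusted XML.
    if "<!DOCTYPE" in wsdl_text or "<!ENTITY" in wsdl_text:
        raise ValueError("DTD/entity declarations are not expected in a WSDL")
    try:
        root = ET.fromstring(wsdl_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "{%s}definitions" % NS["wsdl"]:
        raise ValueError("root element is not wsdl:definitions")
    # Map binding name -> endpoint URL from service/port/soap:address.
    endpoints = {}
    for port in root.findall("wsdl:service/wsdl:port", NS):
        addr = port.find("soap:address", NS)
        if addr is not None:
            endpoints[port.get("binding", "").split(":")[-1]] = addr.get("location")
    rows = []
    for binding in root.findall("wsdl:binding", NS):
        for op in binding.findall("wsdl:operation", NS):
            soap_op = op.find("soap:operation", NS)
            action = soap_op.get("soapAction") if soap_op is not None else None
            rows.append((binding.get("name"), op.get("name"), action,
                         endpoints.get(binding.get("name"))))
    return rows
```

The returned list doubles as an inventory of what the service exposes, which is useful for scoping which operations need authentication and input-validation review.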

When to use this extension?

This extension is convenient when you are pentesting SOAP services that expose a WSDL file. It removes the pain of loading the WSDL file in SoapUI and hitting each SOAP endpoint with Burp as a proxy.