StackHawk Documentation (HawkDocs)

SOAP API Configuration

SOAP uses XML-envelope style requests and describes an API's operations through schema definitions and published WSDL endpoints. When given a schema, either from a published endpoint or from a definition file, HawkScan generates SOAP-specific payloads while scanning.

Some key points to note about scanning a SOAP endpoint:

  • SOAP APIs respond to specific XML payloads at a single predefined endpoint
  • The SOAP WSDL defines the valid actions and responses available in the API
  • Fuzzing a SOAP endpoint for functional behavior is challenging because each request must match the defined structure
  • Standard scans typically rely on spidering, path enumeration, or brute forcing to discover routes, which does not reveal the operations behind a SOAP endpoint
  • The schema definition file (.xsd) can be provided to HawkScan as an alternative to the WSDL endpoint

Example SOAP API WSDL

The WSDL should be published to an available endpoint in the app (e.g. http://example.com/ws/features.wsdl). The SOAP schema definition file (.xsd) can also be provided.

A simple example showing the structure of a SOAP schema definition (in a WSDL 1.1 document the schema sits inside the wsdl:types element):

<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">

<wsdl:types>

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="https://www.example.com/xml/school"
           targetNamespace="https://www.example.com/xml/school" elementFormDefault="qualified">

    <!-- request payload: one string field -->
    <xs:element name="StudentDetailsRequest">
        <xs:complexType>
            <xs:sequence>
                <xs:element name="name" type="xs:string"/>
            </xs:sequence>
        </xs:complexType>
    </xs:element>

    <!-- response payload: references the named Student type below -->
    <xs:element name="StudentDetailsResponse">
        <xs:complexType>
            <xs:sequence>
                <xs:element name="Student" type="tns:Student"/>
            </xs:sequence>
        </xs:complexType>
    </xs:element>

    <xs:complexType name="Student">
        <xs:sequence>
            <xs:element name="name" type="xs:string"/>
            <xs:element name="standard" type="xs:int"/>
            <xs:element name="address" type="xs:string"/>
        </xs:sequence>
    </xs:complexType>

</xs:schema>

</wsdl:types>

</wsdl:definitions>
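To see why the schema matters to a scanner, the following added example (not StackHawk code) walks the example schema above, expands each declared element into a well-formed SOAP 1.1 envelope, and follows tns: references into named complex types; this is the kind of payload a scan can only construct once it has the WSDL or .xsd, since the endpoint URL alone reveals nothing about the operations or their fields. The embedded WSDL is a constructed copy of the page's example, and the fill values per simple type are assumptions.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SAMPLE = {"xs:string": "placeholder", "xs:int": "1"}  # assumed fill value per simple type

# Constructed copy of the page's example schema, wrapped in wsdl:types as WSDL 1.1 requires.
WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"><wsdl:types>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="https://www.example.com/xml/school"
           targetNamespace="https://www.example.com/xml/school" elementFormDefault="qualified">
  <xs:element name="StudentDetailsRequest"><xs:complexType><xs:sequence>
      <xs:element name="name" type="xs:string"/>
  </xs:sequence></xs:complexType></xs:element>
  <xs:element name="StudentDetailsResponse"><xs:complexType><xs:sequence>
      <xs:element name="Student" type="tns:Student"/>
  </xs:sequence></xs:complexType></xs:element>
  <xs:complexType name="Student"><xs:sequence>
      <xs:element name="name" type="xs:string"/>
      <xs:element name="standard" type="xs:int"/>
      <xs:element name="address" type="xs:string"/>
  </xs:sequence></xs:complexType>
</xs:schema></wsdl:types></wsdl:definitions>"""

def build_envelopes(wsdl_text):
    """Return {top-level element name: SOAP 1.1 envelope string} for every element
    declared in the schema, expanding tns: complex types recursively."""
    root = ET.fromstring(wsdl_text)
    schema = root.find(f".//{XS}schema")
    tns = schema.get("targetNamespace")
    ET.register_namespace("soapenv", SOAP_ENV)
    ET.register_namespace("tns", tns)
    named = {ct.get("name"): ct for ct in schema.findall(f"{XS}complexType")}

    def fill(parent, holder):
        # holder is an xs:element with an inline complexType, or a named xs:complexType
        for field in holder.find(f".//{XS}sequence"):
            child = ET.SubElement(parent, f"{{{tns}}}{field.get('name')}")
            ftype = field.get("type", "")
            if ftype.startswith("tns:"):
                fill(child, named[ftype[4:]])        # follow the reference to a named type
            else:
                child.text = SAMPLE.get(ftype, "?")  # leaf field with a simple type

    envelopes = {}
    for elem in schema.findall(f"{XS}element"):
        env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
        body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
        fill(ET.SubElement(body, f"{{{tns}}}{elem.get('name')}"), elem)
        envelopes[elem.get("name")] = ET.tostring(env, encoding="unicode")
    return envelopes
```

Calling build_envelopes(WSDL) yields one envelope per declared element; for a scan only the *Request envelopes would be sent, with each leaf field becoming a point to test.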

Using a SOAP API Spec File in HawkScan

Configure HawkScan using the following stackhawk.yml parameters (use either path or filePath):

# in the "app" config...
app:
  # path: relative path to the SOAP API WSDL; prefix it with / to fetch from the target host
  # filePath: a local schema definition file (.xsd), used instead of path
  soapConf:
    path: /ws/features.wsdl # OR...
    filePath: features.xsd
