Tutorial 4 - Fuzzing Web Services

Source: http://www.fuzzware.net/tutorial-4-fuzzing-web-services

Interface fuzzing, and specifically for this tutorial Web Service fuzzing, differs from file, network or application fuzzing in that it does not require a template or example of a Web Service method being called in order to generate test cases. Instead, Fuzzware will try to generate the parameters of the Web Service methods automatically, although you can influence this generation. Another difference is that Fuzzware creates XSD files that follow a specific format; rather than force people to learn that format, the majority of settings for Web Service fuzzing can be made through the UI. The format will be explained for completeness' sake, but it is only relevant for those doing advanced fuzzing.


Fuzzware requires a WSDL file describing the services and methods exposed by the Web Service. Typically there is only one WSDL, or we would fuzz only one at a time, but Fuzzware does allow you to specify more than one, and internally it combines them all into one large WSDL. If the WSDL file(s) do not compile correctly, an error message will be presented indicating the problem. Many Web Services have services that work with more than one protocol, so the Web Service protocol must also be chosen.


If the WSDL(s) compile then you will be able to add to the list of Initial Methods; trying to do so brings up a list of methods to choose from. The ability to specify an initial method is important as some Web Services require their methods to be called in a certain order, e.g. login or load methods. Any methods that aren't specifically listed in the initial methods will be called in a random order for a given test case. It is important to point out that Fuzzware will call all the methods in the WSDL for every test case.


Try adding and removing Service1.wsdl and Service2.wsdl to see how the list of available Initial Methods changes depending on the WSDLs specified. Also note that the Initial Methods are prefixed with a service name so you can distinguish which methods belong to which service.


The last configuration section is the default method parameter values. Since Fuzzware does not use a template or example of the Web Service method calls, the parameters of the methods must be given. Rather than specify each method parameter individually, Fuzzware populates method parameters by their type; hence at the bottom of this section you can specify, for example, the default value of all parameters of type String. The last default parameter type is Variant; however, this is not relevant for WSDL fuzzing.


Being able to choose the default value for all parameters is fine, but often we want to give specific parameters, or groups of parameters, a certain value. Below we can see how this can be achieved by adding specific rules for Fuzzware to follow when it assigns parameters their values.

There are 4 rules to choose from:
1. Named method/parameter: From the dropdown lists choose a specific method (only those with input parameters are listed) and then choose a specific parameter and assign it a value. You can tell the type of the parameter because initially it will get the default value for that parameter type.
2. Any parameter name containing: Any parameter on any method that contains the specified string will be assigned the specified value. E.g. any parameter containing 'date' could be assigned a certain date.
3. Any parameter name starting with: Any parameter on any method that starts with the specified string will be assigned the specified value.
4. Any parameter name ending with: Any parameter on any method that ends with the specified string will be assigned the specified value.




Note also that these rules are applied in the order given (which can be changed), so they should be ordered from least specific (e.g. any parameter containing 'a') to most specific (e.g. a specific method and parameter).
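The effect of rule order, as an added Python example (not Fuzzware's code and not part of the original tutorial): it models the four rule kinds on top of per-type defaults and resolves one parameter under a good and a reversed ordering. It assumes that a later matching rule overwrites an earlier one and that matching is case-sensitive; the method names, parameter names and values are constructed.

```python
from typing import NamedTuple

# Constructed per-type defaults, standing in for the UI's default parameter values.
TYPE_DEFAULTS = {"string": "abc", "int": "1", "dateTime": "2000-01-01T00:00:00"}

class Rule(NamedTuple):
    kind: str         # "named", "contains", "startswith" or "endswith"
    pattern: str      # exact parameter name for "named", else the text to match
    value: str
    method: str = ""  # service-prefixed method name; only used by "named"

    def matches(self, method: str, param: str) -> bool:
        if self.kind == "named":
            return method == self.method and param == self.pattern
        if self.kind == "contains":
            return self.pattern in param
        if self.kind == "startswith":
            return param.startswith(self.pattern)
        if self.kind == "endswith":
            return param.endswith(self.pattern)
        raise ValueError(f"unknown rule kind: {self.kind}")

def resolve(method: str, param: str, ptype: str, rules: list) -> str:
    """Start from the type default, then apply each matching rule in list order."""
    value = TYPE_DEFAULTS[ptype]
    for rule in rules:
        if rule.matches(method, param):
            value = rule.value  # assumption: a later match overwrites an earlier one
    return value

# Least specific first, the named method/parameter rule last.
GOOD_ORDER = [
    Rule("contains", "Date", "2010-06-01T00:00:00"),
    Rule("endswith", "Id", "42"),
    Rule("named", "startDate", "1999-12-31T23:59:59", method="Service1.GetReport"),
]
# Same rules reversed: the broad 'contains' rule now clobbers the named rule.
BAD_ORDER = list(reversed(GOOD_ORDER))

def demo() -> dict:
    target = ("Service1.GetReport", "startDate", "dateTime")
    return {
        "good": resolve(*target, GOOD_ORDER),
        "bad": resolve(*target, BAD_ORDER),
        "suffix": resolve("Service2.Login", "userId", "int", GOOD_ORDER),
        "default": resolve("Service2.Login", "password", "string", GOOD_ORDER),
    }
```

With the reversed list the named rule for `startDate` is silently lost, which is the failure the ordering advice guards against.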

 



With the input source configured, we can now configure the corresponding output destination, 'Send testcases to Web Services'.

Whilst Fuzzware does not require an example of WSDL method calls, some web services use advanced or custom web service features that Fuzzware knows nothing about. Hence the first output destination configuration option tells Fuzzware what SOAP template file to use (the template is not an example of the Web Service we are fuzzing but a skeleton SOAP request that we will populate). A default SOAP template file ships with Fuzzware (located in the Resources directory where Fuzzware is installed) and contains a basic template for a SOAP method request. It can be copied and changed; all Fuzzware relies on is being able to append to the Body element of the SOAP request. Note also that if a pre-output handler changes the template, Fuzzware will notice this and reload it from the file (it checks the modified time on the file).

The next configuration option is reuse of response values. Some web service methods will respond with a value that they expect to be included in subsequent requests. To accommodate this, you can specify the name of the response node to look for and Fuzzware will record its value; if a subsequent request has a node with the same name, Fuzzware will replace its value. Fuzzware makes sure not to replace the value if the node specified is the node that is currently the target of fuzzing.
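The record-and-replace behaviour described above, as an added Python example (not Fuzzware's code and not part of the original tutorial). The node name `SessionToken`, the messages and the values are constructed, and identifying the fuzz target by node name alone is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

def local_name(tag: str) -> str:
    """Strip an '{namespace}' prefix so nodes are matched by local name."""
    return tag.rsplit("}", 1)[-1]

def node_text(xml: str, name: str):
    """Text of the first node called `name`, or None if there is none."""
    for node in ET.fromstring(xml).iter():
        if local_name(node.tag) == name:
            return node.text
    return None

class ResponseValueReuser:
    def __init__(self, reuse_names):
        self.reuse_names = set(reuse_names)  # response node names to watch for
        self.recorded = {}                   # node name -> last value seen

    def record(self, response_xml: str) -> None:
        for node in ET.fromstring(response_xml).iter():
            name = local_name(node.tag)
            if name in self.reuse_names and node.text:
                self.recorded[name] = node.text

    def apply(self, request_xml: str, fuzz_target=None) -> str:
        """Overwrite same-named request nodes, except the node being fuzzed."""
        root = ET.fromstring(request_xml)
        for node in root.iter():
            name = local_name(node.tag)
            if name in self.recorded and name != fuzz_target:
                node.text = self.recorded[name]
        return ET.tostring(root, encoding="unicode")

# Constructed messages: a login response and two later request bodies.
LOGIN_RESPONSE = "<LoginResponse><SessionToken>tok-7f3a</SessionToken></LoginResponse>"
NEXT_REQUEST = "<GetAccount><SessionToken>abc</SessionToken><accountId>1</accountId></GetAccount>"
FUZZED_TOKEN = "<GetAccount><SessionToken>AAAAAAAA</SessionToken><accountId>1</accountId></GetAccount>"

def demo():
    reuser = ResponseValueReuser(["SessionToken"])
    reuser.record(LOGIN_RESPONSE)
    normal = reuser.apply(NEXT_REQUEST)  # default value swapped for the live token
    fuzzed = reuser.apply(FUZZED_TOKEN, fuzz_target="SessionToken")  # fuzz value kept
    return node_text(normal, "SessionToken"), node_text(fuzzed, "SessionToken")
```

Without the exception for the fuzz target, every fuzzed value placed in the reused node would be overwritten before sending, and that field would never be tested.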

 


The final option is the output configuration, where you can choose the output directory and file extensions of any saved test cases. So how does Fuzzware decide which test cases to save? Basically, Fuzzware records the response to every method request, and if that response is unique then it will record the test case. This leads to a slight problem for Web Service fuzzing because there are usually multiple responses in the one test case. Fuzzware overcomes this by recording the test case if any of the responses are unique and noting the method which caused the unique response in the output statistics (which is why the same state is listed more than once, but each state should have a unique method appended in brackets after it).


Advanced Configuration
Whilst the UI allows for some customisation, it does lack some convenience:
1. You cannot limit the methods that are called; all the methods of the WSDL will be called per test case.
2. The UI is not convenient if we need to specify a large number of default values for method parameters.


To overcome these limitations it is best to run your WSDL project in Test Mode and look at the output files in the project directory. Fuzzware creates XSD files containing the definitions of all the types in the WSDL and of the methods of the WSDL. Fuzzware also creates an XML file containing the methods it will call and the order in which it will call them. The key point about the files that Fuzzware generates is that if you run Fuzzware again, it will not overwrite these files if they already exist, but will load and reuse them; hence they can be manually edited.


So both of the above limitations can be solved by editing the XML directly: you can remove methods that you do not want to call, and you can directly specify method parameter values in the XML. The format of the XML is very straightforward, with a root node that contains the SOAP Body method XML that will populate the SOAP template (specified in the output destination configuration); the only difference is that the method names are prepended with the service name (so multiple services with methods of the same name can be distinguished). Note also that the XSD files can be altered if Fuzzware has any issues with the types being used.
