Closed Darkkey closed 5 years ago
If you're targeting webservices, a possible approach could be to record the query using Burp, put it in a text file, and then:

    ./erlamsa -o tcp://webservicehost:port query.txt

If it's a REST service or API, you could do something like this:

    ./erlamsa -o http://addr[:port]/path?params,POST,header1,... post_body.txt

For WSDL applications, you could capture the WSDL request and supply it as an input for erlamsa. You could limit the mutations to XML-only by supplying -m sgm as a command-line option.

As for catching anomalies, erlamsa is a grey-box testing tool, so the only option for webservices is to monitor the error log of the web application and the state of the service process. To catch XXEs and reverse connections, enable logging in erlamsa using the -L - option. To reduce the amount of logging, you could pass the logging level via the -L -,level=finding option.
How exactly does "level=finding" work when it comes to catching XXEs/reverse connections?
By default, erlamsa starts a connection monitor (see README.MD), which accepts incoming connections from XXE & co. By limiting the logging level from the default (info) to finding, you will be able to see only messages from the monitors (if any appear).
Thanks!
Originally posted by @ahpaleus in https://github.com/Darkkey/erlamsa/issues/6#issuecomment-435658036
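The grey-box monitoring described in the thread above (watching the application's error log, checking the state of the service process, and a connection monitor that records callbacks from XXE-style payloads), as an added Python example that is not part of erlamsa or of the original thread. The error patterns, the ConnectionMonitor class and probe() are constructed stand-ins: a fuzzed service that called back to the monitor's port would be recorded the same way probe() is.

```python
import re
import socket
import threading
import time
# Constructed sample patterns for the web application's error log; tune to the target.
ERROR_PATTERNS = [r"\bsegfault\b", r"Traceback", r"Fatal error", r"Uncaught", r"OutOfMemory"]

def scan_error_log(lines, patterns=ERROR_PATTERNS):
    """Return the error-log lines that match any anomaly pattern."""
    compiled = [re.compile(p) for p in patterns]
    return [line for line in lines if any(c.search(line) for c in compiled)]

def service_alive(host, port, timeout=1.0):
    """Process-state check: True if the fuzzed service still accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

class ConnectionMonitor:
    """Logs the peer and first bytes of every inbound connection, the way erlamsa's
    connection monitor surfaces a target calling back after an XXE-style payload."""
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket()
        self.sock.bind((host, port))  # port 0: let the OS pick a free port
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self.findings = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, peer = self.sock.accept()
            with conn:
                conn.settimeout(1.0)
                first = conn.recv(256)  # e.g. the HTTP request line of the callback
            self.findings.append((peer[0], first))

    def wait_findings(self, count=1, timeout=3.0):
        """Block until `count` callbacks are logged or the timeout passes; return them."""
        deadline = time.monotonic() + timeout
        while len(self.findings) < count and time.monotonic() < deadline:
            time.sleep(0.05)
        return list(self.findings)

def probe(host, port, payload=b"GET /callback HTTP/1.0\r\n\r\n"):
    """Constructed stand-in for the target calling back; connects and sends one request."""
    with socket.create_connection((host, port), timeout=1.0) as s:
        s.sendall(payload)
```

Note that the liveness check itself opens a connection to whatever it probes, so when it is pointed at the monitor it shows up as a finding with empty first bytes; a real run points it at the fuzzed service instead.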