Darkkey / erlamsa

Erlang port of the famous radamsa fuzzer.
MIT License

Fuzzing webservices questions #7

Closed Darkkey closed 5 years ago

Darkkey commented 5 years ago

I have an additional question for you: what does your configuration look like during, for example, WSDL/API/web app testing? How do you catch anomalies?

Originally posted by @ahpaleus in https://github.com/Darkkey/erlamsa/issues/6#issuecomment-435658036

Darkkey commented 5 years ago

If you're targeting webservices, a possible approach could be to record a query using Burp, put it in a text file, and then run: ./erlamsa -o tcp://webservicehost:port query.txt. If it's a REST service or API, you could do something like this: ./erlamsa -o http://addr[:port]/path?params,POST,header1,... post_body.txt

For WSDL applications, you could capture a WSDL request and supply it as input to erlamsa. You could limit the mutations to XML-only by supplying -m sgm as a command-line option.

As for catching anomalies, erlamsa is a grey-box testing tool, so the only option for webservices is to monitor the error log of the web application and the state of the service process. To catch XXEs and reverse connections, enable logging in erlamsa using the -L - option. To reduce the amount of logging, you could pass the logging level via the -L -,level=finding option.
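The workflow in the comment above, as an added example that is not part of this thread or of erlamsa: a small Python harness that turns a request saved from Burp into the -o target in the shape the comment gives, classifies what a grey-box client can observe per mutated request (connection failure, hang, 5xx), and runs a stand-in out-of-band listener that plays the role erlamsa's own connection monitor plays for XXE and reverse-connection callbacks. The sample request, the host and port, and the assumption that each header on the -o target is written as "Name: value" are mine, not the project's.

```python
"""Added grey-box harness example for fuzzing a webservice with a captured
request. OOBMonitor is a stand-in for erlamsa's connection monitor, not its
code; the request below and the host/port in it are constructed samples."""
import socket
import socketserver
import threading

# Constructed sample of a request saved from Burp (host and path invented).
SAMPLE_REQUEST = (
    b"POST /api/v1/users?verbose=1 HTTP/1.1\r\n"
    b"Host: webservicehost:8080\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b'{"name":"alice","role":"u"}'
)


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, headers, body


def erlamsa_http_target(raw):
    """Build the -o argument in the form shown in the comment:
    http://addr[:port]/path?params,METHOD,header1,...
    Writing each header as 'Name: value' is an assumption. Host goes into the
    URL and Content-Length is dropped, since the mutated body changes length."""
    method, path, headers, _body = parse_raw_request(raw)
    host = dict(headers)["Host"]
    kept = [f"{n}: {v}" for n, v in headers
            if n.lower() not in ("host", "content-length")]
    return ",".join([f"http://{host}{path}", method, *kept])


def classify_response(status=None, elapsed=0.0, error=None, timeout=5.0):
    """Grey-box verdict for one mutated request: with no instrumentation in
    the target, the only signals are the ones a client can observe."""
    if error is not None:       # refused/reset: the service process may be down
        return "down"
    if elapsed >= timeout:      # no answer in time: hang or resource exhaustion
        return "hang"
    if status is not None and status >= 500:
        return "server-error"   # correlate with the application's error log
    return "ok"


class OOBMonitor(socketserver.ThreadingTCPServer):
    """Stand-in for erlamsa's connection monitor: anything that connects here
    is an out-of-band callback, e.g. an XXE payload resolving an external DTD
    from the fuzzer's address."""
    allow_reuse_address = True

    def __init__(self, addr=("127.0.0.1", 0)):
        super().__init__(addr, OOBMonitor.Handler)
        self.hits = []
        self._lock = threading.Lock()
        self.hit_event = threading.Event()

    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            first = self.request.recv(256)   # whatever the callback sent first
            with self.server._lock:
                self.server.hits.append((self.client_address[0], first))
            self.server.hit_event.set()

    def findings(self):
        """Only monitor hits, i.e. what a 'finding'-level log would show."""
        return [f"oob callback from {ip}: {data!r}" for ip, data in self.hits]


def run_oob_demo(payload=b"GET /evil.dtd HTTP/1.0\r\n\r\n"):
    """Start the listener, play the part of a vulnerable XML parser fetching
    an external entity from it, then stop and return the findings."""
    mon = OOBMonitor()
    t = threading.Thread(target=mon.serve_forever)
    t.start()
    try:
        with socket.create_connection(mon.server_address) as s:
            s.sendall(payload)
        mon.hit_event.wait(timeout=5)   # let the handler record the hit first
    finally:
        mon.shutdown()        # stops serve_forever
        mon.server_close()    # joins handler threads, so hits is complete
        t.join()
    return mon.findings()


if __name__ == "__main__":
    print("erlamsa -o", erlamsa_http_target(SAMPLE_REQUEST), "post_body.txt")
    print(classify_response(status=503), classify_response(error=OSError()))
    print(run_oob_demo())
```

In a real run the body of the captured request is written to post_body.txt and handed to erlamsa with the printed -o target; the listener side shows why restricting the log to finding level is enough, since a monitor hit is the whole signal for an XXE or reverse connection.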

ahpaleus commented 5 years ago

How exactly does "level=finding" work when it comes to catching XXEs/reverse connections?

Darkkey commented 5 years ago

> How exactly does "level=finding" work when it comes to catching XXEs/reverse connections?

By default, erlamsa starts a connection monitor (see README.MD), which accepts incoming connections from XXE & co. Limiting the logging level from the default (info) to finding, you will see only messages from monitors (if any appear).

ahpaleus commented 5 years ago

Thanks!