jurajsomorovsky
commented
9 years ago This is unfortunately not supported by WS-Attacker. It works currently only with WSDL files. If you want to use a different URL, you have two possibilities:
First, you can take a dummy WSDL file and exchange the service address location in this file. This will force WS-Attacker to send the content to that address. This solution is however not enough, if you want to encode/decode the XML content before sending it.
Second, you can write your own application based on the Wrapping library. In the test suites, you have many examples how to execute a signature wrapping attack, so your need is just to use it in a simple HTTP client and communicate with your service.
There is also a possibility to use a proxy to encode/decode the content (e.g., Burp Suite). The proxy configuration will be added in the next WS-Attacker release.
Regarding, the message...this is just a simple notice that your XML message provided during the "Test Request" execution must include an XML Signature with a validly signed payload. Otherwise, you cannot execute any Signature Wrapping attacks, if there is no XML Signature. (please note that the Test Request message initializes the XML Signature plugin, thus the Test Request message must include an XML Signature)
Is there a way to use the Signature Wrapping plugin on a URL that does not have a WSDL for download? This will be true of many endpoints that accept signed xml, e.g. SAML, but are not SOAP services.
The current message says "At least one signed part needs some valid XML payload, otherwise the plugin is not configured." and if I am understanding correctly, this is only resolved in the WSDL loader pane.