



Simple dirty script to fuzz a SOAP request using the Burp Sniper approach, with Windows authentication.
# Simple dirty script to fuzz a SOAP request using the Burp Sniper approach:
# See
# Dependencies:
# pip install lxml requests_ntlm requests tabulate tqdm
import requests
import urllib3
from requests_ntlm import HttpNtlmAuth
from lxml import etree as ET
from tabulate import tabulate
from hashlib import sha1
from tqdm import tqdm
def generate_payloads_set(soapReqStr,injectionPayload):
    """Build mutated copies of a SOAP request, one per non-blank text node.

    Follows the Burp "Sniper" idea: every generated request differs from the
    template in exactly one position, where the text node is replaced by
    ``injectionPayload``; all other nodes keep their original value.

    Args:
        soapReqStr: the SOAP envelope as an XML string.
        injectionPayload: the string written into the targeted text node.

    Returns:
        ``payloads`` — intended to be the list of generated requests.
    """
    # Burp Sniper approach
    payloads= []
    root = ET.fromstring(soapReqStr)
    # NOTE(review): ``placeholder_count`` is not defined anywhere in the visible
    # script; it presumably counts the text nodes of ``root`` (the length of the
    # ``//text()`` result below) — confirm against the original gist.
    for i in range(0,placeholder_count):
        # Re-parse on every iteration so each payload mutates a fresh tree
        # rather than accumulating earlier replacements.
        root = ET.fromstring(soapReqStr)
        nodes = root.xpath("//text()")
        # Skip whitespace-only nodes (indentation between elements).
        if nodes[i] != None and len(nodes[i].strip("\n\r\t ")) > 0:
            nodes[i].getparent().text = injectionPayload
            # NOTE(review): nothing on the rendered page appends the mutated
            # tree to ``payloads``; a serialisation/append step appears to have
            # been lost in extraction, so as shown the function returns [].
    return payloads
def fuzz(url,http_headers,soapRequests,identity):
    """Send every generated SOAP request to ``url`` and print a summary table.

    Args:
        url: target endpoint (taken from the first line of the template request
            by the caller).
        http_headers: dict of HTTP headers applied to the whole session
            (SOAPAction and Content-Type in the caller).
        soapRequests: list of SOAP bodies to send, one request each.
        identity: ``requests`` auth object (``HttpNtlmAuth`` in the caller).

    Side effects:
        Writes ``<fuzz_id>-request.txt`` and ``<fuzz_id>-response.txt`` in the
        current folder for each request, then prints one row per request:
        [fuzz id, HTTP status code or "ERROR: ..." text, response length,
        elapsed seconds (-1 on error)].
    """
    results = []
    session = requests.Session()
    session.auth = identity
    session.headers = http_headers
    print("[i] Start the fuzzing...")
    for i in tqdm(range(0,len(soapRequests))):
        soapReq = soapRequests[i]
        if soapReq == None:
        # NOTE(review): the body of this branch (presumably a ``continue``) is
        # missing from the rendered page.
        # SHA-1 of the body is used only as a stable file/row identifier so a
        # table row can be matched to its request/response files; it plays no
        # security role here.
        fuzz_id = sha1(soapReq).hexdigest()
        with open(fuzz_id + "-request.txt","wb") as f:
        # NOTE(review): the write of ``soapReq`` into ``f`` is missing from the
        # rendered page.
        # NOTE(review): a ``try:`` must have opened here in the original — the
        # ``except`` below has no visible ``try`` — and the call target
        # (presumably ``session.post(url,``) is cut off.
        # ``verify=False`` disables TLS certificate validation for the target,
        # so the tool will also talk to an interposed endpoint; ``urllib3`` is
        # imported at the top presumably to silence the resulting
        # InsecureRequestWarning. Acceptable only for a lab target you control.
        resp =, data=soapReq, verify=False)
        # NOTE: ``len(resp.text)`` counts decoded characters, not bytes, despite
        # the column header printed below.
        results.append([fuzz_id, resp.status_code, len(resp.text), resp.elapsed.total_seconds()])
        with open(fuzz_id + "-response.txt","w") as f:
        # NOTE(review): the write of the response into ``f`` is missing from
        # the rendered page.
        except Exception as e:
            # Any transport/HTTP error becomes a table row instead of aborting
            # the run; the exception text replaces the status code.
            results.append([fuzz_id, "ERROR: " + str(e), "NA",-1])
    print("[i] Results:")
    print(tabulate(results,headers=["Fuzz ID", "Response code", "Response size in bytes", "Response time in seconds"], numalign="right", floatfmt=".2f"))
    print("[!] See Requests/Responses files in the current folder for details.")
if __name__== "__main__":
    # Load the sample SOAP request
    print("[i] Load the sample SOAP request and extract the parts...")
    with open("sample.raw", "r") as f:
        # NOTE(review): the right-hand side is cut off on the rendered page;
        # ``req`` is indexed (``req[0]``) and iterated line by line below, so it
        # is presumably the list of lines of the file.
        req =
    # Extract the URL/SOAPAction/SOAPRequest (HTTP body)
    # The first line is expected to look like "<METHOD> <full URL> ..."; the
    # second whitespace-separated field is used as the target URL.
    target_url = req[0].split(" ")[1].strip()
    xml = ""
    body_part = False
    for line in req:
        if "SOAPAction" in line:
            # Header value with its surrounding double quotes removed.
            soapAction = line.split(" ")[1].replace("\"","").strip()
        elif len(line.strip("\n\r")) == 0:
            # The first blank line separates the HTTP headers from the body;
            # everything from here on is collected as the XML template.
            body_part = True
        if body_part:
            xml += line
    print("\tTarget URL: %s" % target_url)
    # NOTE(review): ``soapAction`` is only bound when a SOAPAction header is
    # present in the template; a template without one raises NameError here.
    print("\tSOAPAction: %s" % soapAction)
    # Generate the list of test requests
    print("[i] Generate the list of test requests...")
    # "T" is the marker written into each text node in turn.
    payloads = generate_payloads_set(xml,"T")
    # Configure and start fuzzing
    # See below for other authentication modes:
    # Placeholder credentials. Keep real ones out of the script (read them from
    # the environment or prompt for them) so they are not committed or shared
    # along with the gist.
    identity = HttpNtlmAuth("DOMAIN\\USER","PASSWORD")
    http_headers = {"SOAPAction": soapAction, "Content-Type": "text/xml; charset=utf-8"}
    fuzz(target_url, http_headers, payloads, identity)
    print("[i] Fuzzing finished.")



@righettod righettod commented Aug 14, 2019

Usage example using this sample SOAP web service:

$ python
[i] Load the sample SOAP request and extract the parts...
        Target URL:
[i] Generate the list of test requests...
[i] Start the fuzzing...
100%|███████████████████████████████████████████| 1/1 [00:00<00:00,  6.75it/s]
[i] Results:
Fuzz ID                                     Response code    Response size in bytes    Response time in seconds
----------------------------------------  ---------------  ------------------------  --------------------------
4681809274c3a0017d8f1b96e038dc3114b04f72              200                      2825                        0.14
[!] See Requests/Responses files in the current folder for details.
[i] Fuzzing finished.

$ ls -l *.txt

Content of the file sample.raw that contains the template request to use:
⚠️ The first line must contain the full URL, i.e. POST http://....

Accept-Encoding: gzip, deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 299
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: close

<soapenv:Envelope xmlns:soapenv="" xmlns:tem="">