Lesson Plan Title: How to Create a SOAP Request


Concept / Topic To Teach:

Web services communicate through SOAP requests. A request is submitted to a web service to invoke an operation that the service describes in its Web Services Description Language (WSDL) file. Let's learn something about WSDL files: check out WebGoat's WSDL file.


General Goal(s):

Try connecting to the WSDL with a browser or a web service tool. The URL for the web service is http://localhost/WebGoat/services/SoapRequest (host and port vary with your setup). The WSDL can usually be viewed by appending ?WSDL to the web service URL.


Figure 1 - Lesson 21


Solution:


Click on the URL "WebGoat WSDL" to examine the Web Services Description Language file.


Figure 2 - WSDL


Count the number of operations (such as getFirstName) in the WSDL. There are 4 operations defined.


Figure 3 - Enter the ID


For the next question: the getFirstNameRequest method uses an int as its parameter type. Enter int and click "Submit".


Figure 4 - Stage 2 Completed


Intercept the HTTP Request with WebScarab and click on the “Raw” tab. Make sure that “Intercept Responses” is selected.


  1. Change the POST header to open the SoapRequest:
     POST http://localhost/WebGoat/services/SoapRequest HTTP/1.1 (this will vary based on which ports you are using)
  2. Change the Content-Type to text/xml:
     Content-Type: text/xml
  3. Add a SOAPAction header:
     SOAPAction: (no value needs to be specified for this header)
  4. Append the XML envelope to the request:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
    <ns1:getFirstName SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns1="http://lessons">
      <id xsi:type="xsd:int">101</id>
    </ns1:getFirstName>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

It is important that there is no whitespace (carriage returns or spaces) between the SOAPAction header and the opening <?xml tag. Any such whitespace causes the service to return an error instead of the desired response.
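The steps above are normally carried out by hand in a proxy, which makes it easy to paste a stray carriage return in front of the XML declaration. The following Python script is an added example (not part of the original lesson or of WebGoat) that does the same work programmatically: it reads the operation list and the parameter type of getFirstName out of a WSDL, builds the envelope and the raw HTTP request exactly as the lesson describes, checks that the body begins at `<?xml`, and extracts the return value from a response, raising on a SOAP Fault. The WSDL fragment, the response and the fault are constructed sample data modelled on the lesson; the operation names other than getFirstName are placeholders; nothing is sent over the network.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
HOST, PATH = "localhost", "/WebGoat/services/SoapRequest"  # from the lesson; port varies

# Constructed WSDL fragment: four operations in the portType, getFirstName taking one
# xsd:int part named "id". The other three operation names are placeholders.
SAMPLE_WSDL = """<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions targetNamespace="http://lessons" xmlns:impl="http://lessons"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <wsdl:message name="getFirstNameRequest"><wsdl:part name="id" type="xsd:int"/></wsdl:message>
  <wsdl:message name="getFirstNameResponse"><wsdl:part name="getFirstNameReturn" type="xsd:string"/></wsdl:message>
  <wsdl:portType name="SoapRequest">
    <wsdl:operation name="getFirstName"><wsdl:input message="impl:getFirstNameRequest"/></wsdl:operation>
    <wsdl:operation name="operationTwo"><wsdl:input message="impl:operationTwoRequest"/></wsdl:operation>
    <wsdl:operation name="operationThree"><wsdl:input message="impl:operationThreeRequest"/></wsdl:operation>
    <wsdl:operation name="operationFour"><wsdl:input message="impl:operationFourRequest"/></wsdl:operation>
  </wsdl:portType>
</wsdl:definitions>"""

# Constructed response carrying the value the lesson expects, and a constructed fault
# of the kind an XML parser returns when whitespace precedes the XML declaration.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body><ns1:getFirstNameResponse xmlns:ns1="http://lessons">
    <getFirstNameReturn xsi:type="xsd:string">Joe</getFirstNameReturn>
  </ns1:getFirstNameResponse></soapenv:Body>
</soapenv:Envelope>"""
SAMPLE_FAULT = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode>
    <faultstring>Content is not allowed in prolog.</faultstring></soapenv:Fault></soapenv:Body>
</soapenv:Envelope>"""


def list_operations(wsdl_xml: str) -> list[str]:
    """Names of the operations declared in the WSDL portType (what the lesson asks you to count)."""
    root = ET.fromstring(wsdl_xml)
    return [op.get("name") for op in root.findall(f"{{{WSDL_NS}}}portType/{{{WSDL_NS}}}operation")]


def request_param_types(wsdl_xml: str, operation: str) -> dict[str, str]:
    """Map part name -> XSD type for the input message of one operation."""
    root = ET.fromstring(wsdl_xml)
    for op in root.findall(f"{{{WSDL_NS}}}portType/{{{WSDL_NS}}}operation"):
        if op.get("name") == operation:
            msg_name = op.find(f"{{{WSDL_NS}}}input").get("message").split(":")[-1]
            break
    else:
        raise KeyError(f"operation {operation!r} not in WSDL")
    for msg in root.findall(f"{{{WSDL_NS}}}message"):
        if msg.get("name") == msg_name:
            return {p.get("name"): p.get("type") for p in msg.findall(f"{{{WSDL_NS}}}part")}
    raise KeyError(f"message {msg_name!r} not in WSDL")


def build_envelope(operation: str, param: str, value: int, xsd_type: str = "xsd:int") -> str:
    """The lesson's envelope, serialised without any leading whitespace. int() keeps the
    parameter a number, so no markup can be smuggled into the element text."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV_NS}" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<SOAP-ENV:Body>"
        f'<ns1:{operation} SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns1="http://lessons">'
        f'<{param} xsi:type="{xsd_type}">{int(value)}</{param}>'
        f"</ns1:{operation}></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def build_raw_request(host: str, path: str, envelope: str) -> bytes:
    """Raw HTTP/1.1 request as the lesson edits it in the proxy: POST, text/xml, empty SOAPAction.
    Exactly one CRLF CRLF separates the headers from the body."""
    body = envelope.encode("utf-8")
    headers = [f"POST {path} HTTP/1.1", f"Host: {host}", "Content-Type: text/xml",
               "SOAPAction:", f"Content-Length: {len(body)}"]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def body_is_well_placed(raw: bytes) -> bool:
    """True when the body starts directly with the XML declaration (the lesson's whitespace caveat)."""
    _, sep, body = raw.partition(b"\r\n\r\n")
    return bool(sep) and body.startswith(b"<?xml")


def parse_response(xml_text: str) -> str:
    """Return the text of the first element inside the response wrapper, or raise on a SOAP Fault."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_ENV_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no SOAP Body in response")
    wrapper = body[0]
    if wrapper.tag == f"{{{SOAP_ENV_NS}}}Fault":
        raise RuntimeError("SOAP fault: " + wrapper.findtext("faultstring", default=""))
    if len(wrapper) == 0:
        raise ValueError("response wrapper carries no return element")
    return (wrapper[0].text or "").strip()


if __name__ == "__main__":
    print(len(list_operations(SAMPLE_WSDL)), "operations:", list_operations(SAMPLE_WSDL))
    types = request_param_types(SAMPLE_WSDL, "getFirstName")
    raw = build_raw_request(HOST, PATH, build_envelope("getFirstName", "id", 101, types["id"]))
    print(raw.decode(), "\nbody well placed:", body_is_well_placed(raw))
    print("first name:", parse_response(SAMPLE_RESPONSE))
```

Running the script prints the four operation names, the request bytes ready to be pasted into the proxy's Raw tab, and the first name Joe taken from the sample response. Feeding `SAMPLE_FAULT` to `parse_response` raises instead of silently returning an empty string, which is the behaviour you want when the server rejects a malformed body.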


Figure 5 - Updated HTTP request with SOAP parameters


The response contains the first name Joe.

Figure 6 - Intercepted response

Solution by Erwin Geirnaert, ZION SECURITY