Fuzzing XML

Xmlfuzz is a fuzz-testing tool specifically designed to test XML services. The tool is not strictly oriented towards XMLRPC and SOAP, although these two types of services are well supported. In practice, Xmlfuzz is generic and can be used to test any web service that accepts XML input. Let's see how it works in practice.

Step 1

To start a test, all you have to do is specify an HTTP request whose body contains an XML data structure, then press the start button for the test to begin.

Step 2

Screenshot 01

Notice that the very first request generated by the tool is highlighted to set it apart from the rest of the requests. This is known as the base request: in other words, the original request you specified when initiating the fuzz-test. The base request is recorded for your own reference and comes in very useful when analyzing the fuzz results. For example, you may want to compare each fuzz result against the base request and examine the differences.

Screenshot 02

Xmlfuzz is not linear. In other words, there is no defined start and end when using the tool, only different stages. You can use the request editor to initiate a new fuzz-test within the current session at any point in time. You can even use any fuzz result from the generated transactions as the base request for additional fuzz-tests. There are no limits to what you can do.

Step 3

The true power of the tool comes from the built-in analyzer. Every transaction generated by the tool is automatically analyzed for suspicious behavior. Some security issues are reported immediately, and you will see notifications appear on the screen. The report screen generates a report of all automatically identified issues, which can be exported in all supported formats as usual.
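The three steps above (base request, generated transactions, analysis against the base) as an added Python example; this is not Xmlfuzz's own code or part of the original page. The XML-RPC style request body, the mutation values and the in-process stand-in for the endpoint (the real tool sends HTTP requests) are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed base request body (XML-RPC style), embedded so the example runs offline.
BASE_BODY = ("<methodCall><methodName>account.lookup</methodName><params>"
             "<param><value><int>42</int></value></param>"
             "<param><value><string>alice</string></value></param></params></methodCall>")
# Generic values substituted into each leaf text node, one field at a time.
MUTATIONS = ["", "A" * 4096, "-1", "0", "<!--x-->", "9999999999999999999"]
def leaves(root):
    """Leaf elements carrying text, in document order."""
    return [e for e in root.iter() if len(e) == 0 and e.text is not None]

def mutate(body):
    """Yield (tag, value, mutated_body): every leaf gets every mutation, then one truncated document."""
    for i in range(len(leaves(ET.fromstring(body)))):
        for value in MUTATIONS:
            clone = ET.fromstring(body)  # fresh tree, so each case changes exactly one field
            target = leaves(clone)[i]
            target.text = value
            yield target.tag, value, ET.tostring(clone, encoding="unicode")
    yield "(structure)", "truncated", body[: len(body) // 2]  # malformed-document case

def fake_service(body):
    """Constructed stand-in for the endpoint under test; returns (status, response_body)."""
    try:
        root = ET.fromstring(body)
        uid = int(root.findtext(".//int"))
        if uid < 0:
            raise ValueError("negative id")  # simulated unhandled error path
        return 200, f"<result>{root.findtext('.//string')}:{uid}</result>"
    except ET.ParseError:
        return 400, "<fault>malformed</fault>"  # graceful rejection, not a finding
    except Exception as exc:
        return 500, f"<fault>Traceback: {exc}</fault>"

def analyze(base, resp):
    """Name the suspicious behaviour in one fuzz result, judged against the base response."""
    status, text = resp
    checks = [(status >= 500, "server error"),
              ("Traceback" in text, "stack trace leaked"),
              (abs(len(text) - len(base[1])) > 1024, "response size anomaly")]
    return [label for hit, label in checks if hit]

def run_fuzz(body, send=fake_service):
    """Record the base response, then send every mutation and analyze it against the base."""
    base = send(body)
    results = []
    for tag, value, mutated in mutate(body):
        resp = send(mutated)
        results.append((tag, value, resp[0], analyze(base, resp)))
    return base, results
```

Each entry in the returned list pairs the mutated field and value with the status and findings, which is the comparison against the base request that the report screen summarises.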

Usage, Strategies and Comments

There are no limitations to how the tool can be used and what it can do. As long as your endpoint accepts XML for the body of a request, it can be successfully fuzzed by the tool.