"This week, I was doing an internal penetration test for a client of a web service, which is used by applications loaded on kiosk machines around the country. I didn’t have much time to do the test, so I had a couple advantages, like having network access to the service, the WSDL and also ability to interact with the developers. This also gave me a chance to see how capable our web application firewall was at being able to detect attacks.
I had some trouble with WSFuzzer, and kept getting “XML Fault” errors like the one below:
There was an anomaly encountered in interfacing with the provided target. The neuroFuzz team is aware of these situational conditions and we are looking into the root cause(s) …
If you would like to help with this type of research send the following data along with some details about the target service to firstname.lastname@example.org
Response: XML Fault
Ok, no big deal — I’ll just write my own! I loaded up soapUI and put in the WSDL address, and soapUI was able to generate the XML requests according to the WSDL. soapUI automatically puts a question mark placeholder into the input areas, so I then saved these as individual XML files — one for each service method."