Burp Suite Plugin: WCF Binary SOAP Scanner Insertion Point

In a previous post, I showed how the Burp Suite API can be used to view and modify WCF Binary SOAP messages to assist with manual testing and analysis.  Next, I wanted to allow Burp to perform automated scans on WCF Binary SOAP requests. This post demonstrates use of the Scanner Insertion Point Provider to accomplish that goal.

There are two roles that the plugin must fulfill.  First, the plugin must identify potential insertion points for scanner payloads. Second, the plugin must accept attack payloads from Burp and construct valid requests containing them. Insertion points are identified by decoding the WCF Binary SOAP message (into an XML format) and iterating through the DOM to identify nodes that contain text. Each of these nodes is then sent back to Burp as a WCFBinaryInsertionPoint instance. Once Burp is ready to scan the URL, it passes attack payloads to each instance of WCFBinaryInsertionPoint it received.  The original request is then decoded, the payload is inserted into the correct XML node, and the request is re-encoded and returned to Burp.

I verified the solution by chaining two instances of Burp together and watching scanner traffic.  In the second Burp instance, I could watch WCF Binary SOAP requests being sent to the server containing the attack payload in the correct XML node.  I then ensured that the response did not contain an exception indicating that the server could not understand the message. One item I did not verify was whether or not Burp could successfully identify vulnerabilities in the responses since they are still in a WCF Binary SOAP format.  My guess would be that any signatures that match error messages like “System.Data.SqlClient.SqlException: Unclosed quotation mark” would still succeed. Results could likely be improved by registering an HTTP Listener within burp that automatically decodes responses for the Scanner if they have a content type of “application/msbin1”.

Previously, I mentioned that stack traces for run-time exceptions in Burp only referenced obfuscated class names. Before writing this plugin, I upgraded to the latest version (1.5.04 at the time) and noticed that this has changed.  Stack traces are now very helpful and greatly reduce the amount of debugging time required.

The plugin code is available as a gist at:

Previous Burp Plugin: Burp Suite Plugin: View and Modify WCF Binary SOAP Messages