Home Page

SOAP Web Services - Documentation Hub

Welcome to the SOAP Web Services documentation. Below, you will find links to detailed documentation pages for each available SOAP service. Click on a service to explore its methods, example requests, and troubleshooting tips.

Note for Beginners: SOAP (Simple Object Access Protocol) services use XML-based messaging for communication. This documentation provides detailed examples on how to interact with these services using tools like Burp Repeater and curl.

Available SOAP Services

WS DNS Lookup Service - Performs DNS lookups for specified hostnames.
WS Echo Service - A simple echo service to test message transmission.
WS Test Connectivity Service - Verifies connectivity with the API.
WS User Account Service - Manages user accounts (CRUD operations).
WS Login Service - Authenticates clients and returns a JWT for further requests.

Understanding Security Levels and Authentication

This system has multiple security levels that affect access to the web services:

Security Level 0 - No authentication required. You can send requests without any additional headers or tokens.
Security Level 1 or Higher - Authentication with a JWT token is required for all services except ws-login. You must obtain a JWT token by logging in through the ws-login endpoint using your client_id and client_secret.

Important: At security level 1 or higher, you must include a JWT token in the Authorization header for each request. Without a valid token, you will receive a 401 Unauthorized error.

Step-by-Step Guide to Using JWT Authentication

Log In to Obtain a JWT Token: Send a POST request to the WS Login Service using your client_id and client_secret to authenticate. If successful, the response will include a JWT token.

Example (curl):

curl -X POST http://mutillidae.localhost/webservices/soap/ws-login.php \
-H "Content-Type: text/xml" \
--data "<soapenv:Envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' \
xmlns:urn='urn:ws-login'>
   <soapenv:Header/>
   <soapenv:Body>
      <urn:login>
         <client_id>your-client-id</client_id>
         <client_secret>your-client-secret</client_secret>
         <audience>target-audience-url</audience>
      </urn:login>
   </soapenv:Body>
</soapenv:Envelope>"

The response will include a token in the format:

{
  "access_token": "your-jwt-token-here",
  "token_type": "bearer",
  "expires_in": 3600,
  "timestamp": "2024-11-17T19:30:00Z"
}

Save the Token: Copy the JWT token from the response and store it securely. You will need to include it in the Authorization header of each authenticated request.
Include the Token in Requests: When calling any authenticated endpoint, include the token in the Authorization header using the format Bearer <your-token>.

Examples of Making Authenticated Requests

Using curl

Below is an example of an authenticated request using curl:

curl -X POST http://mutillidae.localhost/webservices/soap/ws-user-account.php \
-H "Content-Type: text/xml" \
-H "Authorization: Bearer <your-token>" \
--data "<soapenv:Envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' \
xmlns:urn='urn:ws-user-account'>
   <soapenv:Header/>
   <soapenv:Body>
      <urn:getUser>
         <username>john</username>
      </urn:getUser>
   </soapenv:Body>
</soapenv:Envelope>"

Using Burp Suite

To send an authenticated request in Burp Suite:

Open Burp Suite and navigate to the Repeater tab.

Enter the URL in the Request line, such as:

POST /webservices/soap/ws-user-account.php HTTP/1.1
Host: mutillidae.localhost
Content-Type: text/xml
Authorization: Bearer your-jwt-token-here

In the Headers section, ensure the Authorization header is included:
```
Authorization: Bearer your-jwt-token-here
```
Click Send to submit the request. If the token is valid, you will receive a successful response from the server.

How to Use the Services

Each service page provides:

An overview of the service functionality.
Examples of requests using Burp Repeater and curl.
Details about the expected response from the service.
Troubleshooting tips in case of issues.

Troubleshooting Common Issues

401 Unauthorized: Make sure your request includes a valid JWT token in the Authorization header. If you haven't obtained a token yet, refer to the "Log In to Obtain a JWT Token" section.
400 Bad Request: Verify that your request follows the correct SOAP structure and all required parameters are included. Missing or incorrectly formatted parameters can cause this error.
500 Internal Server Error: This usually indicates a server-side issue. Check the SOAP response for detailed error messages and ensure the server is functioning correctly.

If you encounter other issues, please consult the documentation or contact support for assistance.