SOAP WS Login Service Documentation

The SOAP WS Login Service allows clients to authenticate using their client_id and client_secret, receiving a JSON Web Token (JWT) for further interaction with secured services.

Endpoint

POST /webservices/soap/ws-login.php

Request Parameters

Example Request Using Burp Repeater

Here’s how to send a SOAP request to the login service using Burp Repeater:

POST /webservices/soap/ws-login.php HTTP/1.1
Host: mutillidae.localhost
Content-Type: text/xml; charset=utf-8
SOAPAction: "urn:ws-login#login"
Content-Length: [length]
Connection: close

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:urn="urn:ws-login">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:login>
         <client_id>fb975a0e0248994221b3a6e87ba92fe9</client_id>
         <client_secret>f1d10934f1525ebfdf0b08a2413a3a3f683eaae3913489c786e496e403ab7bff</client_secret>
         <audience>http://mutillidae.localhost/webservices/soap/ws-user-account.php</audience>
      </urn:login>
   </soapenv:Body>
</soapenv:Envelope>

Instructions:

  1. Open Burp Suite and navigate to the Repeater tab.
  2. Copy the above request and paste it into the Repeater window.
  3. Update the Content-Length header to match the byte size of the body.
  4. Click Send to see the response.

Example Request Using curl

If you prefer using the command line, here’s how to send the same request with curl:


        curl -X POST "http://mutillidae.localhost/webservices/soap/ws-login.php" \
        -H "Content-Type: text/xml; charset=utf-8" \
        -H 'SOAPAction: "urn:ws-login#login"' \
        --data '<?xml version="1.0" encoding="UTF-8"?>
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:ws-login">
           <soapenv:Header/>
           <soapenv:Body>
              <urn:login>
                 <client_id>fb975a0e0248994221b3a6e87ba92fe9</client_id>
                 <client_secret>f1d10934f1525ebfdf0b08a2413a3a3f683eaae3913489c786e496e403ab7bff</client_secret>
                 <audience>http://mutillidae.localhost/webservices/soap/ws-user-account.php</audience>
              </urn:login>
           </soapenv:Body>
        </soapenv:Envelope>'

Instructions:

  1. Open a terminal or command prompt.
  2. Copy and paste the above curl command.
  3. Replace fb975a0e0248994221b3a6e87ba92fe9 (the client_id) and f1d10934f1525ebfdf0b08a2413a3a3f683eaae3913489c786e496e403ab7bff (the client_secret) with valid values.
  4. Press Enter to send the request and view the response.

Expected Response

Upon successful authentication, the server will respond with a JWT token:

<?xml version="1.0"?>
<response>
   <access_token>your-jwt-token</access_token>
   <token_type>bearer</token_type>
   <expires_in>3600</expires_in>
   <timestamp>2024-11-18T12:00:00Z</timestamp>
</response>

Using the JWT Token in Subsequent Requests

After obtaining the token, include it in the Authorization header for future SOAP or REST requests. For example:

Example Using curl

To call an authenticated endpoint, such as ws-user-account:


        curl -X POST "http://mutillidae.localhost/webservices/soap/ws-user-account.php" \
        -H "Content-Type: text/xml; charset=utf-8" \
        -H 'SOAPAction: "urn:ws-user-account#getUser"' \
        -H "Authorization: Bearer your-jwt-token" \
        --data '<?xml version="1.0" encoding="UTF-8"?>
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:ws-user-account">
           <soapenv:Header/>
           <soapenv:Body>
              <urn:getUser>
                 <username>some-user</username>
              </urn:getUser>
           </soapenv:Body>
        </soapenv:Envelope>'
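
The two curl calls above chained into one script, as an added example that is not part of the original documentation or of Mutillidae itself. The function names and the CLIENT_ID / CLIENT_SECRET environment variables are assumptions; values are XML-escaped before they are placed in the envelope, and the token is read from the access_token element of the login response.

```shell
#!/bin/sh
# Added example (not Mutillidae's own code): log in, extract the token, reuse it.
# BASE defaults to the lab host used on this page; CLIENT_ID and CLIENT_SECRET
# are assumed environment variables, and all function names are hypothetical.
BASE="${BASE:-http://mutillidae.localhost/webservices/soap}"
ENV_NS='xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'

# Escape XML metacharacters so a value cannot change the envelope structure.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Print the text of one simple element (no attributes or children) from stdin.
xml_field() {
  tr -d '\r\n' | sed -n "s:.*<$1>\([^<]*\)</$1>.*:\1:p"
}

# Build the login envelope from client_id, client_secret and audience.
login_envelope() {
  printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
    "<soapenv:Envelope $ENV_NS xmlns:urn=\"urn:ws-login\">" \
    '<soapenv:Header/><soapenv:Body><urn:login>' \
    "<client_id>$(xml_escape "$1")</client_id>" \
    "<client_secret>$(xml_escape "$2")</client_secret>" \
    "<audience>$(xml_escape "$3")</audience>" \
    '</urn:login></soapenv:Body></soapenv:Envelope>'
}

# POST the login request and print only the access token.
get_token() {
  login_envelope "$1" "$2" "$3" |
    curl -sS -X POST "$BASE/ws-login.php" \
      -H 'Content-Type: text/xml; charset=utf-8' \
      -H 'SOAPAction: "urn:ws-login#login"' \
      --data-binary @- | xml_field access_token
}

# Call getUser on ws-user-account, sending the token as a bearer credential.
get_user() {
  curl -sS -X POST "$BASE/ws-user-account.php" \
    -H 'Content-Type: text/xml; charset=utf-8' \
    -H 'SOAPAction: "urn:ws-user-account#getUser"' \
    -H "Authorization: Bearer $1" \
    --data-binary "<soapenv:Envelope $ENV_NS xmlns:urn=\"urn:ws-user-account\"><soapenv:Header/><soapenv:Body><urn:getUser><username>$(xml_escape "$2")</username></urn:getUser></soapenv:Body></soapenv:Envelope>"
}

# Constructed sample: the body from the "Expected Response" section, on one line.
SAMPLE='<?xml version="1.0"?><response><access_token>your-jwt-token</access_token><token_type>bearer</token_type><expires_in>3600</expires_in></response>'
# Live use: t=$(get_token "$CLIENT_ID" "$CLIENT_SECRET" "$BASE/ws-user-account.php") && [ -n "$t" ] && get_user "$t" some-user
```

Reading the credentials from environment variables keeps them out of the script file; the token still appears on curl's command line, which is acceptable in a local lab.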

Example Using Burp Repeater

To include the token in Burp Suite:

  1. Paste the token in the Authorization header of your request:

        Authorization: Bearer your-jwt-token

  2. Send the request to a secured endpoint.

Troubleshooting Tips: