forked from RUB-NDS/WS-Attacker
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGELOG.txt
123 lines (101 loc) · 4.27 KB
/
CHANGELOG.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
================
19. January 2017
================
New Compression DoS Attack based on In the Compression Hornet’s Nest: A Security Study of Data Compression in Network Services"
- Thanks to RemiMHFU for pulling
Bugfix for XXE
- Thanks to putsi
Proxy fixes
- Should now work with Burp Suite with all plugins
===============
10. July 2015
===============
New Intelligent Denial-of-Service Plugin (by Christian Altmeier):
- Fully automatic detection of DoS Weaknesses
- Detects Thresholds
- Improved time measurement ("last byte sent" till "first byte received")
Framework Changes
- Support for plugin icons
===============
12. May 2015
===============
New XML-Encryption Attack Plugin (by Dennis Kupser):
- Automatically detects XML-Encryption Attack countermeasures
- Attacks symmetric XML-Encryption (http://nds.rub.de/media/nds/veroeffentlichungen/2011/10/22/HowToBreakXMLenc.pdf)
- Attacks asymmetric XML-Encryption via Bleichenbacher Fault Oracle (http://nds.rub.de/media/nds/veroeffentlichungen/2012/12/19/XMLencBleichenbacher.pdf)
Many Bugfixes
===============
19. March 2015
===============
Framework Changes:
- The code design was a bit out-dated since 2009. Thus, it is heavily
refactored. Most important change: Almost every component like
AbstractPlugin or AbstractOption are now using the Java bean concept.
This was needed to improve the UI.
- New Plugin Configuration Screen, new UI Components for Options
- New Request/Response GUI
- Support for additional/custom HTTP Headers
- Shows response HTTP Headers
- URL Endpoint is now changeable
- Simplyfied maven structure
- Added custom checkstyle rules
- Bumped SoapUI to version 4.6.4
- Framework now saves last used WSDL URI
- Code improvements and Bug Fixes (thanks to Christian Altmeier)
- Proxysupport
=============
24. Juni 2013
=============
New XML-Denial-of-Service Plugin (by Andreas Falkenberg):
- Various Attack Techniques
-Coercive Parsing
-Hash Collision Attack (DJBX31A, DJBX33A, DJBX33X)
-SOAP Array Attack
-XML Attribute Count Attack
-XML Element Count Attack
-XML Entity Expansion Attack
-XML External Entity Attack
-XML Overlong Element Names
- After the attack is finished, right click on the Plugin in the "Attack
Overview" to see more details!
General:
- Splitted Signature Wrapping Plugin into a "Plugin" and its "Library Functions"
- Library is independent of Main WS-Attacker Framework
Signature Wrapping Plugin improved:
- Now it is possible to right click on the Plugin in the "Attack Overview"
to slide through all XSW possibilities
Signature Wrapping Library improved:
- Improved compatibility when Signatures sign Signatures (Usefull e.g. for
SAML Responses which sign SAML Assertions)
- New and better XML Schema Analyzer
New Signature Faking Library (by Juraj Somorovsky):
- Creates a new Signature Value for a given XML Signature by using a newly
created Fake Certificate
- Yet only available as a Library (No WS-Attacker Plugin available)
Framework Changes:
- Very small GUI improvements
- lalib-checkboxtree library now added locally because of Maven repository
changes
=================
05. November 2012
=================
Signature Wrapping Plugin improved:
- SAML over SOAP Working
- XSW-IDs now randomly chosen instead of prepending the string "atk-"
- It is now possible to analyse responses. To do this, right-click on the XSW plugin in the Attack-Overview Button after the attack is finished.
Framework Changes:
- Some GUI Elements have been recreated using Netbeans Form Designer (Matisse)
- Support for plugin functions -> See XSW response analysis
- Libraries are now used in a "lib" folder instead of repacking it into the JAR
============
4. July 2012
============
Added XML Signature Wrapping Plugin:
- Technique for automatically attacking XML Signature protected Web Services
- Just set the endpoint and follow the instructions on the Plugin Config screen
Framework Changes:
- Options Window is now Scrollable
- Some minor changes.
Release Note:
- Now only one format (zip) available
- Source Code can be checked in GIT Repository