API HACKING SECRET 4 | FINDING API ENDPOINT USING WSDL

Nitesh Pandey
4 min readMay 27, 2020

--

In this part, I will teach you how to extract endpoints from the WSDL file so let's get started.

So for finding the endpoint you need a WSDL file and if you are reading this you must have read my previous parts of API hacking and i assume that you have the WSDL file. If you don’t know how to find the WSDL file you can go to the API hacking secret part three and you will know how to find the WSDL file.

So, Let's get started……………………….

For parsing the endpoint from WSDL file you need three things

WSDL file

Burp Suite

WSDLER

We know about the WSDL file and Burp suite but

what is WSDLER?

WSDLER is a burp suite extension used to parse the WSDL file so let us first see how to install wsdler in burp suite properly.

Bwapp store wsdler link https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f

How to install WSDLER in burp suite?

STEP 1: Fire up burp suite and navigate to the Extender tab and then click on the Bwapp store.

STEP 2: Find wsdler addon by scrolling down in bwapp store and click on Install button as shown in the image below.

It will take up to 1 min depending upon your internet speed to download and install it into your burp suite.

Post-installation you will see one more tab named WSDLER as shown in the image below.

Now we have the required tool to parse the END-POINT let us now move forward and see how to extract endpoint from the WSDL file.

FINDING THE ENDPOINTS

STEP 1: Find the base URI where the WSDL file is stored. As shown in the below image.

STEP 2: Now once you have the base URI let us now proxy it through our burp suite just by turning our proxy on in burp and refresh the browser. As shown in the below image

The first thing to intercept request you must turn on the proxy by clicking on Intercept is on the button in the proxy tab. Now we need to go to our browser and click on the refresh. As shown in below image

Now As soon as you will click on refresh burp will intercept the request and it will prompt up like as shown in the below image.

Now once you see this screen in burp you done everything perfectly now let us see how to extract the endpoints.

So, for extracting the endpoint you will right click your mouse on the proxied request as shown in the below image. and then click on parse wsdl it will take a while processing

Upon the parse is complete you will be greeted with the endpoints.As shown in the below image.

So, now you can see you have the endpoints.

In this post, i want to stick to How to parse the WSDL file and how to extract endpoints in the next writeup i will take you deep inside endpoint.

If still you face some issue installing and parsing endpoint visit my youtube channel and in API hacking playlist you will find the video for parsing the endpoint

https://www.youtube.com/watch?v=fQKQ2DMFelg

Some people ask me to skip basic thing but i want to cover everything as most of my readers are new in bug bounty and hacking and as i remember one line from stock sharing is caring.

See you all in the next writeup if you like my writeup let me know on Twitter or LinkedIn.

--

--

Nitesh Pandey
Nitesh Pandey

Responses (3)