Burp WS-Security

December 11, 2019

This extension calculates a valid WS-Security token for every request (in Proxy, Scanner, Intruder, Repeater, Sequencer, Extender) and replaces the variables in these requests with the valid token. It follows the Web Services Security (WS-Security, WSS) specification published by OASIS.

Using Burp WS-Security

  • This extension only changes requests that target an in-scope item, so you need to add the target to the scope.
  • Go to the WSSecurity tab, fill in the password field, and choose whether the nonce needs to be base64 encoded.
  • Click “Turn WS-Security ON”. Now, for every request in scope, a valid security token will be created.
  • In your request:
      #WS-SecurityPasswordDigest will be replaced by the Password Digest
      #WS-SecurityNonce will be replaced by the Nonce
      #WS-SecurityCreated will be replaced by the correct time
      #WS-SecurityUUID will be replaced by a random UUID
  • This extension logs every request in the Extender UI after it has been changed, in case you need to debug.
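The values behind the four placeholders, as an added example (not the extension's own code): in the OASIS UsernameToken Profile the Password Digest is Base64(SHA-1(nonce + created + password)), so the receiving service can recompute it from the stored password. The user `alice`, the password `s3cret`, the header fragment and the way the base64 on/off choice is applied to the nonce are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
import uuid
from datetime import datetime, timezone

# Constructed SOAP header fragment carrying the four placeholders listed above.
TEMPLATE = """<wsse:Security>
  <wsse:UsernameToken wsu:Id="UsernameToken-#WS-SecurityUUID">
    <wsse:Username>alice</wsse:Username>
    <wsse:Password>#WS-SecurityPasswordDigest</wsse:Password>
    <wsse:Nonce>#WS-SecurityNonce</wsse:Nonce>
    <wsu:Created>#WS-SecurityCreated</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>"""

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), the UsernameToken digest."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def token_values(password: str, b64_nonce: bool = True, now=None) -> dict:
    """Fresh values for the four placeholders (nonce handling is an assumption)."""
    nonce = secrets.token_hex(16).encode("ascii")  # raw nonce bytes fed to the hash
    created = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    wire_nonce = base64.b64encode(nonce) if b64_nonce else nonce
    return {
        "#WS-SecurityPasswordDigest": password_digest(nonce, created, password),
        "#WS-SecurityNonce": wire_nonce.decode("ascii"),
        "#WS-SecurityCreated": created,
        "#WS-SecurityUUID": str(uuid.uuid4()),
    }

def fill(request: str, values: dict) -> str:
    """Substitute every placeholder in the request with its value."""
    for placeholder, value in values.items():
        request = request.replace(placeholder, value)
    return request

def service_accepts(values: dict, password: str, b64_nonce: bool = True) -> bool:
    """Receiver-side check: recompute the digest from the stored password."""
    wire = values["#WS-SecurityNonce"].encode("ascii")
    nonce = base64.b64decode(wire) if b64_nonce else wire
    expected = password_digest(nonce, values["#WS-SecurityCreated"], password)
    return secrets.compare_digest(expected, values["#WS-SecurityPasswordDigest"])

if __name__ == "__main__":
    print(fill(TEMPLATE, token_values("s3cret")))  # constructed password
```

If a service rejects the token, the usual causes are a nonce encoding that differs from what the service expects or a Created timestamp outside its accepted clock window.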