WS-Attacker: The Academic Framework That Hacks SOAP Services at the XML Layer
Hook
While the world moved to REST APIs, enterprise systems still run SOAP services protected by XML signatures that can be bypassed using research-grade exploits developed by academic security researchers.
Context
SOAP web services dominated enterprise integration in the 2000s, protected by WS-Security standards like XML Signature and XML Encryption. Researchers at Ruhr University Bochum published attacks that broke these protections systematically, including XML Signature Wrapping attacks that could bypass authentication and various XML encryption vulnerabilities. The problem was that these attacks existed primarily in academic papers. Penetration testers needed runnable implementations to test real enterprise systems. WS-Attacker emerged from this gap: a collaboration between the Chair of Network and Data Security at Ruhr University Bochum and Hackmanit GmbH to implement peer-reviewed attacks against SOAP services. While tools like Burp Suite could intercept SOAP traffic, they lacked the specialized logic to construct signature-wrapped messages or orchestrate adaptive XML encryption attacks. WS-Attacker became the bridge between academic security research and practical penetration testing.
Technical Insight
WS-Attacker follows a plugin architecture built atop the SoapUI framework. The core engine handles WSDL parsing and SOAP message construction—the tedious plumbing work—while attack-specific logic lives in modular plugins. This separation means you can extend the framework with custom attacks without touching the SOAP protocol machinery.
Getting started requires cloning the repository and building with Maven. The README provides explicit instructions that highlight the Java 7/8 dependency:
$ git clone https://github.com/RUB-NDS/WS-Attacker.git
$ cd WS-Attacker
$ mvn clean package -DskipTests
$ cd runnable
$ java -jar WS-Attacker-1.9-SNAPSHOT.jar
Once running, you point WS-Attacker at a WSDL file. The framework parses the service definition, discovers operations, and generates template SOAP requests. This is where the plugin architecture shines. Rather than manually crafting malicious XML, you select an attack plugin and let it manipulate the SOAP envelope.
The current version supports several attack categories documented in the README. XML Signature Wrapping represents one of the flagship attacks. SOAP services using WS-Security verify XML signatures to authenticate messages. The signature references specific XML elements by ID. The attack works by duplicating signed elements, modifying the copies, and exploiting parsing inconsistencies between signature verification and application logic. One component sees the legitimate signed data; another processes your malicious payload.
WS-Attacker’s implementation automates signature wrapping variants documented in the researchers’ thesis work (available in PDF form). The plugin analyzes the SOAP envelope structure, identifies signed elements, and generates wrapping transformations to test which variants successfully bypass the target service’s signature verification.
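The mismatch described above, where the verifier resolves the signed element by ID while the application reads the Body by position, can be checked for on the receiving side. The following Python check is an added example, not code from WS-Attacker or from the original article. The function names check_signed_body and build_envelope, the sample messages and the Wrapper and getBalance elements are constructed for illustration. It assumes the signature has already been verified cryptographically and that the application reads the soap:Body directly under the Envelope.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = f"{{{WSU}}}Id"

def check_signed_body(xml_text):
    """Return findings; an empty list means the Body the application
    reads is the same element a ds:Reference points at."""
    root = ET.fromstring(xml_text)  # constructed input; harden the parser for untrusted XML
    # Application view: the soap:Body that is a direct child of the Envelope.
    bodies = root.findall(f"{{{SOAP}}}Body")
    if len(bodies) != 1:
        return [f"expected one soap:Body under Envelope, found {len(bodies)}"]
    body, findings, by_id = bodies[0], [], {}
    # Verifier view: elements are looked up by wsu:Id anywhere in the tree.
    for el in root.iter():
        if el.get(WSU_ID) is not None:
            by_id.setdefault(el.get(WSU_ID), []).append(el)
    findings += [f"duplicate wsu:Id '{i}'" for i, els in by_id.items() if len(els) > 1]
    uris = [r.get("URI", "") for r in root.iter(f"{{{DS}}}Reference")]
    signed = [el for u in uris if u.startswith("#") for el in by_id.get(u[1:], [])]
    if not any(el is body for el in signed):
        findings.append("soap:Body under Envelope is not covered by any ds:Reference")
    return findings

def build_envelope(header_extra, body):
    # Simplified layout: a real message nests ds:Signature in wsse:Security
    # and carries digest and signature values, omitted here.
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">'
            f'<soap:Header><ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
            f'</ds:SignedInfo></ds:Signature>{header_extra}</soap:Header>{body}'
            f'</soap:Envelope>')

# Constructed samples (not captured traffic).
SIGNED = '<soap:Body wsu:Id="body-1"><getBalance account="1001"/></soap:Body>'
UNSIGNED = '<soap:Body><getBalance account="2002"/></soap:Body>'
LEGIT = build_envelope("", SIGNED)
# Signed Body relocated under the Header; a different Body sits in its place.
WRAPPED = build_envelope(f"<Wrapper>{SIGNED}</Wrapper>", UNSIGNED)

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("wrapped", WRAPPED)):
        print(name, check_signed_body(msg) or "ok")
```

A service that rejects any message with a non-empty findings list refuses both the relocated-Body layout and the duplicate-ID layout before the payload reaches application logic.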
The XML Encryption attack plugins target vulnerabilities in XML Encryption implementations. According to the README and associated blog posts, WS-Attacker implements adaptive chosen-ciphertext attacks against XML Encryption. These are stateful attacks requiring multiple carefully crafted requests, analyzing error responses to exploit encryption weaknesses.
The framework also includes DoS attack plugins targeting XML parser vulnerabilities. The README specifically mentions XML-based DoS attacks and AdIDoS (Adaptive and Intelligent Denial-of-Service). These test various resource exhaustion vectors and measure which techniques consume server resources effectively.
Additionally, WS-Attacker supports SOAPAction spoofing and WS-Addressing spoofing attacks as documented in the attack list.
What distinguishes WS-Attacker from general-purpose security tools is its research foundation. These implementations are based on academic papers that documented the vulnerabilities, providing attack fidelity beyond simple fuzzing approaches.
Gotcha
WS-Attacker’s specialization is both strength and limitation. It exclusively targets SOAP services using WS-Security standards. If you’re testing REST APIs, GraphQL endpoints, or even basic SOAP services without WS-Security, this framework offers minimal value. The tool doesn’t speak JSON, can’t parse OpenAPI specifications, and has no understanding of modern API authentication patterns like OAuth2 or JWT.
The codebase shows its age. The Java 7/8 requirement and the v1.8 release tag suggest development has matured, but the tool may face compatibility questions with current Java versions. The Travis CI badge indicates some maintenance activity. The documentation is scattered across PDFs, blog posts, and academic papers rather than consolidated in a single knowledge base. The README points to a 2012 thesis PDF and 2015 blog posts for understanding specific features, which creates friction compared to modern documentation approaches.
Performance may be a consideration with adaptive attacks that require multiple requests with response analysis. Against rate-limited services or high-latency networks, attacks that work in lab environments may require adjustment. The framework’s design focuses on attack correctness rather than distributed execution or sophisticated retry mechanisms.
Verdict
Use if: You’re penetration testing enterprise systems running SOAP services with WS-Security implementations (XML Signature, XML Encryption), you need research-quality attack implementations rather than proof-of-concept exploits, or you’re conducting security research on XML-based protocol vulnerabilities and need a foundation for custom attacks. WS-Attacker excels in specialized scenarios where its academic foundation matters—demonstrating cryptographic bypasses with implementations grounded in peer-reviewed research. The framework’s plugin architecture also makes it extensible for custom WS-Security attack development.
Skip if: You’re testing modern REST/JSON APIs or GraphQL services, you need tooling with consolidated current documentation rather than scattered academic papers and blog posts, you’re working in environments requiring the latest Java versions or containerized tooling, or you need general-purpose web application security testing beyond the SOAP/XML domain. The framework’s laser focus on WS-Security attacks means it addresses a narrow but important niche in web service security.