By kannthu
The "WADL API - Detect" module detects the presence of a WADL API. WADL (Web Application Description Language) is an XML-based language used to describe the capabilities of a web service, such as its resources and the methods they accept. The module targets WADL endpoints and checks for misconfigurations or vulnerabilities that may be present, most directly a WADL description that is reachable by clients.
This module has an informative severity level, meaning it provides valuable information but does not indicate a critical security issue.
This module was authored by 0xrudra and manuelbua.
The impact of the "WADL API - Detect" module is primarily informational: it identifies the presence of a WADL API and gives insight into misconfigurations or vulnerabilities that may exist. With that information, organizations can take appropriate action to secure their WADL APIs and prevent potential exploitation.
The "WADL API - Detect" module works by sending HTTP requests to specific paths associated with WADL APIs. It then applies matching conditions to analyze the responses and determine if the API matches the expected patterns.
For example, the module sends GET requests to paths such as "/application.wadl" and "/api/application.wadl" and checks whether the response is a simplified WADL "with user and core resources". It also sends OPTIONS requests to paths such as "/api/v1" and "/api/v2" to gather additional information about the API.
The module uses matchers, such as the "http-get" and "http-options" matchers, to search for specific words or phrases in the responses. If the expected patterns are found, the module reports the detection of a WADL API.
It is important to note that this module does not perform any active exploitation or modification of the target system. It solely focuses on detecting the presence of a WADL API and providing information about its configuration.
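The detection flow described above, written out as an added Python example; this is not the module's own template code. The probe paths and the "simplified WADL with user and core resources" banner come from the page; the WADL namespace and content-type indicators, the `fetch(method, path)` client interface and the sample responses are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

GET_PATHS = ["/application.wadl", "/api/application.wadl"]  # probe paths from the page
OPTIONS_PATHS = ["/api/v1", "/api/v2"]
# WADL indicators: the banner the page names plus the standard WADL namespace (assumption).
BODY_WORDS = ["simplified wadl with user and core resources",
              'xmlns="http://wadl.dev.java.net/2009/02"']
WADL_CONTENT_TYPE = "application/vnd.sun.wadl+xml"

@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

def wadl_indicators(resp: Response) -> List[str]:
    """Reasons one response looks like a WADL document (empty list = no match).
    A 200 status alone never counts, so catch-all 200 HTML pages do not false-positive."""
    if resp.status != 200:
        return []
    reasons = []
    if WADL_CONTENT_TYPE in resp.headers.get("Content-Type", "").lower():
        reasons.append("content-type " + WADL_CONTENT_TYPE)
    body = resp.body.lower()
    reasons += [f"body contains {w!r}" for w in BODY_WORDS if w in body]
    return reasons

def scan(fetch: Callable[[str, str], Response]) -> List[dict]:
    """Run the GET and OPTIONS probes through fetch(method, path), the caller's
    HTTP client, and collect informational findings."""
    probes = [("GET", p) for p in GET_PATHS] + [("OPTIONS", p) for p in OPTIONS_PATHS]
    findings = []
    for method, path in probes:
        reasons = wadl_indicators(fetch(method, path))
        if reasons:
            findings.append({"method": method, "path": path,
                             "severity": "info", "reasons": reasons})
    return findings

# Constructed responses standing in for a live target (not real captures).
_SAMPLE = {
    ("GET", "/application.wadl"): Response(200, {"Content-Type": "application/xml"},
        '<application xmlns="http://wadl.dev.java.net/2009/02"><doc>This is '
        'simplified WADL with user and core resources.</doc></application>'),
    ("OPTIONS", "/api/v1"): Response(200, {"Content-Type": WADL_CONTENT_TYPE}),
}

def sample_fetch(method: str, path: str) -> Response:
    return _SAMPLE.get((method, path), Response(404))
```

Swap `sample_fetch` for a real HTTP client with the same `(method, path)` signature to run the probes against a host you are authorized to assess.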
For more information, you can refer to the following references:
- https://github.com/dwisiswant0/wadl-dumper
- https://www.nopsec.com/leveraging-exposed-wadl-xml-in-burp-suite/