Web Service & API Attacks - Skills Assessment

Here are my hints, once I found the flag:
1- Use one of the previous SOAP request scripts and adapt it.
2- You will need to use a single quote for SQLi, so keep that in mind while you write your script.
3- As @onthesauce said before, if nothing happens when you execute it, it means that it's working, so start to think about the SQLi payload.
4- Web Service Hacking | SOAP and WSDL: you can find some great info here.


Anyone have any tips on how you found the flag? Having issues.

Check out @onthesauce's write-up above. He lays it out pretty clearly.

Some other tips I can offer:

  • The lesson doesn't do a very good job at explaining how to interact with SOAP APIs in my opinion, but think of which method could be exploited for a SQL injection, then craft the right request for that method.
  • SOAP APIs require you to talk to them in their convoluted language (as opposed to REST APIs, which take in JSON) - get that request under your belt.
  • The site won't respond even if the request has the required arguments in it (which is pretty annoying). Instead, it will respond to a request with the required arguments AND a malicious payload. I guess they did this to prevent automated scanners like SQLmap from making it too easy?
  • Extra tip: if you want to use SQLmap, learn about tweaking different injection techniques… one of these techniques works like a charm, the other ones run into that non-responsive state.