WSSAT
by YalcinYolalan
WSSAT is an open source tool that performs dynamic and static security assessments of SOAP and REST web services through configurable vulnerability scanning.
WEB SERVICE SECURITY ASSESSMENT TOOL
Primary Use Case
Organizations use WSSAT to conduct comprehensive security analyses of their web services by scanning multiple services simultaneously for vulnerabilities and information leakage. Security teams and auditors leverage its dynamic configuration to keep vulnerability checks up-to-date and generate overall security assessment reports to harden their web services.
- Dynamic testing of SOAP and REST APIs for vulnerabilities such as SQL Injection, XSS, XXE, and insecure communication
- Static analysis of XML schemas and WS-SecurityPolicy configurations
- Information disclosure detection including server and technology fingerprinting
- Dynamic vulnerability management via editable configuration files
- Batch processing of multiple web services using WSDL address lists
- Modular architecture including parser, vulnerability loader, analyzer/attacker, logger, and report generator
- Support for both SOAP and REST API security assessments
- Generation of comprehensive security assessment reports
Installation
- Visit the Installation guide at https://github.com/YalcinYolalan/WSSAT/wiki/Installation
- Clone the repository from https://github.com/YalcinYolalan/WSSAT
- Follow platform-specific setup instructions as detailed in the wiki
- Ensure dependencies are installed as per the installation documentation
Usage
- Provide a WSDL address list file as input: starts scanning all listed web services for vulnerabilities.
- Edit vulnerability configuration files: add, update, or delete vulnerabilities dynamically without changing the code.
- Run dynamic tests including SQL Injection, XSS, XXE, and others: performs active security testing against the target web services.
- Run static analysis on XML schemas and WS-SecurityPolicy: detects weak configurations and insecure policies in service definitions.
- Generate security assessment reports: outputs an overall security posture report for the scanned web services.
- Integrate WSSAT into CI/CD pipelines for automated, continuous API security testing.
- Use WSSAT reports to prioritize patching and hardening efforts on web services.
- Combine WSSAT dynamic scanning with static code analysis tools for comprehensive API security coverage.
- Leverage the modular vulnerability loader to customize and extend vulnerability checks as new threats emerge.
- Incorporate WSSAT findings into purple team exercises to improve detection and response capabilities.
