WSSAT is an open source tool that performs dynamic and static security assessments of SOAP and REST web services through configurable vulnerability scanning.
WEB SERVICE SECURITY ASSESSMENT TOOL
Organizations use WSSAT to conduct comprehensive security analyses of their web services by scanning multiple services simultaneously for vulnerabilities and information leakage. Security teams and auditors leverage its dynamic configuration to keep vulnerability checks up-to-date and generate overall security assessment reports to harden their web services.
WSSAT requires input in the form of WSDL address lists for SOAP services and supports REST API scanning in version 2.0; users should regularly update vulnerability configuration files to keep assessments current. It is recommended to run the tool in a controlled environment as some dynamic tests may impact service availability. Refer to the official wiki for detailed installation and usage instructions.
Visit the Installation guide at https://github.com/YalcinYolalan/WSSAT/wiki/Installation
Clone the repository from https://github.com/YalcinYolalan/WSSAT
Follow platform-specific setup instructions as detailed in the wiki
Ensure dependencies are installed as per the installation documentation
Provide a WSDL address list file as input: starts scanning all listed web services for vulnerabilities.
Edit vulnerability configuration files: add, update, or delete vulnerabilities dynamically without changing the code.
Run dynamic tests including SQL Injection, XSS, XXE, and others: performs active security testing against the target web services.
Run static analysis on XML schemas and WS-SecurityPolicy: detects weak configurations and insecure policies in service definitions.
Generate security assessment reports: outputs an overall security posture report for the scanned web services.