
WAS Authentication on Web services (WSDL/SOAP)

Question asked by D3al on Apr 29, 2014
Latest reply on Apr 30, 2014 by fmc



I'm trying to do an internal scan on a corporate web application using WAS, but I'm unable to get authentication to work.


The application is based on Web Services.


First I tried to do a Selenium script, but Selenium doesn't save the login parameters.


The main page is something like this:


The page is developed in Flash and I can't see the source code, so with Burp I saw that the app does the following:


1. Call to a config file located on







    <tns:rolesUser xmlns:tns="">




If I start the WAS scan (discover/vulnerability) from the root (, with custom authentication fields, the result is that the authentication was not used.


If I start the WAS scan (discover/vulnerability) from the ".asmx", it only scans that URL.


The body of the web application is on another path. I can do a Selenium script navigating the operational layer, but without authentication.


Please help me with this.