In a .NET environment WCF services can use the proprietary WCF binary XML protocol described here. Microsoft uses this protocol to save some time parsing the transmitted XML data. If you have to (pen-) test such services, it would be nice to read (and modify) the communication between (for example) clients and servers. One possibility is Fiddler.
Fiddler’s strengths include its extensibility and its WCF binary plugins. Sadly, these plugins can only decode and display the binary content as XML text.
Our first tool of choice for webapp pentests (Burp Suite) has also a plugin feature, and one can also find plugins for decoding (and encoding XML back to) WCF binary streams. But all WCF binary plugins out there are based on the .NET library which means one either has to work on MS Windows or with Mono. Another disadvantage is the validation and auto-correction feature of such libraries… not very useful for penetration testing 😉
That’s why we decided to write a small python library according to Microsoft’s Open Specification which enables us to decode and encode WCF binary streams. The library has a rudimentary commandline interface for converting XML to WCF binary and vice versa, as well as a plugin for our python-to-Burp plugin (pyBurp).
The commandline interface consists of two python scripts:
||./wcf2xml.py example.bin./wcf2xml.py < example.bin|
||./xml2wcf.py example.xml./xml2wcf.py < example.xml|
In combination with our python-to-Burp plugin (pyBurp) you can decode, edit and encode WCF-
Binary streams on the fly.
At the moment you’ll need three Burp instances to use all Burp features. The first one (“Client-Burp”) decodes/encodes the data from/to the client. The second one (“Cleartext-Burp”) operates on the
XML like it was a normal request/response. The third one (“Server-Burp”) encodes/decodes the data to/from the server.
A setup without the “Cleartext-Burp” is also possible, but we experienced problems in combination with some Burp features like auto replace.
We are currently working on a one-Burp-solution, but we’ll have to understand the exact communication flow inside of Burp first and how we can interact with it (without breaking some things).
After setting up pyBurp, one only has to connect to the current Burp instance, change the current root directory to the path were pyWCFBin is located and then load the WcfPlugin:
$ nc localhost 55666 cd /home/foo/Downloads/pyWCFBin add WcfPlugin quit $
The pyWCFBin plugin must only be used on the Client-Burp and Server-Burp.
- Sourcecode: pyWCFBin.tar.gz
- SHA1: c60f9f52c735e750a35b19cda6b99c7ad6d5742a
- MD5: 4b00f82cfee686c5886a9e1ed93bdc48
We hope some of you find this library useful when working with WCF Services. We’re happy to receive any feedback or bug reports in case you find some 😉
Merry Christmas and a happy new year to everybody