First, intercept the request for the WSDL in Burp. Then follow these steps:
- Right-click the request and select Parse WSDL:
- Switch to the Wsdler tab and you will see all the service calls (operations) defined in the WSDL. Click on a call to review the complete SOAP request that Wsdler generates for it:
- To be able to modify the request and play around with it, we need to send it to Repeater:
- Right-click and select Send to Repeater:
- Putting a single quote in the tem:json parameter makes the server return a database error. And voila! We have an SQL injection:
- The following screenshot shows the response of the server with the SQL error:
- We will learn more about exploiting SQL injection in Chapter 4, Web App Exploitation – Beyond OWASP Top 10.
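The steps above are done through the Burp GUI. As an added example (not code from the book or from the Wsdler extension), the Python script below reproduces the three things the recipe relies on so you can see what Wsdler is doing under the hood: it parses a WSDL to enumerate the operations and their input parameters, builds the SOAP envelope for one operation (the `tem:` prefix maps to the WSDL's target namespace), and checks a SOAP fault for a leaked database error message, which is the signal the recipe uses to spot the injection and the thing a defender should make sure never reaches the client. The WSDL, the operation names `ProcessJson`/`GetStatus`, the `json` parameter and the fault responses are all constructed for this example; the script uses only the standard library and runs offline.

```python
"""Parse a WSDL, build a SOAP request envelope, and check a response for a
leaked database error (what the Wsdler/Repeater recipe does by hand)."""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "xs": "http://www.w3.org/2001/XMLSchema",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
}

# Constructed sample WSDL (hypothetical service, not taken from the book).
# Document/literal "wrapped" style: each operation has a schema element of
# the same name whose children are the request parameters.
SAMPLE_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://tempuri.org/" targetNamespace="http://tempuri.org/">
  <wsdl:types>
    <xs:schema targetNamespace="http://tempuri.org/" elementFormDefault="qualified">
      <xs:element name="ProcessJson">
        <xs:complexType><xs:sequence>
          <xs:element name="json" type="xs:string"/>
        </xs:sequence></xs:complexType>
      </xs:element>
      <xs:element name="GetStatus">
        <xs:complexType><xs:sequence>
          <xs:element name="id" type="xs:int"/>
        </xs:sequence></xs:complexType>
      </xs:element>
    </xs:schema>
  </wsdl:types>
  <wsdl:portType name="ServiceSoap">
    <wsdl:operation name="ProcessJson"/>
    <wsdl:operation name="GetStatus"/>
  </wsdl:portType>
</wsdl:definitions>"""

# Constructed responses: one verbose fault leaking a DB error, one clean reply.
SAMPLE_FAULT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><soap:Fault>
    <faultcode>soap:Server</faultcode>
    <faultstring>Server was unable to process request. ---&gt;
      Unclosed quotation mark after the character string ''.</faultstring>
  </soap:Fault></soap:Body>
</soap:Envelope>"""

SAMPLE_OK = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><ProcessJsonResponse xmlns="http://tempuri.org/">
    <ProcessJsonResult>ok</ProcessJsonResult>
  </ProcessJsonResponse></soap:Body>
</soap:Envelope>"""

# Error strings typical of verbose DB errors (MySQL, MSSQL, Oracle, PostgreSQL).
SQL_ERROR_SIGNATURES = (
    "You have an error in your SQL syntax",
    "Unclosed quotation mark",
    "ORA-0",
    "syntax error at or near",
)


def list_operations(wsdl_text):
    """Return (target namespace, {operation: [(param, xsd type), ...]})."""
    root = ET.fromstring(wsdl_text)
    target_ns = root.get("targetNamespace")
    params = {}
    for el in root.iterfind(".//xs:schema/xs:element", NS):
        params[el.get("name")] = [
            (c.get("name"), c.get("type")) for c in el.iterfind(".//xs:element", NS)
        ]
    ops = {}
    for op in root.iterfind(".//wsdl:portType/wsdl:operation", NS):
        ops[op.get("name")] = params.get(op.get("name"), [])
    return target_ns, ops


def build_envelope(target_ns, operation, values, prefix="tem"):
    """Build the SOAP 1.1 envelope Wsdler would generate for one operation."""
    ET.register_namespace("soapenv", NS["soap"])
    ET.register_namespace(prefix, target_ns)  # "tem" for tempuri.org
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    ET.SubElement(env, f"{{{NS['soap']}}}Header")
    body = ET.SubElement(env, f"{{{NS['soap']}}}Body")
    op = ET.SubElement(body, f"{{{target_ns}}}{operation}")
    for name, value in values.items():
        ET.SubElement(op, f"{{{target_ns}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")


def leaked_sql_error(response_xml):
    """Return the matching DB error signature if the response leaks one, else None."""
    root = ET.fromstring(response_xml)
    fault = root.find(".//soap:Fault", NS)
    text = "".join((fault if fault is not None else root).itertext())
    for sig in SQL_ERROR_SIGNATURES:
        if sig.lower() in text.lower():
            return sig
    return None


if __name__ == "__main__":
    ns, ops = list_operations(SAMPLE_WSDL)
    for name, params in ops.items():
        print(name, params)
    print(build_envelope(ns, "ProcessJson", {"json": "'"}))
    print("fault leaks:", leaked_sql_error(SAMPLE_FAULT))
    print("ok leaks:", leaked_sql_error(SAMPLE_OK))
```

On the defensive side, `leaked_sql_error` is the check to run against your own service's fault responses: a SOAP fault that carries the raw database message is both the tell the recipe relies on and an information disclosure in its own right, so return a generic fault to the client and keep the driver error in server-side logs, while the injection itself is fixed by parameterizing the query behind `tem:json`.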