A simple tool for testing API endpoints pulled from Web Application Description Language (WADL) files.
Project description
The WADLer
The WADLer is a quick and dirty Python proof-of-concept script for testing API endpoints pulled from Web Application Description Language (WADL) files. WADL files are XML documents that describe REST APIs: they outline resource paths, required parameters, HTTP methods, supported media types, and so on.
The WADLer sends a single request to each API endpoint defined in a remote or local WADL file, filling in test data for every declared parameter. This is useful for finding, en masse, endpoints that can be interacted with without authentication.
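To make concrete what a WADL file declares and how a tester can turn it into requests, here is an added example (not WADLer's own code) that parses a constructed WADL document with nested resources, template/query/header parameters and request representations, and derives one request per method. The placeholder scheme (`test_<name>`, `123` for integer types, `{"body": "test_body"}` as a body) and the `as_requests_kwargs` helper are assumptions chosen to mirror the sample output further down the page; `href`-referenced global methods are deliberately not resolved.

```python
"""Turn a WADL document into one test request per method.
Added example, not WADLer's own code; placeholder values are assumptions."""
import xml.etree.ElementTree as ET

WADL_NS = "{http://wadl.dev.java.net/2009/02}"

# Constructed sample WADL (not taken from any real target).
SAMPLE_WADL = """<?xml version="1.0"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
  <resources base="http://localhost:8000/">
    <resource path="users">
      <method name="GET">
        <request>
          <param name="role" style="query" type="xs:string"/>
        </request>
      </method>
      <method name="POST">
        <request>
          <representation mediaType="application/json"/>
        </request>
      </method>
      <resource path="{id}">
        <param name="id" style="template" type="xs:int"/>
        <method name="PUT">
          <request>
            <param name="X-Request-Id" style="header" type="xs:string"/>
            <representation mediaType="application/json"/>
          </request>
        </method>
        <method name="DELETE"/>
      </resource>
    </resource>
  </resources>
</application>
"""


def placeholder_value(param):
    """Placeholder value for one <param>, chosen from its XML Schema type."""
    if param.get("type", "").split(":")[-1] in ("int", "integer", "long", "short"):
        return "123"
    return "test_" + param.get("name", "param")


def _walk(resource, parent_url, inherited, plan):
    """Emit a request for each <method> of this <resource>, then recurse into
    nested resources carrying the accumulated path and params down."""
    segment = resource.get("path", "").strip("/")
    url = parent_url + "/" + segment if segment else parent_url
    # Params declared on the resource itself apply to every method below it.
    params = inherited + resource.findall(WADL_NS + "param")

    for method in resource.findall(WADL_NS + "method"):
        if method.get("name") is None:
            continue  # <method href="#..."> global reference: not resolved here
        request = method.find(WADL_NS + "request")
        req_params = request.findall(WADL_NS + "param") if request is not None else []
        entry = {"method": method.get("name"), "url": url,
                 "params": {}, "headers": {}, "body": None}
        for p in params + req_params:
            value = placeholder_value(p)
            style = p.get("style", "query")
            if style == "template":
                entry["url"] = entry["url"].replace("{%s}" % p.get("name"), value)
            elif style == "header":
                entry["headers"][p.get("name")] = value
            elif style == "query":
                entry["params"][p.get("name")] = value
        if request is not None and request.find(WADL_NS + "representation") is not None:
            entry["body"] = {"body": "test_body"}  # placeholder request body
        plan.append(entry)

    for child in resource.findall(WADL_NS + "resource"):
        _walk(child, url, params, plan)


def parse_wadl(text):
    """Return one request dict per method, in document order.
    A WADL fetched from a target is attacker-controlled XML: ElementTree does
    not expand external entities, but protection against entity-expansion
    bombs depends on the libexpat build, so consider defusedxml there."""
    root = ET.fromstring(text)
    plan = []
    for resources in root.findall(WADL_NS + "resources"):
        base = resources.get("base", "").rstrip("/")
        for resource in resources.findall(WADL_NS + "resource"):
            _walk(resource, base, [], plan)
    return plan


def as_requests_kwargs(entry, proxy=None, verify=True):
    """Keyword arguments for requests.request(**kwargs); proxy/verify mirror
    the --http-proxy/--https-proxy and --no-verify-ssl options."""
    kwargs = {"method": entry["method"], "url": entry["url"],
              "params": entry["params"], "headers": entry["headers"],
              "verify": verify, "allow_redirects": False}
    if entry["body"] is not None:
        kwargs["json"] = entry["body"]
    if proxy:
        kwargs["proxies"] = {"http": proxy, "https": proxy}
    return kwargs


if __name__ == "__main__":
    for e in parse_wadl(SAMPLE_WADL):
        print(e["method"], e["url"], e["params"], e["headers"], e["body"])
```

Running it lists GET and POST on `/users`, then PUT and DELETE on `/users/123`, with the query and header placeholders attached; feeding each entry through `as_requests_kwargs(..., proxy="http://127.0.0.1:8080", verify=False)` is all that is needed to send them through Burp.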
Installation
Only tested on Python 3.12.3.
Use poetry, pipx, or a similar tool to install WADLer:
poetry install
pipx install .
Usage
Always proxy your traffic through Burp Suite so that you can see the requests being made and keep a log of every action taken. Test the script against a local server before running it against the target, to make sure you understand what it does and that your proxy is working.
Testing from a local WADL file, sleeping 1.5sec between requests, while proxying traffic through burp, without following redirects:
wadler --no-verify-ssl --http-proxy http://127.0.0.1:8080 --https-proxy http://127.0.0.1:8080 -v --sleep 1.5 --no-follow-redirects -o output.json application.wadl
Testing from a remote WADL file, sleeping 1.5sec between requests, while proxying traffic through burp, without following redirects:
wadler --no-verify-ssl --http-proxy http://127.0.0.1:8080 --https-proxy http://127.0.0.1:8080 -v --sleep 1.5 --no-follow-redirects -o output.json https://foo.bar/api/application.wadl
Full help output:
usage: WADLer [-h] [-o OUTPUT] [-v] [--endpoint ENDPOINT] [--method METHOD] [--http-proxy HTTP_PROXY] [--https-proxy HTTPS_PROXY] [--username USERNAME]
[--password PASSWORD] [--token TOKEN] [--no-follow-redirects] [--sleep SLEEP] [--timeout TIMEOUT] [--no-verify-ssl] [--json] [--form]
[--user-agent USER_AGENT] [--accept ACCEPT] [-H HEADER]
wadl_source
WADL API self.parser and Tester
positional arguments:
wadl_source Path to WADL file or URL
options:
-h, --help show this help message and exit
-o OUTPUT, --output OUTPUT
Output file for results (JSON)
-v, --verbose Verbose output
Filtering Options:
--endpoint ENDPOINT Only test endpoints containing this string (comma-separated for multiple)
--method METHOD Only test these HTTP methods (comma-separated, e.g. GET,POST)
Proxy Configuration:
Proxying will be enabled if one or more proxy URLs are supplied.
--http-proxy HTTP_PROXY
HTTP proxy URL (e.g., http://proxy:8080)
--https-proxy HTTPS_PROXY
HTTPS proxy URL (e.g., http://proxy:8080)
Authentication:
Basic authentication will be selected if a username and password are provided. Bearer token authentication will be selected if a token is provided.
--username USERNAME Username for Basic authentication
--password PASSWORD Password for Basic authentication
--token TOKEN Token for Bearer authentication
Request Configuration:
--no-follow-redirects
Don't follow redirects
--sleep SLEEP Time to wait between requests in seconds
--timeout TIMEOUT Request timeout in seconds
--no-verify-ssl, -k Disable SSL certificate verification
--json Send request body as JSON
--form Send request body as form data
--user-agent USER_AGENT
User-Agent header
--accept ACCEPT Accept header
-H HEADER, --header HEADER
Additional headers (Key: Value)
Dealing with the Output
The WADLer prints a report to the CLI and can also write the results to a JSON file (-o/--output).
Example JSON output:
[
{
"method": "GET",
"url": "http://localhost:8000/users",
"status_code": 200,
"reason": "OK",
"response_time": 0.006547,
"response_size": 48,
"response_body": {
"message": "Fetched users",
"filter": "test_role"
}
},
{
"method": "POST",
"url": "http://localhost:8000/users",
"status_code": 200,
"reason": "OK",
"response_time": 0.004864,
"response_size": 54,
"response_body": {
"message": "User created",
"user": {
"body": "test_body"
}
}
},
{
"method": "PUT",
"url": "http://localhost:8000/users/123",
"status_code": 200,
"reason": "OK",
"response_time": 0.003647,
"response_size": 66,
"response_body": {
"message": "User updated",
"id": 123,
"updated": {
"body": "test_body"
}
}
}
]
A quick jq command to pull out API endpoints that returned HTTP 200 (a 200 alone does not prove unauthenticated access; check the response body as well):
# Pull out the full result objects
jq '[.[] | select(.status_code == 200)]' output.json
# Pull out URLs only
jq '[.[] | select(.status_code == 200).url]' output.json
File details
Details for the file wadler-0.1.0.tar.gz.
File metadata
- Download URL: wadler-0.1.0.tar.gz
- Upload date:
- Size: 10.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4dee47f9ad22e9bbccec79cb4f1e8e720a44086f520831c43d4626708a385485 |
| MD5 | d03dab309ad436b4d81e67fbc7036dbf |
| BLAKE2b-256 | 34b9cd615b69d4b1dbd8a42ca2a3b7048cc95d0ea740a9bdc5cb0783a4e2aa50 |
Provenance
The following attestation bundles were made for wadler-0.1.0.tar.gz:
- Publisher: pypi-publish.yaml on SecurityRiskAdvisors/WADLer
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: wadler-0.1.0.tar.gz
  - Subject digest: 4dee47f9ad22e9bbccec79cb4f1e8e720a44086f520831c43d4626708a385485
  - Sigstore transparency entry: 1927056455
  - Sigstore integration time:
- Permalink: SecurityRiskAdvisors/WADLer@3dda1d43cf695e497768e08d517d812234fc9879
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/SecurityRiskAdvisors
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: pypi-publish.yaml@3dda1d43cf695e497768e08d517d812234fc9879
- Trigger Event: release
File details
Details for the file wadler-0.1.0-py3-none-any.whl.
File metadata
- Download URL: wadler-0.1.0-py3-none-any.whl
- Upload date:
- Size: 11.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4c34ce06afe0a0220c7b8be2660bdff253f158c5fe03ed1e06ab54c79a857998 |
| MD5 | 1b2a6fa61372149407e76a74a85fc614 |
| BLAKE2b-256 | b881d70f69156de9b2f55b6d24952a5b99ae539ef4be3ba9a635c3b3622f4efe |
Provenance
The following attestation bundles were made for wadler-0.1.0-py3-none-any.whl:
- Publisher: pypi-publish.yaml on SecurityRiskAdvisors/WADLer
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: wadler-0.1.0-py3-none-any.whl
  - Subject digest: 4c34ce06afe0a0220c7b8be2660bdff253f158c5fe03ed1e06ab54c79a857998
  - Sigstore transparency entry: 1927056890
  - Sigstore integration time:
- Permalink: SecurityRiskAdvisors/WADLer@3dda1d43cf695e497768e08d517d812234fc9879
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/SecurityRiskAdvisors
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: pypi-publish.yaml@3dda1d43cf695e497768e08d517d812234fc9879
- Trigger Event: release