
A simple tool for testing API endpoints pulled from Web Application Description Language (WADL) files.

Project description

The WADLer

The WADLer is a quick-and-dirty Python proof-of-concept script for testing the API endpoints defined in Web Application Description Language (WADL) files. A WADL file is an XML document that describes a REST API: the resource paths, the HTTP methods each resource supports, the parameters those methods expect (template, query, header and body parameters) and the representations (media types) they accept and return.

The WADLer sends a single request to every endpoint found in a local or remote WADL file, filling each defined parameter with test data. This is useful for finding, en masse, endpoints that can be interacted with without authentication.
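The parsing step described above, as an added Python example that is not the WADLer's own code: it walks a constructed WADL document (embedded inline, not a real service's definition), collects the parameters declared on each resource, request and representation, fills template segments such as `{id}` or `{id: [0-9]+}`, and produces one request description per method. The placeholder scheme (123 for integer types, `test_<name>` for everything else) is an assumption for illustration, not necessarily what the WADLer uses. A WADL fetched from a target is attacker-controlled input; the standard-library parser is used here for brevity, and defusedxml is the conservative choice if you build on this.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

WADL_NS = "http://wadl.dev.java.net/2009/02"
TEMPLATE_RE = re.compile(r"\{(\w+)[^}]*\}")  # matches {id} as well as {id: [0-9]+}

# Constructed sample WADL for illustration only; it does not describe a real service.
SAMPLE_WADL = """<application xmlns="http://wadl.dev.java.net/2009/02"
             xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <resources base="http://localhost:8000/">
    <resource path="/users">
      <method name="GET" id="listUsers">
        <request>
          <param name="role" style="query" type="xs:string"/>
        </request>
      </method>
      <method name="POST" id="createUser">
        <request>
          <representation mediaType="application/json">
            <param name="body" style="plain" type="xs:string"/>
          </representation>
        </request>
      </method>
      <resource path="{id: [0-9]+}">
        <param name="id" style="template" type="xs:int"/>
        <method name="PUT" id="updateUser">
          <request>
            <param name="X-Request-Id" style="header" type="xs:string"/>
            <representation mediaType="application/json">
              <param name="body" style="plain" type="xs:string"/>
            </representation>
          </request>
        </method>
      </resource>
    </resource>
  </resources>
</application>
"""


def _q(tag):
    """Qualify a local tag name with the WADL namespace for ElementTree lookups."""
    return f"{{{WADL_NS}}}{tag}"


def placeholder(param):
    """Test value per parameter (assumed scheme): integer XSD types get 123,
    everything else gets 'test_<name>'."""
    xsd_type = (param.get("type") or "").split(":")[-1]
    if xsd_type in ("int", "integer", "long", "short", "byte"):
        return 123
    return f"test_{param.get('name')}"


def _join(base, path):
    path = path.strip("/")
    return f"{base.rstrip('/')}/{path}" if path else base


def _build(method, path, resource_params):
    """Turn one <method> into a request description: URL with template segments
    filled, plus query, header and body fields populated with placeholder values."""
    request = method.find(_q("request"))
    params = list(resource_params.values())
    media_types = []
    if request is not None:
        params += request.findall(_q("param"))
        for rep in request.findall(_q("representation")):
            media_types.append(rep.get("mediaType"))
            params += rep.findall(_q("param"))
    templates, query, headers, body = {}, {}, {}, {}
    for p in params:
        name, style = p.get("name"), p.get("style", "query")
        if style == "template":
            templates[name] = placeholder(p)
        elif style == "header":
            headers[name] = str(placeholder(p))
        elif style == "query":
            query[name] = placeholder(p)
        else:  # plain / matrix: treated as a body field
            body[name] = placeholder(p)
    # Fill {name} or {name: regex}; an undeclared template param still gets a value.
    url = TEMPLATE_RE.sub(lambda m: str(templates.get(m.group(1), f"test_{m.group(1)}")), path)
    return {"method": method.get("name", "GET").upper(), "url": url, "query": query,
            "headers": headers, "body": body,
            "media_type": media_types[0] if media_types else None}


def _walk(resource, base, inherited, out):
    path = _join(base, resource.get("path") or "")
    params = dict(inherited)
    for p in resource.findall(_q("param")):  # resource-level (usually template) params
        params[p.get("name")] = p
    for method in resource.findall(_q("method")):
        out.append(_build(method, path, params))
    for child in resource.findall(_q("resource")):  # nested resources inherit path and params
        _walk(child, path, params, out)


def parse_wadl(xml_text):
    """Return one request description per <method> found in the WADL document."""
    root = ET.fromstring(xml_text)
    endpoints = []
    for resources in root.iter(_q("resources")):
        for resource in resources.findall(_q("resource")):
            _walk(resource, resources.get("base") or "", {}, endpoints)
    return endpoints


if __name__ == "__main__":
    for ep in parse_wadl(SAMPLE_WADL):
        qs = f"?{urlencode(ep['query'])}" if ep["query"] else ""
        print(f"{ep['method']:6} {ep['url']}{qs}  headers={ep['headers']} body={ep['body']}")
```

Running the block prints three request descriptions (GET and POST on /users, PUT on /users/123) that correspond one-to-one with the JSON result entries shown further down; the `media_type` field is what a sender would use to decide between a JSON and a form-encoded body.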

Installation

Only tested on Python 3.12.3.

Use poetry, pipx, or a similar tool to install the WADLer from a checkout of the repository:

poetry install

pipx install .

Usage

Always proxy your traffic through Burp Suite so you can see exactly which requests are made and keep a log of every action taken. The WADLer sends a real request to every method in the WADL, including state-changing ones such as POST and PUT, so it can create or modify data on the target; use --method and --endpoint to scope a run, and test the script against a local server before pointing it at the target to confirm that you understand what it does and that your proxy is capturing the traffic.

Testing from a local WADL file, sleeping 1.5 s between requests, proxying through Burp and not following redirects (--no-verify-ssl is needed because Burp terminates TLS with its own certificate):

wadler --no-verify-ssl --http-proxy http://127.0.0.1:8080 --https-proxy http://127.0.0.1:8080 -v --sleep 1.5 --no-follow-redirects -o output.json application.wadl

Testing from a remote WADL file with the same settings:

wadler --no-verify-ssl --http-proxy http://127.0.0.1:8080 --https-proxy http://127.0.0.1:8080 -v --sleep 1.5 --no-follow-redirects -o output.json https://foo.bar/api/application.wadl

Full help output:

usage: WADLer [-h] [-o OUTPUT] [-v] [--endpoint ENDPOINT] [--method METHOD] [--http-proxy HTTP_PROXY] [--https-proxy HTTPS_PROXY] [--username USERNAME]
               [--password PASSWORD] [--token TOKEN] [--no-follow-redirects] [--sleep SLEEP] [--timeout TIMEOUT] [--no-verify-ssl] [--json] [--form]
               [--user-agent USER_AGENT] [--accept ACCEPT] [-H HEADER]
               wadl_source

WADL API self.parser and Tester

positional arguments:
  wadl_source           Path to WADL file or URL

options:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        Output file for results (JSON)
  -v, --verbose         Verbose output

Filtering Options:
  --endpoint ENDPOINT   Only test endpoints containing this string (comma-separated for multiple)
  --method METHOD       Only test these HTTP methods (comma-separated, e.g. GET,POST)

Proxy Configuration:
  Proxying will be enabled if one or more proxy URLs are supplied.

  --http-proxy HTTP_PROXY
                        HTTP proxy URL (e.g., http://proxy:8080)
  --https-proxy HTTPS_PROXY
                        HTTPS proxy URL (e.g., http://proxy:8080)

Authentication:
  Basic authentication will be selected if a username and password are provided. Bearer token authentication will be selected if a token is provided.

  --username USERNAME   Username for Basic authentication
  --password PASSWORD   Password for Basic authentication
  --token TOKEN         Token for Bearer authentication

Request Configuration:
  --no-follow-redirects
                        Don't follow redirects
  --sleep SLEEP         Time to wait between requests in seconds
  --timeout TIMEOUT     Request timeout in seconds
  --no-verify-ssl, -k   Disable SSL certificate verification
  --json                Send request body as JSON
  --form                Send request body as form data
  --user-agent USER_AGENT
                        User-Agent header
  --accept ACCEPT       Accept header
  -H HEADER, --header HEADER
                        Additional headers (Key: Value)

Dealing with the Output

The WADLer prints a report to the CLI and can also write the full results to a JSON file with -o.

Example JSON output:

[
  {
    "method": "GET",
    "url": "http://localhost:8000/users",
    "status_code": 200,
    "reason": "OK",
    "response_time": 0.006547,
    "response_size": 48,
    "response_body": {
      "message": "Fetched users",
      "filter": "test_role"
    }
  },
  {
    "method": "POST",
    "url": "http://localhost:8000/users",
    "status_code": 200,
    "reason": "OK",
    "response_time": 0.004864,
    "response_size": 54,
    "response_body": {
      "message": "User created",
      "user": {
        "body": "test_body"
      }
    }
  },
  {
    "method": "PUT",
    "url": "http://localhost:8000/users/123",
    "status_code": 200,
    "reason": "OK",
    "response_time": 0.003647,
    "response_size": 66,
    "response_body": {
      "message": "User updated",
      "id": 123,
      "updated": {
        "body": "test_body"
      }
    }
  }
]

Two quick jq commands to pull out the endpoints that answered with HTTP 200 (on an unauthenticated run a 200 is the interesting case; 401/403 means the endpoint enforced authentication, and 5xx means the test data reached code that failed):

# Pull out the full result objects
jq '[.[] | select(.status_code == 200)]' output.json


# Pull out URLs only
jq '[.[] | select(.status_code == 200).url]' output.json
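The tool's stated purpose is finding endpoints reachable without authentication, and the strongest signal for that is comparing an unauthenticated run against one made with --token or --username/--password. The following is an added Python example, not part of the WADLer, that reads two result sets in the JSON format shown above (constructed sample data embedded inline, not real scan output), lists the endpoints that answered 2xx without credentials, flags those whose response is identical to the authenticated one, and surfaces 5xx responses for follow-up. The `load_results` helper for reading real output files is an assumption about how you would wire it up.

```python
import json
from collections import Counter

# Constructed sample results in the WADLer JSON output format (not real scan data).
UNAUTH_RUN = json.loads("""[
  {"method": "GET",  "url": "http://localhost:8000/users", "status_code": 200, "reason": "OK",
   "response_time": 0.006, "response_size": 48,
   "response_body": {"message": "Fetched users", "filter": "test_role"}},
  {"method": "POST", "url": "http://localhost:8000/users", "status_code": 401, "reason": "Unauthorized",
   "response_time": 0.004, "response_size": 27,
   "response_body": {"error": "authentication required"}},
  {"method": "GET",  "url": "http://localhost:8000/admin/config", "status_code": 200, "reason": "OK",
   "response_time": 0.005, "response_size": 120,
   "response_body": {"debug": true, "db": "postgres://db:5432/app"}},
  {"method": "PUT",  "url": "http://localhost:8000/users/123", "status_code": 500, "reason": "Internal Server Error",
   "response_time": 0.020, "response_size": 12,
   "response_body": "server error"}
]""")

AUTH_RUN = json.loads("""[
  {"method": "GET",  "url": "http://localhost:8000/users", "status_code": 200, "reason": "OK",
   "response_time": 0.006, "response_size": 48,
   "response_body": {"message": "Fetched users", "filter": "test_role"}},
  {"method": "POST", "url": "http://localhost:8000/users", "status_code": 200, "reason": "OK",
   "response_time": 0.005, "response_size": 54,
   "response_body": {"message": "User created", "user": {"body": "test_body"}}},
  {"method": "GET",  "url": "http://localhost:8000/admin/config", "status_code": 200, "reason": "OK",
   "response_time": 0.005, "response_size": 120,
   "response_body": {"debug": true, "db": "postgres://db:5432/app"}},
  {"method": "PUT",  "url": "http://localhost:8000/users/123", "status_code": 500, "reason": "Internal Server Error",
   "response_time": 0.020, "response_size": 12,
   "response_body": "server error"}
]""")


def endpoint_key(result):
    return (result["method"], result["url"])


def load_results(path):
    """Read a WADLer -o output file (assumed usage; the samples above are inline instead)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def status_summary(results):
    """Count of results per HTTP status code, e.g. {200: 2, 401: 1, 500: 1}."""
    return dict(Counter(r["status_code"] for r in results))


def unauthenticated_access(unauth, auth=None):
    """Endpoints that answered 2xx without credentials. When an authenticated run is
    supplied, also record whether the unauthenticated response (status and body) is
    identical to the authenticated one, which suggests no authorization check at all."""
    auth_by_key = {endpoint_key(r): r for r in (auth or [])}
    findings = []
    for r in unauth:
        if not 200 <= r["status_code"] < 300:
            continue
        a = auth_by_key.get(endpoint_key(r))
        same = (a is not None
                and a["status_code"] == r["status_code"]
                and a["response_body"] == r["response_body"])
        findings.append({"method": r["method"], "url": r["url"],
                         "status_code": r["status_code"], "same_as_authenticated": same})
    return findings


def server_errors(results):
    """5xx responses deserve a second look: the placeholder data reached code that failed."""
    return [endpoint_key(r) for r in results if r["status_code"] >= 500]


if __name__ == "__main__":
    print("status summary (unauthenticated):", status_summary(UNAUTH_RUN))
    for f in unauthenticated_access(UNAUTH_RUN, AUTH_RUN):
        tag = "identical to authenticated response" if f["same_as_authenticated"] else "differs from authenticated"
        print(f"{f['method']} {f['url']} -> {f['status_code']} ({tag})")
    print("server errors:", server_errors(UNAUTH_RUN))
```

With the sample data, GET /users and GET /admin/config are reported as reachable without credentials and identical to the authenticated responses, POST /users is correctly protected (401), and PUT /users/123 is listed as a server error on both runs. Responses that differ between the runs (a 200 with an empty list unauthenticated versus populated data authenticated, say) are not flagged as identical and need manual review.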

Download files

Source Distribution

wadler-0.1.0.tar.gz (10.2 kB)

Built Distribution

wadler-0.1.0-py3-none-any.whl (11.5 kB)

File details

Details for the file wadler-0.1.0.tar.gz.

File metadata

  • Download URL: wadler-0.1.0.tar.gz
  • Size: 10.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for wadler-0.1.0.tar.gz
Algorithm    Hash digest
SHA256       4dee47f9ad22e9bbccec79cb4f1e8e720a44086f520831c43d4626708a385485
MD5          d03dab309ad436b4d81e67fbc7036dbf
BLAKE2b-256  34b9cd615b69d4b1dbd8a42ca2a3b7048cc95d0ea740a9bdc5cb0783a4e2aa50

Provenance

The following attestation bundles were made for wadler-0.1.0.tar.gz:

Publisher: pypi-publish.yaml on SecurityRiskAdvisors/WADLer

File details

Details for the file wadler-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: wadler-0.1.0-py3-none-any.whl
  • Size: 11.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for wadler-0.1.0-py3-none-any.whl
Algorithm    Hash digest
SHA256       4c34ce06afe0a0220c7b8be2660bdff253f158c5fe03ed1e06ab54c79a857998
MD5          1b2a6fa61372149407e76a74a85fc614
BLAKE2b-256  b881d70f69156de9b2f55b6d24952a5b99ae539ef4be3ba9a635c3b3622f4efe

Provenance

The following attestation bundles were made for wadler-0.1.0-py3-none-any.whl:

Publisher: pypi-publish.yaml on SecurityRiskAdvisors/WADLer
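The published digests above are only useful if something checks them. As an added Python example (not part of the WADLer or of PyPI's tooling), the block below carries the two SHA-256 digests listed on this page, verifies a downloaded artifact against them in a streaming, constant-time comparison, and renders a hash-pinned requirements line for `pip install --require-hashes`. Only SHA-256 is used; the MD5 digests are listed for compatibility and should not be relied on for integrity. The `verify.py` invocation in the comment is an assumed usage, not a script that ships with the package.

```python
import hashlib
import hmac

# SHA-256 digests published on the PyPI page for the wadler 0.1.0 artifacts.
PUBLISHED_SHA256 = {
    "wadler-0.1.0.tar.gz": "4dee47f9ad22e9bbccec79cb4f1e8e720a44086f520831c43d4626708a385485",
    "wadler-0.1.0-py3-none-any.whl": "4c34ce06afe0a0220c7b8be2660bdff253f158c5fe03ed1e06ab54c79a857998",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a downloaded artifact in chunks so it never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_published(computed_hex: str, expected_hex: str) -> bool:
    """Compare digests case-insensitively and in constant time; a missing or
    wrong-length expected digest never matches."""
    return hmac.compare_digest(computed_hex.lower(), expected_hex.lower())


def hash_pinned_requirement(name: str, version: str, digests: dict) -> str:
    """Requirements line that makes pip refuse any artifact whose SHA-256 is not listed
    (install with: pip install --require-hashes -r requirements.txt)."""
    pins = " ".join(f"--hash=sha256:{d}" for d in digests.values())
    return f"{name}=={version} {pins}"


if __name__ == "__main__":
    import sys

    print(hash_pinned_requirement("wadler", "0.1.0", PUBLISHED_SHA256))
    for path in sys.argv[1:]:  # assumed usage: python verify.py wadler-0.1.0.tar.gz
        name = path.rsplit("/", 1)[-1]
        ok = matches_published(sha256_file(path), PUBLISHED_SHA256.get(name, ""))
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

Pinning both the sdist and the wheel digests in one requirements line lets pip accept whichever artifact it resolves while still rejecting anything that was not published with this release; the Trusted Publishing attestation above covers who built the release, and the hash check covers what you actually installed.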
