public void ScanVulnerabilities(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
     string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
     bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
 {
     if (vuln.id == 1) // check authentication
     {
         CheckUnAuthenticatedMethod(wsInvoker, operation, vuln, targetNameSpace, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
     }
     else
     {
         CheckVulnsExceptAuth(wsInvoker, operation, vuln, targetNameSpace, wsDesc, WSItemVulnerabilities, reportObject, isDebug, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
     }
 }
        private void CheckUnAuthenticatedMethod(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
            string targetNameSpace, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
            bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
        {
            for (int j = 0; j < operation.Parameters.Count; j++)
            {
                SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
            }

            try
            {
                try
                {
                    reportObject.TotalRequestCount++;
                    wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, null, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
                }
                catch (SoapException soapEx)
                {
                    //throw ex;
                    SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
                }
                catch (Exception ex)
                {
                    throw ex;
                }
            }
            finally { wsInvoker.PosInvoke(); }

            if (!vuln.statusCode.Equals(wsInvoker.StatusCode.ToString())) // status code is not 401, no redirect
            {
                VulnerabilityForReport authVuln = new VulnerabilityForReport();
                authVuln.Vuln = MainForm.vulnerabilities.Vulnerability.Where(v => v.id == 1).FirstOrDefault();
                authVuln.VulnerableMethodName = operation.MethodName;
                authVuln.VulnerableParamName = "";
                authVuln.Payload = "";
                authVuln.Response = wsInvoker.ResultString;
                authVuln.StatusCode = wsInvoker.StatusCode.ToString();

                WSItemVulnerabilities.Vulns.Add(authVuln);

                mainForm.Log("   Auth Vulnerability Found: " + wsInvoker.ResultString + " - status code is : " + wsInvoker.StatusCode.ToString(), FontStyle.Bold, true);
            }
        }
        private void SetVuln(WebServiceToInvoke wsInvoker, WSDescriberForReport WSItemVulnerabilities,
            VulnerabilitiesVulnerability vuln, WSOperation operation, string payload, string paramName, string logStr)
        {
            mainForm.Log(logStr, FontStyle.Bold, true);
            VulnerabilityForReport vulnRep = new VulnerabilityForReport();
            vulnRep.Vuln = vuln;
            vulnRep.VulnerableMethodName = operation.MethodName;
            vulnRep.VulnerableParamName = paramName;
            vulnRep.Payload = payload;
            vulnRep.Response = wsInvoker.ResultString;
            vulnRep.StatusCode = wsInvoker.StatusCode.ToString();

            WSItemVulnerabilities.Vulns.Add(vulnRep);
        }
        private void CheckVulnsExceptAuth(WebServiceToInvoke wsInvoker, WSOperation operation, VulnerabilitiesVulnerability vuln,
           string targetNameSpace, WSDescriber wsDesc, WSDescriberForReport WSItemVulnerabilities, ReportObject reportObject,
            bool isDebug, ref List<Param> respHeader, string customSoapHeaderTags, string customSoapBodyTags)
        {
            int paramIndexToTest = 0;

            for (int i = 0; i < operation.Parameters.Count; i++)
            {
                if (i == paramIndexToTest)
                {
                    foreach (string payload in vuln.request)
                    {
                        bool vulnFoundForParam = false;

                        wsInvoker.AddParameter(operation.Parameters[i].Name, payload.Trim());
                        for (int j = 0; j < operation.Parameters.Count; j++)
                        {
                            if (j != paramIndexToTest)
                            {
                                SetParameterDefaultValue(wsInvoker, operation.Parameters[j], isDebug);
                            }
                        }

                        try
                        {
                            try
                            {
                                reportObject.TotalRequestCount++;
                                wsInvoker.InvokeMethod(operation.MethodName, targetNameSpace, wsDesc, ref respHeader, customSoapHeaderTags, customSoapBodyTags);
                            }
                            catch (SoapException soapEx)
                            {
                                SetSoapFaultException(operation, soapEx, WSItemVulnerabilities, isDebug);
                            }
                            catch (Exception ex)
                            {
                                throw ex;
                            }
                        }
                        finally { wsInvoker.PosInvoke(); }

                        mainForm.Log("   StatusCode: " + wsInvoker.StatusCode, FontStyle.Regular, isDebug);
                        mainForm.Log("   Result: " + wsInvoker.ResultString, FontStyle.Regular, isDebug);

                        if (!string.IsNullOrEmpty(vuln.statusCode))
                        {
                            if (vuln.statusCode.Equals(wsInvoker.StatusCode.ToString()))
                            {
                                if (vuln.response == null || vuln.response.Count() == 0)
                                {
                                    SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, "   " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Status Code: " + vuln.statusCode);
                                    vulnFoundForParam = true;
                                }
                                else
                                {
                                    foreach (string text in vuln.response)
                                    {
                                        if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
                                        {
                                            SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, "   " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text + " - Status Code: " + vuln.statusCode);
                                            vulnFoundForParam = true;
                                            break;
                                        }
                                    }
                                }
                            }
                        }
                        else
                        {
                            foreach (string text in vuln.response)
                            {
                                //if (System.Text.RegularExpressions.Regex.IsMatch(wsInvoker.ResultString.Trim(), text.Trim(), System.Text.RegularExpressions.RegexOptions.IgnoreCase))
                                if (wsInvoker.ResultString.Trim().Contains(text.Trim()))
                                {
                                    // Vulnerability Found
                                    SetVuln(wsInvoker, WSItemVulnerabilities, vuln, operation, payload, operation.Parameters[i].Name, "   " + vuln.title + " Vulnerability Found: " + wsInvoker.ResultString + " - Response Text Contains: " + text);
                                    vulnFoundForParam = true;
                                    break;
                                }
                            }
                        }
                        if (vulnFoundForParam)
                        {
                            break;
                        }
                    }
                }
                paramIndexToTest++;
            }
        }