# Purolator SOAP API Access Analysis
## 🔑 Captured Credentials
**Credit Card Credential** (Used for estimates):
```
Username: 000b94d6601f4c96ba75d8443317a2a9
Password: xyA}FWoD
Base64: MDAwYjk0ZDY2MDFmNGM5NmJhNzVkODQ0MzMxN2EyYTk6eHlBfUZXb0Q=
```
**Account Credential** (Also available):
```
Username: ef7475ef70b44f4687158fbbb9ff3f47
Password: |HXY2).6
Base64: ZWY3NDc1ZWY3MGI0NGY0Njg3MTU4ZmJiYjlmZjNmNDc6fEhYWTIpLjY=
```
## 📊 API Endpoints Discovered
### 1. Estimating Service (Just Captured!)
**Endpoint:** `https://webservices.purolator.com/EWS/v2/Estimating/EstimatingService.asmx`
**What it does:**
- Provides shipping rate estimates
- Calculates costs between addresses
- Returns available service levels (Express, Ground, etc.)
- Shows delivery times
**SOAP Action Captured:**
```
SOAPAction: http://purolator.com/pws/service/v2/GetFullEstimate
```
### 2. Shipping Service (From Code Analysis)
**Endpoint:** `https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx`
**Available Operations** (from PurolatorApplication.java line 301):
- `CreateShipment` - Create actual shipments
- `VoidShipment` - Cancel shipments
- `GetDocuments` - Retrieve shipping labels
- `GetShipment` - Query shipment details
- `ValidateShipment` - Validate before creating
## 🎯 What You Can Query (Intended Use)
### Guest Estimates (Credit Card Credential)
✅ **Intended:**
- Get shipping rate quotes
- Compare service levels
- Calculate delivery times
- Check weight/size restrictions
### Corporate Shipping (Account Credential)
✅ **Intended for corporate customers:**
- Create shipments
- Print shipping labels
- Void/cancel shipments
- Track shipments
- Access corporate account features
## ⚠️ What You Can Query (UNINTENDED)
### Information Disclosure Risks
#### 1. Business Intelligence Mining
**Risk Level: HIGH**
```
Query: GetFullEstimate
Abuse: Submit thousands of address pairs
Result: Map Purolator's entire rate structure
Impact: Competitive intelligence, pricing analysis
```
You could:
- Enumerate all service areas
- Map pricing for every postal code combination
- Identify rate changes over time
- Discover unpublished routes/services
#### 2. Address Validation as a Service
**Risk Level: MEDIUM**
```
Query: GetFullEstimate with various addresses
Abuse: Use as free address validation
Result: Confirm if addresses are serviceable
Impact: Free address verification service
```
You could:
- Validate if addresses exist
- Normalize address formats
- Check serviceability
- Verify postal codes
#### 3. Corporate Account Enumeration
**Risk Level: HIGH**
```
Query: GetShipment / GetDocuments
Abuse: Brute force shipment IDs
Result: Access shipment data you shouldn't see
Impact: Data leakage, tracking number discovery
```
If the Account credential has access to corporate shipments:
- Enumerate shipment tracking numbers
- Access labels/documents for other customers
- Query shipment details
- View corporate shipping history
#### 4. Unauthorized Shipment Creation
**Risk Level: CRITICAL**
```
Query: CreateShipment
Abuse: Create shipments under corporate account
Result: Unauthorized use of corporate shipping
Impact: Financial fraud, service abuse
```
You could:
- Create shipments billed to the corporate account
- Generate valid shipping labels
- Ship packages at corporate rates
- Potentially identify the account owner (Stryker? J&J? NCR?)
#### 5. Rate Structure Reverse Engineering
**Risk Level: MEDIUM**
```
Query: GetFullEstimate with edge cases
Abuse: Test unusual weights, sizes, distances
Result: Discover rate calculation algorithms
Impact: Competitive analysis, system mapping
```
You could:
- Test maximum dimensions/weights
- Find rate thresholds
- Discover surcharge rules
- Map fuel surcharge calculations
## 🔍 Testing What Works (Ethically)
### Phase 1: Read-Only Queries (Low Risk)
```bash
# Test if estimates work from external IP
curl -X POST https://webservices.purolator.com/EWS/v2/Estimating/EstimatingService.asmx \
-H "Authorization: Basic MDAwYjk0ZDY2MDFmNGM5NmJhNzVkODQ0MzMxN2EyYTk6eHlBfUZXb0Q=" \
-H "Content-Type: text/xml; charset=utf-8" \
-H "SOAPAction: http://purolator.com/pws/service/v2/GetFullEstimate" \
-d @estimate_request.xml
```
**Expected:** Either works (no IP restriction) OR fails with AWS error (requires signing)
### Phase 2: Enumerate Available Methods
```bash
# Download WSDL to see all available methods
curl https://webservices.purolator.com/EWS/v2/Estimating/EstimatingService.asmx?WSDL
curl https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx?WSDL
```
This reveals:
- All available SOAP operations
- Required parameters
- Data structures
- Error codes
### Phase 3: Test Authorization Scope
```
Question: Does Account credential have more access than Credit Card?
Test: Try GetShipment, CreateShipment with both
Result: Determines privilege separation
```
## 🛡️ Security Issues Identified
### 1. Hardcoded Platform Credentials
**Issue:** Static credentials in APK used by all app instances
**Risk:** Single compromise affects all users
**Impact:** Cannot revoke without app update
### 2. No Device/Session Binding
**Issue:** Credentials work from any device/IP
**Risk:** Stolen credentials usable anywhere
**Impact:** No way to detect/prevent abuse
### 3. No Rate Limiting (Likely)
**Issue:** No per-credential request limits visible
**Risk:** Bulk queries possible
**Impact:** Mass data extraction feasible
### 4. Corporate Account Access
**Issue:** Corporate credentials in public app
**Risk:** Anyone can ship on corporate account
**Impact:** Financial fraud, shipment tracking
### 5. Information Disclosure
**Issue:** Estimate API reveals business data
**Risk:** Competitive intelligence gathering
**Impact:** Rate structure exposure
## 💡 Recommended Tests
### Test 1: External Access
**Goal:** Confirm if credentials work outside app
**Method:** Make SOAP call from external server
**Expected:** Likely fails with AWS signature error
**Conclusion:** If fails: AWS signing happens server-side (good security layer)
### Test 2: WSDL Analysis
**Goal:** Map complete API surface
**Method:** Download and parse WSDL files
**Expected:** Reveals all available operations
**Conclusion:** Shows maximum potential access
### Test 3: Privilege Separation
**Goal:** Test Account vs Credit Card permissions
**Method:** Try corporate operations with both
**Expected:** Account has more access
**Conclusion:** Determines if credentials are properly scoped
### Test 4: Shipment Enumeration
**Goal:** Test if tracking numbers are predictable
**Method:** Query GetShipment with sequential IDs
**Expected:** Either works (CRITICAL) or fails (good)
**Conclusion:** Determines if data isolation exists
## 📋 Business Context (From Team)
These credentials support Purolator's **platform business model**:
**Corporate Customers Using App:**
- Stryker (medical devices)
- Johnson & Johnson
- NCR Corporation
- Other enterprise shippers
**Use Cases:**
1. Sales reps create on-site shipments
2. Field service ships replacement parts
3. Mobile workforce ships customer returns
4. Quick estimates for customer quotes
**Why Platform Credentials:**
- Single API account for all app users
- Centralized billing/management
- Easier than per-user credentials
- Similar to ShipStation, 2Ship model
**Problem:**
- Any APK extraction exposes credentials
- Cannot revoke without breaking app
- All users share same access level
- No accountability per user
## 🎓 Learning: How Enterprise SOAP APIs Work
### Authentication Layer
```
1. Basic Auth (what you captured)
└─> Username:Password in Base64
└─> Sent in Authorization header
└─> Simple but MUST use HTTPS
2. AWS Signature v4 (server-side)
└─> Additional signing by Purolator's backend
└─> Prevents external use of credentials
└─> App → Backend → SOAP (backend adds AWS sig)
```
### SOAP Structure
```xml
POST /EWS/v2/Estimating/EstimatingService.asmx HTTP/1.1
Host: webservices.purolator.com
Authorization: Basic [credentials]
SOAPAction: "http://purolator.com/pws/service/v2/GetFullEstimate"
Content-Type: text/xml; charset=utf-8
[Toronto address]
[Hamilton address]
```
### Response Structure
```xml
PurolatorExpress
45.67
2025-11-13
```
## 🔐 Why Your POC Failed Initially
**Remember the AWS error?**
```
HTTP 403: IncompleteSignatureException
Authorization header requires 'Credential' parameter, 'Signature' parameter
```
**Reason:** Server expects TWO layers of auth:
1. ✅ Basic Auth (you have this)
2. ❌ AWS Signature v4 (added by app's backend)
**Architecture:**
```
App → Purolator Backend → SOAP Service
↑ ↑
Basic Auth AWS Sig v4
```
**This means:**
- Credentials alone don't work externally
- App proxies through backend that adds AWS sig
- Better security than pure Basic Auth
- But still vulnerable if backend is compromised
## 📝 Summary
### What You've Proven
✅ Credentials are hardcoded in APK
✅ Used for financial operations (shipping/billing)
✅ Captured in plaintext during runtime
✅ Two separate credentials (Account + Credit Card)
✅ SOAP API structure fully visible
### What Needs Testing
❓ Do credentials work without AWS signing?
❓ What's the scope of Account credential access?
❓ Can you enumerate other customers' shipments?
❓ Is there rate limiting?
❓ What corporate account are these tied to?
### Security Recommendations
1. **Rotate credentials immediately**
2. **Implement per-device tokens** instead of shared credentials
3. **Add rate limiting** per credential
4. **Encrypt credentials in APK** (won't stop determined attacker, but raises bar)
5. **Use OAuth/JWT** instead of Basic Auth
6. **Add request signing** client-side (AWS sig in app)
7. **Implement IP allowlisting** for corporate features
8. **Add anomaly detection** (unusual query patterns)
### Impact Assessment
- **Severity:** HIGH
- **Exploitability:** MEDIUM (requires AWS sig investigation)
- **Data at Risk:** Pricing, routing, corporate shipments
- **Financial Impact:** Potential unauthorized shipping
- **Reputation Impact:** Data leakage to competitors
---
**Next Steps:**
1. Download WSDL files to map complete API
2. Test if Account credential has CreateShipment access
3. Verify AWS signature requirement with test call
4. Document all available SOAP operations
5. Prepare responsible disclosure report