SOAPAction Spoofing: Extend plugin to work in combination with WS-Addressing

[kmzs]

When attacking a web service that is built with the Metro or Axis2 framework and makes use of WS-Addressing, the SOAPAction Spoofing plugin shows that the service is not vulnerable.
However setting the <wsa:Action>-element in the WS-Addressing header to the same operation like the SOAPAction parameter results in a successful attack.

Web services built with the Metro or Axis2 framework will execute the operation specified in the SOAPAction parameter if the same operation is specified in the <wsa:Action>-element, no matter which operation is called in the <soap:Body>-element.
This is equal to a 3/3 rating from the attack plugin.

Compared to a web service without WS-Addressing the Metro web service got a worse score.

This can be easily reproduced using the sample web services "Metro-1" and "Axis2-1". (Make sure to enable WS-Addressing in the Expert View)