Penetration testing web services

Web Services are designed to support interoperable machine-to-machine communication and frequently have interfaces described in a machine-processable format (specifically the Web Services Description Language, known by the acronym WSDL).

Systems interact with the Web service in the manner prescribed by its WSDL definition, using SOAP messages. These SOAP messages are typically transmitted over HTTP or HTTPS with an XML serialization format. Web Services have grown massively in recent years: Amazon EC2, Microsoft Azure, and PayPal all use SOAP-based Web services, and with the increase in mobile apps this trend is likely to continue.

Web Services testing is performed by manipulating the parameters identified in WSDL files. These files provide a roadmap of the types of SOAP requests that a Web Service is configured to respond to. Web Services can still be susceptible to:

SQL injection,
LDAP injection,
OS command injection,
XPath injection,
blind injection,
buffer overflows.

XML-based resources are frequently configured without any form of access control. As a consequence, if a web service allows user input to be included in a query, it becomes a strong target for injection-based attacks. Because many Web Services provide critical business functions, they are an attractive target for Internet attackers.
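To make the "roadmap" idea concrete, here is an added example (not from the original article) that walks a constructed WSDL for a hypothetical "orders" service, resolves each operation's input message down to its XSD parameters, and flags the free-form string inputs that the service must validate server-side and that a tester would review first. The WSDL, service name and parameter names are all made up for the example.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/", "xsd": "http://www.w3.org/2001/XMLSchema"}
XSD_NS = NS["xsd"]

# Constructed sample WSDL for a hypothetical "orders" service (not a real endpoint):
# one portType, two operations, inputs described as XSD elements in <types>.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:orders" targetNamespace="urn:orders">
  <types><xsd:schema targetNamespace="urn:orders">
    <xsd:element name="GetOrder"><xsd:complexType><xsd:sequence>
      <xsd:element name="orderId" type="xsd:int"/><xsd:element name="customer" type="xsd:string"/>
    </xsd:sequence></xsd:complexType></xsd:element>
    <xsd:element name="SearchOrders"><xsd:complexType><xsd:sequence>
      <xsd:element name="filter" type="xsd:string"/></xsd:sequence></xsd:complexType></xsd:element>
  </xsd:schema></types>
  <message name="GetOrderIn"><part name="body" element="tns:GetOrder"/></message>
  <message name="SearchOrdersIn"><part name="body" element="tns:SearchOrders"/></message>
  <portType name="OrdersPort">
    <operation name="GetOrder"><input message="tns:GetOrderIn"/></operation>
    <operation name="SearchOrders"><input message="tns:SearchOrdersIn"/></operation>
  </portType>
</definitions>"""

def local(qname):
    """Strip a namespace prefix such as 'tns:' from a QName attribute value."""
    return qname.split(":")[-1]

def enumerate_operations(wsdl_text):
    """Map each portType operation to [(parameter name, XSD type), ...] for its input,
    resolving operation -> input message -> part -> schema element -> child elements.
    Parse WSDL fetched from an untrusted source with a hardened parser (e.g. defusedxml)."""
    root = ET.fromstring(wsdl_text)
    elements = {e.get("name"): e for e in root.iter(f"{{{XSD_NS}}}element") if e.get("name")}
    messages = {m.get("name"): m for m in root.findall("wsdl:message", NS)}
    ops = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        msg = messages[local(op.find("wsdl:input", NS).get("message"))]
        params = []
        for part in msg.findall("wsdl:part", NS):
            wrapper = elements[local(part.get("element"))]
            params += [(c.get("name"), c.get("type"))
                       for c in wrapper.iter(f"{{{XSD_NS}}}element") if c.get("type")]
        ops[op.get("name")] = params
    return ops

def free_text_inputs(ops):
    """xsd:string parameters: unconstrained input that must be validated before it reaches
    a SQL, LDAP, XPath or OS-command sink, so the first place to review for injection."""
    return {op: [n for n, t in params if local(t) == "string"] for op, params in ops.items()}
```

Integer-typed parameters such as orderId are still worth checking, since a schema type is only enforced if the service actually validates requests against it.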

Web Services can also be attacked outside of the WSDL configuration file. It is possible to conduct:

authentication-based attacks,
XML structural attacks,
XML content-level attacks,
HTTP GET parameter/REST attacks,
SOAP attachment attacks.

All of these attack vectors can allow an attacker to gain access to privileged data and even gain root/administrator access to underlying resources.
The Web Service testing scope includes Apache Axis/Axis2, Zend, Microsoft WCF and Silverlight, BPEL services, REST, SOAP over HTTP, SOAP over TCP and SOAP over MQ.

Ken Johnson wrote a nice guide to Web Services pen tests: http://resources.infosecinstitute.com/soap-attack-1/

Metasploit has a good built-in scanner for SOAP:

http://www.metasploit.com/modules/auxiliary/scanner/http/soap_xml

Other good recent theory:
https://www.owasp.org/images/2/2e/Orlando_OWASP_-_RealWorldWebServiceTesting.pptx or http://spl0it.org/files/talks/bh_dc11/BH_US_11_JohnsonEstonAbraham_Dont_Drop_the_SOAP_Slides.pdf