Last week I had to perform a penetration test on a Web Services environment, and during the project I found the following interesting documents:
SIFT - Web Services Security Testing Framework V1 - by SIFT Link
This document is a great resource.
Web Services Security - by Bilal Siddiqui Link
Exploring Web Services Encryption - by Bilal Siddiqui Link
More on Web Services Encryption - by Schmoil Link
Seguridad en Servicios Web (Spanish) - by Oscar Gonzales Link
About the tools, I had some trouble with the usual hacking tools: we didn't have UDDI or jUDDI, so we had to hack the application server (JBoss) and then access the web services admin panel to get the WSDL.
With the WSDL I proceeded to perform some brute-force attacks with WebSlayer to find a valid username and password for WS-Security (client authentication).
The other tool that I used was AppScan Web Services Power Tools, which allowed me to get the descriptions and perform requests, but I didn't like the way it handles the raw request...
Another interesting tool is SoapUI, the web services testing tool; it's very complete and I'm still learning how to use it...
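The WS-Security client authentication mentioned above is, in the common case, a UsernameToken with a PasswordDigest, where the digest is Base64(SHA-1(nonce + created + password)). The following is an added example written for this post (not code from the original or from any of the tools named) showing both sides of that exchange: a client that builds the token and a hypothetical server-side verifier that rejects stale Created timestamps, replayed nonces and plaintext passwords, compares digests in constant time, and counts failures per user so that a credential brute-force locks the account. The user store, the password, and the lockout threshold are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from the OASIS WS-Security 1.0 UsernameToken profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(raw nonce bytes + Created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_username_token(username, password, nonce, created):
    """Client side: a SOAP envelope carrying a digest UsernameToken."""
    created_s = created.strftime(TS_FMT)
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created_s, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
        <wsu:Created>{created_s}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def parse_username_token(envelope_xml):
    """Pull the UsernameToken fields out of the Security header."""
    root = ET.fromstring(envelope_xml)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no UsernameToken in Security header")
    pw = tok.find(f"{{{WSSE}}}Password")
    return {
        "username": tok.findtext(f"{{{WSSE}}}Username", ""),
        "password": (pw.text or "") if pw is not None else "",
        "type": pw.get("Type", "") if pw is not None else "",
        "nonce": tok.findtext(f"{{{WSSE}}}Nonce", ""),
        "created": tok.findtext(f"{{{WSU}}}Created", ""),
    }


class UsernameTokenVerifier:
    """Hypothetical server-side check. Note that PasswordDigest forces the
    server to hold the password (or an equivalent) in a form it can feed to
    SHA-1, which is one of the profile's known weaknesses."""

    def __init__(self, passwords, max_failures=5, max_age=timedelta(minutes=5)):
        self.passwords = passwords          # constructed user store: {user: password}
        self.max_failures = max_failures    # failed attempts before lockout
        self.max_age = max_age              # tolerated |now - Created|
        self.failures = {}                  # per-user failure counter
        self.seen_nonces = set()            # (user, nonce) pairs already accepted

    def _fail(self, user, reason):
        self.failures[user] = self.failures.get(user, 0) + 1
        return False, reason

    def verify(self, envelope_xml, now):
        t = parse_username_token(envelope_xml)
        user = t["username"]
        if self.failures.get(user, 0) >= self.max_failures:
            return False, "locked"                      # brute-force defence
        if t["type"] != DIGEST_TYPE:
            return self._fail(user, "plaintext password not accepted")
        try:
            created = datetime.strptime(t["created"], TS_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(t["nonce"], validate=True)
        except ValueError:                              # binascii.Error is a ValueError
            return self._fail(user, "malformed token")
        if len(nonce) < 16:
            return self._fail(user, "nonce too short")
        if abs(now - created) > self.max_age:
            return self._fail(user, "stale Created")
        if (user, t["nonce"]) in self.seen_nonces:
            return self._fail(user, "nonce replay")
        # Unknown users are still compared against an empty password so the
        # response time does not reveal whether the username exists.
        expected = password_digest(nonce, t["created"], self.passwords.get(user, ""))
        if user not in self.passwords or not hmac.compare_digest(expected, t["password"]):
            return self._fail(user, "bad credentials")
        self.seen_nonces.add((user, t["nonce"]))
        self.failures.pop(user, None)
        return True, "ok"


def demo():
    """Runs the exchange against constructed data and returns each outcome."""
    users = {"alice": "correct horse battery staple"}   # constructed sample
    v = UsernameTokenVerifier(users, max_failures=5)
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    good = build_username_token("alice", users["alice"], secrets.token_bytes(16), now)
    results = {"valid": v.verify(good, now)}
    results["replay"] = v.verify(good, now)             # same nonce a second time
    old = build_username_token("alice", users["alice"], secrets.token_bytes(16),
                               now - timedelta(hours=1))
    results["stale"] = v.verify(old, now)
    # Every failure above counted; three wrong guesses reach the threshold,
    # after which even the right password is refused.
    for i in range(3):
        v.verify(build_username_token("alice", f"guess{i}", secrets.token_bytes(16), now), now)
    fresh = build_username_token("alice", users["alice"], secrets.token_bytes(16), now)
    results["after_bruteforce"] = v.verify(fresh, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The verifier is deliberately state-heavy (nonce cache plus failure counters); in a real deployment both would live in shared storage so that a load-balanced service cannot be replayed or brute-forced by spreading requests across nodes.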
UPDATE:
Any other interesting tools or documents?
-CMM
3 comments:
Yeah, this:
http://www.tssci-security.com/archives/2008/12/14/writing-a-web-services-fuzzer-in-5-minutes-to-sql-injection/
Thanks Marcin, I had problems with WSFuzzer too; I will talk with Andreu to check if he has an updated version. Thanks for your link :)
Hi,
I just started with WSFuzzer and I have a problem.
Could someone help me?
python WSFuzzer.py -h 127.0.0.1
File "stdin", line1
python WSFuzzer.py -h 127.0.0.1
^
SyntaxError: invalid syntax
>>>