Web Services Security testing

Last week I had to perform a penetration test on a Web Services environment, and during the project I found the following interesting documents:

SIFT - Web Services Security Testing Framework V1 - by SIFT

This document is a great resource.

Web Services Security - by Bilal Siddiqui

Exploring Web Services Encryption - by Bilal Siddiqui

More on Web Services Encryption - by Schmoil

Seguridad en Servicios Web (Spanish) - by Oscar Gonzales

About the tools: I had some trouble with the usual hacking tools. We didn't have UDDI or jUDDI, so we had to compromise the application server (JBoss) and then access the Web Services admin panel to get the WSDL.

With the WSDL I proceeded to perform some brute-force attacks with WebSlayer to find a valid username and password for the WS-Security client authentication.
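The WS-Security client authentication mentioned above is normally a UsernameToken, and whether a password-guessing run against it gets anywhere depends on what the receiving service does with each token. The Python below is added here as an example; it is not code from this post or from any of the tools it names. It shows a minimal server-side verifier for PasswordDigest tokens with the three controls that make guessing and replay expensive: a freshness window on wsu:Created, a nonce cache, and a per-user lockout after repeated failures. The credential store, thresholds and the fixed clock in the walkthrough are constructed values.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

# Namespaces from the WS-Security 1.0 UsernameToken Profile
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample credential store. PasswordDigest obliges the server to hold the
# clear-text password, because it is hashed together with nonce and timestamp per message.
USERS = {"wsclient": "correct horse battery staple"}

MAX_FAILURES = 5       # wrong attempts per user before the account is locked (constructed)
LOCKOUT_SECONDS = 300  # how long the lock and the failure window last (constructed)
MAX_CLOCK_SKEW = 300   # how far wsu:Created may drift from server time (constructed)


def build_token(username, password, created, nonce=None):
    """Client side: SOAP envelope carrying a UsernameToken with PasswordDigest."""
    nonce = nonce or secrets.token_bytes(16)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}"><wsse:UsernameToken>'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{base64.b64encode(digest).decode()}</wsse:Password>'
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
    )


class UsernameTokenVerifier:
    """Server side: digest check plus freshness window, nonce cache and per-user lockout."""

    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now                      # injectable clock so runs are reproducible
        self.seen_nonces = {}               # base64 nonce -> epoch after which it is forgotten
        self.failures = defaultdict(list)   # username -> epochs of recent failed attempts

    def _locked(self, username):
        cutoff = self.now() - LOCKOUT_SECONDS
        self.failures[username] = [t for t in self.failures[username] if t > cutoff]
        return len(self.failures[username]) >= MAX_FAILURES

    def _fail(self, username, reason):
        self.failures[username].append(self.now())
        return False, reason

    def verify(self, envelope):
        token = ET.fromstring(envelope).find(f".//{{{WSSE_NS}}}UsernameToken")
        if token is None:
            return False, "no UsernameToken"
        username = token.findtext(f"{{{WSSE_NS}}}Username", "")
        password = token.find(f"{{{WSSE_NS}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE_NS}}}Nonce", "")
        created = token.findtext(f"{{{WSU_NS}}}Created", "")
        if password is None or password.get("Type") != DIGEST_TYPE:
            return False, "only PasswordDigest is accepted"
        if self._locked(username):
            return False, "locked"
        try:
            created_ts = calendar.timegm(time.strptime(created, TIME_FMT))
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return self._fail(username, "malformed token")
        now = self.now()
        if abs(now - created_ts) > MAX_CLOCK_SKEW:
            return self._fail(username, "stale Created timestamp")
        # Nonces are only remembered for as long as their Created could still be fresh.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if nonce_b64 in self.seen_nonces:
            return self._fail(username, "nonce replayed")
        self.seen_nonces[nonce_b64] = now + 2 * MAX_CLOCK_SKEW
        stored = self.users.get(username)
        if stored is None:
            return self._fail(username, "bad credentials")
        expected = hashlib.sha1(nonce + created.encode() + stored.encode()).digest()
        if not hmac.compare_digest(base64.b64encode(expected).decode(), password.text or ""):
            return self._fail(username, "bad credentials")
        return True, "ok"


def demo():
    """Valid login, replay of the same envelope, guessing until lockout, recovery, stale token."""
    clock = [1_700_000_000.0]   # constructed fixed epoch
    v = UsernameTokenVerifier(USERS, now=lambda: clock[0])
    created = time.strftime(TIME_FMT, time.gmtime(clock[0]))
    results = {}
    good = build_token("wsclient", USERS["wsclient"], created)
    results["valid"] = v.verify(good)
    results["replay"] = v.verify(good)
    for i in range(MAX_FAILURES):
        v.verify(build_token("wsclient", f"guess{i}", created))
    results["locked"] = v.verify(build_token("wsclient", USERS["wsclient"], created))
    clock[0] += LOCKOUT_SECONDS + 1
    created = time.strftime(TIME_FMT, time.gmtime(clock[0]))
    results["after_lockout"] = v.verify(build_token("wsclient", USERS["wsclient"], created))
    results["stale"] = v.verify(build_token("wsclient", USERS["wsclient"], "2000-01-01T00:00:00Z"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome}")
```

Two design points worth noting. The lockout is keyed by username, so anyone who knows a valid account name can lock its owner out; keying the counter by source address or replacing the hard lock with a growing delay is the usual trade-off, and the failure log itself is the signal a monitoring team wants to see. And since PasswordDigest only hashes what the client already sent, it protects the password in transit but not the server's credential store, which is why a UsernameToken is normally carried over TLS rather than relied on alone.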

The other tool I used was AppScan's Web Services Power Tools, which let me retrieve the service descriptions and send requests, but I didn't like the way it handles the raw request...

Another interesting tool is SoapUI, the web services testing tool; it's very complete and I'm still learning how to use it....

We also used WSFuzzer from OWASP. Here is a video on how to use it:

UPDATE:


Any other interesting tools or documents?

-CMM

3 comments:

Marcin said...

Yah, this:

http://www.tssci-security.com/archives/2008/12/14/writing-a-web-services-fuzzer-in-5-minutes-to-sql-injection/

Christian Martorella said...

Thanks Marcin, I had problems with WSFuzzer too; I will talk with Andreu to check if he has an updated version. Thanks for your link :)

Unknown said...

Hi,
I just started with WSFuzzer and I have a problem.
Could someone help me?

python WSFuzzer.py -h 127.0.0.1
File "<stdin>", line 1
python WSFuzzer.py -h 127.0.0.1
^
SyntaxError: invalid syntax
>>>