Tuesday, February 10, 2009

Web Services Security testing

Last week I had to perform a penetration test on a Web Services environment, and during the project I found the following interesting documents:

SIFT - Web Services Security Testing Framework V1 - by SIFT Link

This document is a great resource.

Web Services Security - by Bilal Siddiqui Link

Exploring Web Services Encryption - by Bilal Siddiqui Link

More on Web Services Encryption - by Schmoil Link

Seguridad en Servicios Web (Spanish) - by Oscar Gonzales Link

About the tools, I had some trouble with the usual hacking tools: we didn't have UDDI or jUDDI, so we had to hack the application server (JBoss) and then access the Web Services admin panel to get the WSDL.

With the WSDL I proceeded to perform some brute-force attacks with WebSlayer to find a valid username and password for the WS-Security (client authentication).

The other tool that I used was AppScan Web Services Power Tools, which allowed me to get the descriptions and perform requests, but I didn't like the way it handled the raw request...

Another interesting tool is soapUI, the web services testing tool; it's very complete and I'm still learning how to use it....

We also used WSFuzzer from OWASP. Here is a video on how to use it.


Any other interesting tools or document?

