[WEB SECURITY] Re: Vulnerability Scanner for Web Services

Monica Verma mon.ver85 at gmail.com
Mon Feb 1 14:11:11 EST 2010


Hi again,

I read some papers on this topic (http://eden.dei.uc.pt/~mvieira/dsn_ws.pdf,
Fonseca, J., Vieira, M., Madeira, H., "Testing and comparing web vulnerability
scanning tools for SQL injection and XSS attacks",
http://www.webappsec.org/projects/threat/classes_of_attack.shtml, etc.) and
found the "obvious" answer ;) . My bad, I didn't check them before.

Thanks.

Best,
Monica

On Mon, Feb 1, 2010 at 12:37 PM, Monica Verma <mon.ver85 at gmail.com> wrote:

> Hi all,
>
> I was reading a White Paper by Blackhat (EU 2007) on various threats and
> vulnerabilities in web services that are somewhat similar to in web
> applications. It talked about WSDL Enumeration, XML Injection, XQuery
> Injection, etc. that are also mentioned in the WASC Threat Classification
> v2.
>
> So if I understand correctly, vulnerability and threat analysis for web
> services takes a similar approach to that of web applications? I also read
> that, say Acunetix for e.g., scans not only for vulnerabilities in Web Apps
> for Windows/Unix/Linux but also "Apache Web Services" and in all "Web Server
> services". I found this statement a little confusing. From what I know, "Web
> Server Services" refers to services being hosted by the Web Server (say some
> website) and these are fundamentally different from Web Services (the
> WSDL-SOAP approach). Is that right? If yes, can one then say that a Web
> Vulnerability Scanner can look for vulnerabilities not only in web apps but
> also in web services, thereby revealing not only possibilities of SQL
> Injection but also of a DTD Entity Reference attack, for example?
>
> Secondly, what would be the major implementation, performance and
> effectiveness differences between a Web Vulnerability Scanner and providing
> it as SaaS, if any? Is that only limited to the general issues for any
> SaaS in the cloud and cloud implementation, or are there any concerns specific to
> web vulnerability scanning being provided as SaaS?
>
> My apologies in advance in case I am asking something naive/obvious.
>
> Best,
> Monica
>
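The quoted question asks whether a scanner that covers web services can flag a DTD entity reference attack as well as SQL injection. The distinction matters on the defending side too: a SOAP endpoint hands every request to an XML parser, so the parser's configuration decides whether a DTD in the request is honoured. The example below is added here and is not part of the thread or of any scanner mentioned in it; the SOAP payloads are constructed, and `parse_soap` / `is_request_safe` are hypothetical names for a request-validation layer. It uses the standard-library expat bindings to show the weak behaviour (DTD accepted, internal entity expanded into the request data) beside the hardened one (any DOCTYPE rejected before an entity can be declared or expanded, external entities never fetched).

```python
import xml.parsers.expat as expat

# Constructed sample payloads (not taken from the original thread).
BENIGN_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getUser><id>42</id></getUser></soap:Body>
</soap:Envelope>"""

# A request carrying a DTD with an internal entity reference. The entity's
# value is harmless text; the point is that a hardened service refuses the
# DTD itself rather than reasoning about what the entity contains.
DTD_SOAP = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [ <!ENTITY ref "constructed-entity-value"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getUser><id>&ref;</id></getUser></soap:Body>
</soap:Envelope>"""


class UnsafeXmlError(ValueError):
    """Raised when a request uses XML features the service does not accept."""


def parse_soap(payload: bytes, allow_dtd: bool = False) -> dict:
    """Parse a SOAP-style request into {tag: text} for its leaf elements.

    allow_dtd=False is the hardened setting: any DOCTYPE aborts parsing
    before entities are declared, so nothing can be expanded.
    allow_dtd=True mimics a default expat parser, which expands internal
    entities into the request data (the behaviour a DTD entity test probes).
    External entities are never resolved in either mode.
    """
    parser = expat.ParserCreate()
    leaves = {}
    text = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXmlError(f"DOCTYPE '{name}' not permitted in a service request")

    def external_entity(context, base, system_id, public_id):
        # Returning 0 tells expat to stop instead of fetching the entity.
        return 0

    def start_element(tag, attrs):
        text.clear()

    def end_element(tag):
        value = "".join(text).strip()
        if value:
            leaves[tag] = value
        text.clear()

    def char_data(data):
        # Internal entity expansions arrive here as ordinary character data.
        text.append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(payload, True)
    return leaves


def is_request_safe(payload: bytes) -> bool:
    """True when the request parses under the hardened settings."""
    try:
        parse_soap(payload, allow_dtd=False)
        return True
    except (UnsafeXmlError, expat.ExpatError):
        return False


if __name__ == "__main__":
    print("benign:", parse_soap(BENIGN_SOAP))
    print("weak parser on DTD payload:", parse_soap(DTD_SOAP, allow_dtd=True))
    print("hardened parser accepts DTD payload:", is_request_safe(DTD_SOAP))
```

Rejecting DOCTYPE outright is the same policy most hardened SOAP stacks apply; it is simpler and safer than trying to allow "harmless" DTDs, and it gives a scanner's DTD entity test a clean negative result to report.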