[WEB SECURITY] Need a vulnerable XML Web Service

Ory Segal SEGALORY at il.ibm.com
Thu Jun 3 14:38:53 EDT 2010


Has anyone noticed how all these "theoretical / tutorial" Web Services 
never use any WS-Security? 

a) Real world SOAP web services, in real SOA environments, usually come 
with plenty of WS-Security

b) There are plenty of things that can go wrong when implementing 
WS-Security, yet most security experts and most demo web sites tend to 
talk about SQL injection over SOAP. I've seen some external entities here 
and there, but that's as deep as it goes most times.

-Ory

-------------------------------------------------------------
Ory Segal
Security Products Architect
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359




From:   7Lyrix <7lyrix at gmail.com>
To:     Nilesh Bhosale <nilesh at gslab.com>
Cc:     websecurity at webappsec.org
Date:   03-06-2010 09:17 PM
Subject:        Re: [WEB SECURITY] Need a vulnerable XML Web Service



A few.
See:
http://www.yehg.net/lab/pr0js/training/webgoat.php#Web_Services


On Thu, Jun 3, 2010 at 3:17 PM, Nilesh Bhosale <nilesh at gslab.com> wrote:
> Thanks for all the responses.
>
> Does WebGoat have a vulnerable XML Webservice?
>
> Thanks,
> Nilesh
>
> On Thursday 03 June 2010 11:36 AM, 7Lyrix wrote:
>
> Try webgoat:
> http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>
> Ivan Buetler, thank you for http://www.hacking-lab.com. It's very great.
>
> On Wed, Jun 2, 2010 at 3:23 PM, Nilesh Bhosale <nilesh at gslab.com> wrote:
>
>
> I need a vulnerable Web Service which I can use to try out and learn some of
> the XML web service attacks.
>
> Thanks,
> Nilesh
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
