[WEB SECURITY] Need a vulnerable XML Web Service

Neaves, Tom tom.neaves at uk.verizonbusiness.com
Fri Jun 4 09:42:27 EDT 2010


Hi.
 
I thought I'd offer my two pennies on this.  I usually use SoapUI to
construct valid messages and use Burp as a proxy for it... I then
intercept the badboy and send to Intruder/Repeater for testing.
 
Cheers,
Tom

________________________________

From: Tom Stripling [mailto:tstripling at appsecconsulting.com] 
Sent: 03 June 2010 21:43
To: 'Ory Segal'; '7Lyrix'; websecurity at webappsec.org
Cc: 'Nilesh Bhosale'
Subject: RE: [WEB SECURITY] Need a vulnerable XML Web Service



Along that vein, most penetration testing tools I've used are awful at
constructing WS-Security headers for manual testing.  Excluding
high-dollar automated scanners (I'm not trying to start a vendor war
here), what tools do you all use for testing web services when
WS-Security, SAML, etc. are being used?  I have yet to find a free or
cheap tool that allows me to test these effectively.  I sometimes have
to resort to building a testing client myself just so I can interact
with the web service manually.
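Tom's point about having to build a client by hand, as an added example that is not from the thread or from any tool it names: a digest UsernameToken header built and then checked with only the Python standard library. The usernames, passwords, nonces and timestamps are constructed for the demo; the namespace and Type URIs are the OASIS UsernameToken Profile 1.0 ones.

```python
"""Added example (not code from the thread): build and verify a
WS-Security UsernameToken in PasswordDigest form with the stdlib only.

All credentials, nonces and timestamps below are constructed for the
demo. The namespace and Type URIs are from the OASIS UsernameToken
Profile 1.0."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
NS = {"wsse": WSSE, "wsu": WSU}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce, created, password):
    """Profile 1.0: Base64(SHA-1(nonce || created || password)).
    The nonce goes in as raw bytes, Created and the password as text."""
    h = hashlib.sha1(nonce + created.encode() + password.encode())
    return base64.b64encode(h.digest()).decode()


def build_security_header(username, password, nonce=None, created=None):
    """Client side: the <wsse:Security> header a test client has to emit."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s">'
        '<wsse:UsernameToken>'
        '<wsse:Username>%s</wsse:Username>'
        '<wsse:Password Type="%s">%s</wsse:Password>'
        '<wsse:Nonce EncodingType="%s">%s</wsse:Nonce>'
        '<wsu:Created>%s</wsu:Created>'
        '</wsse:UsernameToken></wsse:Security>'
    ) % (WSSE, WSU, escape(username), DIGEST_TYPE,
         password_digest(nonce, created, password), B64_TYPE,
         base64.b64encode(nonce).decode(), created)


class TokenVerifier:
    """Server side. Remembers accepted nonces and bounds the age of
    Created so a captured header cannot simply be replayed; those are
    the checks most often missing when the header is only 'parsed'."""

    def __init__(self, passwords, max_age=timedelta(minutes=5)):
        self.passwords = passwords      # username -> cleartext password
        self.max_age = max_age
        self.seen_nonces = set()

    def verify(self, header_xml, now=None):
        now = now or datetime.now(timezone.utc)
        try:
            root = ET.fromstring(header_xml)
        except ET.ParseError:
            return False, "malformed header"
        tok = root.find("wsse:UsernameToken", NS)
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext("wsse:Username", default="", namespaces=NS)
        pw_el = tok.find("wsse:Password", NS)
        nonce_el = tok.find("wsse:Nonce", NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        # PasswordText (cleartext) is also legal in the profile; refuse it here.
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
            return False, "digest password required"
        if nonce_el is None or created is None:
            return False, "nonce and created required"
        try:
            created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad created timestamp"
        if abs(now - created_at) > self.max_age:
            return False, "stale token"
        nonce = base64.b64decode(nonce_el.text or "")
        if (user, nonce) in self.seen_nonces:
            return False, "replayed nonce"
        password = self.passwords.get(user)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected.encode(), (pw_el.text or "").encode()):
            return False, "bad digest"
        self.seen_nonces.add((user, nonce))
        return True, "ok"
```

Feeding these headers through Repeater, a tester varies one part at a time: push Created back an hour, resend the same Nonce, switch the Type to PasswordText. The verifier above rejects each of those; a service that accepts any of them is the finding.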

 

 

From: Ory Segal [mailto:SEGALORY at il.ibm.com] 
Sent: Thursday, June 03, 2010 1:39 PM
To: 7Lyrix; websecurity at webappsec.org
Cc: Nilesh Bhosale
Subject: Re: [WEB SECURITY] Need a vulnerable XML Web Service

 

Has anyone noticed how all these "theoretical / tutorial" Web Services
never use any WS-Security? 

a) Real world SOAP web services, in real SOA environments, usually come
with plenty of WS-Security 

b) There are plenty of things that can go wrong when implementing
WS-Security, yet most security experts and most demo web sites tend to
talk about SQL injection over SOAP. I've seen some external entities
here and there, but that's as deep as it goes most times. 

-Ory 

-------------------------------------------------------------
Ory Segal
Security Products Architect 
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359 
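On the external-entity case Ory mentions, an added example that is not from the thread: one SOAP request parsed by Python's standard-library SAX parser with external entities enabled, with the post-3.7.1 default, and with any DOCTYPE rejected outright. The service, the element names, the secret file and the DOCTYPE are all constructed for the demo.

```python
"""Added example (not code from the thread): an external-entity payload
in a SOAP body, run against Python's stdlib xml.sax parser in a weak
configuration, the current default, and a hardened one.

Everything here is constructed for the demo: the GetUser service, the
<id> element, the secret file (standing in for /etc/passwd or a config
file) and the DOCTYPE an attacker prepends to the envelope."""
import os
import tempfile
import xml.sax
from io import BytesIO
from xml.sax import handler

SECRET = b"constructed-secret-value"

# Attacker-controlled request: the DOCTYPE declares an entity backed by a
# local file and the body references it where the service expects an id.
SOAP_TEMPLATE = """<?xml version="1.0"?>
<!DOCTYPE Envelope [
  <!ENTITY xxe SYSTEM "{path}">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetUser>
      <id>&xxe;</id>
    </GetUser>
  </soap:Body>
</soap:Envelope>
"""


class DTDNotAllowed(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE is seen."""


class IdCollector(handler.ContentHandler):
    """Collects the text of <id>, the value a real service would act on."""

    def __init__(self):
        super().__init__()
        self.in_id = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "id":
            self.in_id = True

    def endElement(self, name):
        if name == "id":
            self.in_id = False

    def characters(self, content):
        if self.in_id:
            self.parts.append(content)


class RejectDTD:
    """Lexical handler that refuses any DOCTYPE. With no DTD there is
    nowhere to declare an entity, so XXE and entity-expansion bombs are
    shut out together. The no-op methods are required by the SAX API."""

    def startDTD(self, name, public_id, system_id):
        raise DTDNotAllowed("DOCTYPE %r not allowed in a SOAP request" % name)

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def extract_id(soap_xml, resolve_external_entities, reject_dtd=False):
    """Parse a SOAP request and return the text of <id>.

    resolve_external_entities=True is the weak setting (what the SAX
    parser did by default before Python 3.7.1); reject_dtd=True is the
    hardening a service should apply before trusting the envelope."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    if reject_dtd:
        parser.setProperty(handler.property_lexical_handler, RejectDTD())
    collector = IdCollector()
    parser.setContentHandler(collector)
    parser.parse(BytesIO(soap_xml.encode()))
    return "".join(collector.parts)


def demo():
    """Run the same request through the three configurations."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SECRET)
        request = SOAP_TEMPLATE.format(path=path)
        results = {
            "weak": extract_id(request, resolve_external_entities=True),
            "default": extract_id(request, resolve_external_entities=False),
        }
        try:
            extract_id(request, resolve_external_entities=True, reject_dtd=True)
            results["hardened"] = "accepted"
        except DTDNotAllowed:
            results["hardened"] = "rejected"
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for mode, value in demo().items():
        print("%-9s %r" % (mode, value))
```

The weak run hands the file's contents to the service in the field it meant as a user id; the default run returns an empty id, which is silent and easy to miss in a test; the hardened run fails closed before any entity can be declared. Refusing DTDs at the edge is simpler to audit than trusting each parser's defaults, and it closes entity-expansion bombs in the same move.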
 



From:        7Lyrix <7lyrix at gmail.com> 
To:        Nilesh Bhosale <nilesh at gslab.com> 
Cc:        websecurity at webappsec.org 
Date:        03-06-2010 09:17 PM 
Subject:        Re: [WEB SECURITY] Need a vulnerable XML Web Service 

________________________________




A few.
See:
http://www.yehg.net/lab/pr0js/training/webgoat.php#Web_Services


On Thu, Jun 3, 2010 at 3:17 PM, Nilesh Bhosale <nilesh at gslab.com> wrote:
> Thanks for all the responses.
>
> Does WebGoat have a vulnerable XML Web Service?
>
> Thanks,
> Nilesh
>
> On Thursday 03 June 2010 11:36 AM, 7Lyrix wrote:
>
> Try webgoat:
> http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>
> Ivan Buetler, thank you for http://www.hacking-lab.com. It's great.
>
> On Wed, Jun 2, 2010 at 3:23 PM, Nilesh Bhosale <nilesh at gslab.com> wrote:
>
>
> I need a vulnerable Web Service which I can use to try out and learn
> some of the XML web service attacks.
>
> Thanks,
> Nilesh
>
>
> ------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA

