[WEB SECURITY] Need a vulnerable XML Web Service
Ory Segal
SEGALORY at il.ibm.com
Fri Jun 4 07:15:40 EDT 2010
I'll send you a personal email with the details; this list should stay
"vendor free" as much as possible.
-Ory
-------------------------------------------------------------
Ory Segal
Security Products Architect
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359
e-mail: segalory at il.ibm.com
From: Nilesh Bhosale <nilesh at gslab.com>
To: Ory Segal/Haifa/IBM at IBMIL
Cc: websecurity at webappsec.org
Date: 04-06-2010 01:22 PM
Subject: Re: [WEB SECURITY] Need a vulnerable XML Web Service
Hi All,
Thanks for the information.
Does Rational AppScan have the capability to do an automated XML-based (SOAP)
web service security scan?
What types of vulnerabilities can it find?
Thanks,
Nilesh
On Friday 04 June 2010 03:41 PM, Ory Segal wrote:
AFAIK, you have two options; one is a product that my company sells.
[ALERT!!! - propaganda; if you don't want to read it, skip to part (B)]
(A) Luckily for me, [sorry about the shameless propaganda] I am using IBM
Rational AppScan, which comes with a SOAP tool called GSC (Generic SOAP
Client). GSC supports WS-Security 1.1, SOAP attachments, WS-Addressing,
certificates, etc.
In addition, AppScan itself is capable of testing SOAP messages.
http://www-01.ibm.com/software/awdtools/appscan/
(B) As far as I know, the only other tool that is capable of using
WS-Security and other WS-* specs is SOAPUI ( http://www.soapui.org/ ), but it
doesn't have the same security testing capabilities as AppScan.
-Ory
From: "Tom Stripling" <tstripling at appsecconsulting.com>
To: Ory Segal/Haifa/IBM at IBMIL, "'7Lyrix'" <7lyrix at gmail.com>,
<websecurity at webappsec.org>
Cc: "'Nilesh Bhosale'" <nilesh at gslab.com>
Date: 04-06-2010 01:02 AM
Subject: RE: [WEB SECURITY] Need a vulnerable XML Web Service
Along that vein, most penetration testing tools I've used are awful at
constructing WS-Security headers for manual testing. Excluding
high-dollar automated scanners (I'm not trying to start a vendor war
here), what tools do you all use for testing web services when
WS-Security, SAML, etc. are being used? I have yet to find a free or
cheap tool that allows me to test these effectively. I sometimes have to
resort to building a testing client myself just so I can interact with the
web service manually.
From: Ory Segal [mailto:SEGALORY at il.ibm.com]
Sent: Thursday, June 03, 2010 1:39 PM
To: 7Lyrix; websecurity at webappsec.org
Cc: Nilesh Bhosale
Subject: Re: [WEB SECURITY] Need a vulnerable XML Web Service
Has anyone noticed how all these "theoretical / tutorial" Web Services
never use any WS-Security?
a) Real world SOAP web services, in real SOA environments, usually come
with plenty of WS-Security.
b) There are plenty of things that can go wrong when implementing
WS-Security, yet most security experts and most demo web sites tend to
talk about SQL-Injection over SOAP. I've seen some External Entities here
and there, but that's as deep as it goes most times.
-Ory
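Tom's hand-built testing client and Ory's point about WS-Security implementation mistakes both come down to the simplest WS-Security mechanism, the UsernameToken with PasswordDigest. The following is an added example, not code from the thread or from any product named in it: it builds the header on the client side and checks it on the server side, using a constructed username, password and nonce; the freshness window and the refusal of clear-text passwords are checks I assume a careful implementation would make, since the thread does not spell them out.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Namespace and type URIs from the OASIS WS-Security 1.0 UsernameToken Profile.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the raw bytes, not its base64 form."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode("ascii")


def username_token(username, password, nonce=None, created=None):
    """Client side: build a <wsse:Security> header carrying a digest-mode UsernameToken."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>"
    )


def verify_token(header_xml, lookup_password, max_skew_s=300, now=None):
    """Server side: recompute the digest from the received nonce/Created and the stored password."""
    tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
    pw = tok.find(f"{{{WSSE}}}Password")
    if pw is None or pw.get("Type") != DIGEST:
        return False  # refuse clear-text (PasswordText) or missing passwords
    nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or "")
    created = tok.findtext(f"{{{WSU}}}Created") or ""
    # Reject stale Created timestamps; a nonce cache (not shown) would close the replay window fully.
    now = now or datetime.now(timezone.utc)
    issued = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs((now - issued).total_seconds()) > max_skew_s:
        return False
    stored = lookup_password(tok.findtext(f"{{{WSSE}}}Username"))
    if stored is None:
        return False
    return hmac.compare_digest(password_digest(nonce, created, stored), pw.text or "")
```

`lookup_password` stands in for whatever credential store the service uses; it returns the plain password for a username or None for an unknown user.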
From: 7Lyrix <7lyrix at gmail.com>
To: Nilesh Bhosale <nilesh at gslab.com>
Cc: websecurity at webappsec.org
Date: 03-06-2010 09:17 PM
Subject: Re: [WEB SECURITY] Need a vulnerable XML Web Service
A few.
See:
http://www.yehg.net/lab/pr0js/training/webgoat.php#Web_Services
On Thu, Jun 3, 2010 at 3:17 PM, Nilesh Bhosale <nilesh at gslab.com> wrote:
> Thanks for all the responses.
>
> Does Webgoat have a vulnerable XML Webservice?
>
> Thanks,
> Nilesh
>
> On Thursday 03 June 2010 11:36 AM, 7Lyrix wrote:
>
> Try webgoat:
> http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>
> Ivan Buetler, thank you for http://www.hacking-lab.com. It's very great.
>
> On Wed, Jun 2, 2010 at 3:23 PM, Nilesh Bhosale <nilesh at gslab.com> wrote:
>
> I need a vulnerable Web Service which I can use to try out and learn some of
> the XML web service attacks.
>
> Thanks,
> Nilesh