[WEB SECURITY] Need a vulnerable XML Web Service

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Fri Jun 4 14:31:59 EDT 2010


AppScan does a great job, I'm sure. Recently, though, I've had success
using SoapUI (free version) for testing complex, WS-Security-protected
endpoints. It's got Groovy scripting capability that I've used to turn a
few man days of scripting into good, automated, repeatable
authentication/authorization tests for a whole suite of Web Services.
Assertions are a big part of their framework and they make the tests
easy to write. Naturally, injection testing is a little different.

 

Sure, you could hook it up to a fuzz database pretty easily to launch
injection attacks along the same line. Unfortunately, verifying the
results of those tests is something at which AppScan will (probably) be
much better. Can't say Web Service injection testing has ever been very
fruitful for me, though. Karaoke-quality assessors will look for simple
input reflected in output, but that is meaningless 99% of the time,
since the response data is usually serialized reliably and not hand
built, and couldn't be exploited even if it was. SQL injection is pretty
much the only hope you have for meaningful results at the time of the
test.

 

Assessments are usually scoped in such a way that the app that consumes
your Web Service input is not being tested at the same time as the Web
Service itself. So, your opportunity to observe evidence of a successful
attack is slim. Said attacks are probably way downstream but probably
have a better than average chance at success, if I had to guess.

 

Arshan
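
The point above about reflected input, as an added illustration that is not part of the original message: a constructed Python sketch that compares a response built by an XML serializer with a hand-built one and reports whether the reflected value came back as inert text or changed the document's structure. The service functions, element names and probe value are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MARKER_TAG = "wsprobe"                      # constructed marker element name
PROBE = f"<{MARKER_TAG}>x</{MARKER_TAG}>"   # constructed test value

def serialized_response(name):
    """Hypothetical service that builds its response with an XML serializer."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    resp = ET.SubElement(body, "GreetResponse")
    ET.SubElement(resp, "message").text = "Hello " + name
    return ET.tostring(env, encoding="unicode")

def hand_built_response(name):
    """Hypothetical service that concatenates the value into the XML by hand."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f"<GreetResponse><message>Hello {name}</message></GreetResponse>"
            "</soap:Body></soap:Envelope>")

def classify_reflection(response_xml, probe=PROBE):
    """Say how the probe came back: as inert text, as markup, or not at all."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return "malformed"            # raw value broke the document
    if any(el.tag == MARKER_TAG for el in root.iter()):
        return "altered-structure"    # value was parsed as an element
    if any(probe in (el.text or "") for el in root.iter()):
        return "text-only"            # value was escaped; structure intact
    return "absent"

if __name__ == "__main__":
    for build in (serialized_response, hand_built_response):
        print(build.__name__, "->", classify_reflection(build(PROBE)))
```

Only the hand-built response turns the reflected value into markup; the serialized one returns it as escaped text, which is why a plain substring match on the response says little.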

 

From: Ory Segal [mailto:SEGALORY at il.ibm.com] 
Sent: Friday, June 04, 2010 6:11 AM
To: Tom Stripling
Cc: '7Lyrix'; 'Nilesh Bhosale'; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Need a vulnerable XML Web Service

 

AFAIK, You have two options, one is a product that my company sells -
[ALERT!!! - propaganda, if you don't want to read, skip to part (B)] 

(A) Luckily for me, [sorry about the shameless propaganda] I am using
IBM Rational AppScan, which comes with a SOAP tool called GSC (Generic
SOAP Client). GSC supports WS-Security 1.1, SOAP attachments,
WS-Addressing, certificates, etc. 

In addition, AppScan itself is capable of testing SOAP messages.
http://www-01.ibm.com/software/awdtools/appscan/


(B) As far as I know, the only other tool that is capable of using
WS-Security and other WS-* is SOAPUI ( http://www.soapui.org/ ), but it
doesn't have the same security testing capabilities as AppScan

-Ory 

-------------------------------------------------------------
Ory Segal
Security Products Architect 
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359
e-mail: segalory at il.ibm.com
 



From:        "Tom Stripling" <tstripling at appsecconsulting.com> 
To:        Ory Segal/Haifa/IBM at IBMIL, "'7Lyrix'" <7lyrix at gmail.com>,
<websecurity at webappsec.org> 
Cc:        "'Nilesh Bhosale'" <nilesh at gslab.com> 
Date:        04-06-2010 01:02 AM 
Subject:        RE: [WEB SECURITY] Need a vulnerable XML Web Service 

________________________________




Along that vein, most penetration testing tools I've used are awful at
constructing WS-Security headers for manual testing.  Excluding
high-dollar automated scanners (I'm not trying to start a vendor war
here), what tools do you all use for testing web services when
WS-Security, SAML, etc. are being used?  I have yet to find a free or
cheap tool that allows me to test these effectively.  I sometimes have
to resort to building a testing client myself just so I can interact
with the web service manually. 
  
  
From: Ory Segal [mailto:SEGALORY at il.ibm.com]
Sent: Thursday, June 03, 2010 1:39 PM
To: 7Lyrix; websecurity at webappsec.org
Cc: Nilesh Bhosale
Subject: Re: [WEB SECURITY] Need a vulnerable XML Web Service 
  
Has anyone noticed how all these "theoretical / tutorial" Web Services,
never use any WS-Security? 

a) Real world SOAP web services, in real SOA environments, usually come
with plenty of WS-Security 

b) There are plenty of things that can go wrong when implementing
WS-Security, yet most security experts and most demo web sites, tend to
talk about SQL-Injection over SOAP. I've seen some External entities
here and there, but that's as deep as it goes most times. 

-Ory 

-------------------------------------------------------------
Ory Segal
Security Products Architect 
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359 




From:        7Lyrix <7lyrix at gmail.com> 
To:        Nilesh Bhosale <nilesh at gslab.com> 
Cc:        websecurity at webappsec.org 
Date:        03-06-2010 09:17 PM 
Subject:        Re: [WEB SECURITY] Need a vulnerable XML Web Service 

 

________________________________





A few.
See:
http://www.yehg.net/lab/pr0js/training/webgoat.php#Web_Services


On Thu, Jun 3, 2010 at 3:17 PM, Nilesh Bhosale <nilesh at gslab.com> wrote:
> Thanks for all the responses.
>
> Does WebGoat have a vulnerable XML Webservice?
>
> Thanks,
> Nilesh
>
> On Thursday 03 June 2010 11:36 AM, 7Lyrix wrote:
>
> Try webgoat:
> http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>
> Ivan Buetler, thank you for http://www.hacking-lab.com. It's very great.
>
> On Wed, Jun 2, 2010 at 3:23 PM, Nilesh Bhosale <nilesh at gslab.com> wrote:
>
>
> I need a vulnerable Web Service which I can use to try out and learn some of
> the XML web service attacks.
>
> Thanks,
> Nilesh
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

To unsubscribe email websecurity-unsubscribe at webappsec.org and reply to
the confirmation email

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
