[WEB SECURITY] Web Service Security

Seth Art sethsec at gmail.com
Wed Nov 20 14:44:18 EST 2013


Info Sec,

That is a hard question to answer.  There are different types of Web
Services, each type has multiple implementations, and each implementation
allows for different configuration options.

The security testing is different depending on the type, the implementation,
and the configuration of each web service.

For a high level overview of Web Service Security, I have found the
following document helpful:
http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf

Some tools that you can use to test web services are:

Any web proxy (Burp Suite, Fiddler, ZAP, etc.) - For all web services
SoapUI - for SOAP based web services where you have access to the WSDL
Oyedata - For RESTful web services that use OData

Good luck.  Hopefully someone else on the list can provide more
information.

-Seth



On Tue, Nov 19, 2013 at 6:51 AM, Info Sec <infosecm at gmail.com> wrote:

> Hi!,
>
> I'm looking for resources to help me identify web service security issues,
> and how to fix them.
>
> I just found the OWASP Web Service Security Cheat Sheet talking about this
> matter.
> I know that web service security issues are very similar to web
> applications, but there is always something you are unaware of.
>
>
> OWASP Web Service Security Cheat Sheet:
> https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet
>
>
> Regards,