[WEB SECURITY] WSDL Pentest Tools

Pawel Krawczyk pawel.krawczyk at hush.com
Tue Jan 28 10:02:11 EST 2014


While WSDL tools are extremely useful for routine WS testing you can find very serious issues by drilling a bit deeper into what the web service actually does. Testing with tools might only scrape the SOAP envelope, but not really touch the real business data that is being sent inside.

If the service uses any kind of XML signature or encryption, have a look at these attacks:

http://ipsec.pl/kryptografia/2013/secure-saml-validation-prevent-xml-signature-wrapping-attacks.html

and there’s tool by Juraj Somorovsky called WS-Attacker that helps with testing for them:

http://sourceforge.net/p/ws-attacker/news/2013/06/ws-attacker-13-released/



On 28 Jan 2014, at 14:37, Corey LeBleu <coreylebleu at gmail.com> wrote:

> You could also intercept SoapUI requests with Burp or use the WSDLer extension for Burp...
> 
> http://www.burpextensions.com/extensions/type/serialization/wsdler/
> 
> Or if you want to code your own tool in Python, this presentation should help:
> 
> http://www.gdssecurity.com/l/constricting_the_web_final.pdf
> 
> 
> 
> On Jan 28, 2014 1:01 AM, "Thomas Methlie" <mrtompa at gmail.com> wrote:
> >
> > You should try SoapUI. There's a free and paid version. You get pretty much the same functionality, but the paid version is a bit easier to use and more automation.
> >
> > /thomas
> >
> > 27. jan. 2014 23:53 skrev "Kayhan KAYIHAN" <kayhan at kayhankayihan.com> følgende:
> >
> >> Hello everyone,
> >>
> >> I need to web service pentest tools.
> >> Your recommended tools send to me?
> >>
> >> Regards.
> >>
> >> _______________________________________________
> >> The Web Security Mailing List
> >>
> >> WebSecurity RSS Feed
> >> http://www.webappsec.org/rss/websecurity.rss
> >>
> >> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >>
> >> WASC on Twitter
> >> http://twitter.com/wascupdates
> >>
> >> websecurity at lists.webappsec.org
> >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> >
> >
> > _______________________________________________
> > The Web Security Mailing List
> >
> > WebSecurity RSS Feed
> > http://www.webappsec.org/rss/websecurity.rss
> >
> > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> > WASC on Twitter
> > http://twitter.com/wascupdates
> >
> > websecurity at lists.webappsec.org
> > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> >
> _______________________________________________
> The Web Security Mailing List
> 
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> 
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> WASC on Twitter
> http://twitter.com/wascupdates
> 
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org


-- 
Pawel Krawczyk
pawel.krawczyk at hush.com +44 7462 166716
CISSP, OWASP



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20140128/b9d19b59/attachment-0003.html>


More information about the websecurity mailing list