Hello everyone,
I need web service pentest tools.
Could you send me your recommended tools?
Regards.
You should try SoapUI. There's a free and a paid version. You get pretty much the same functionality, but the paid version is a bit easier to use and has more automation.
/thomas
On 27 Jan 2014 23:53, "Kayhan KAYIHAN" kayhan@kayhankayihan.com wrote:
Hello everyone,
I need web service pentest tools.
Could you send me your recommended tools?
Regards.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
You could also intercept SoapUI requests with Burp or use the WSDLer
extension for Burp...
http://www.burpextensions.com/extensions/type/serialization/wsdler/
Or if you want to code your own tool in Python, this presentation should
help:
http://www.gdssecurity.com/l/constricting_the_web_final.pdf
On Jan 28, 2014 1:01 AM, "Thomas Methlie" mrtompa@gmail.com wrote:
You should try SoapUI. There's a free and a paid version. You get pretty much the same functionality, but the paid version is a bit easier to use and has more automation.
While WSDL tools are extremely useful for routine WS testing, you can find very serious issues by drilling a bit deeper into what the web service actually does. Testing with tools might only scrape the SOAP envelope, but not really touch the real business data that is being sent inside.
If the service uses any kind of XML signature or encryption, have a look at these attacks:
http://ipsec.pl/kryptografia/2013/secure-saml-validation-prevent-xml-signature-wrapping-attacks.html
and there's a tool by Juraj Somorovsky called WS-Attacker that helps with testing for them:
http://sourceforge.net/p/ws-attacker/news/2013/06/ws-attacker-13-released/
On 28 Jan 2014, at 14:37, Corey LeBleu coreylebleu@gmail.com wrote:
You could also intercept SoapUI requests with Burp or use the WSDLer extension for Burp...
http://www.burpextensions.com/extensions/type/serialization/wsdler/
Or if you want to code your own tool in Python, this presentation should help:
http://www.gdssecurity.com/l/constricting_the_web_final.pdf
On Jan 28, 2014 1:01 AM, "Thomas Methlie" mrtompa@gmail.com wrote:
You should try SoapUI. There's a free and a paid version. You get pretty much the same functionality, but the paid version is a bit easier to use and has more automation.
/thomas
--
Pawel Krawczyk
pawel.krawczyk@hush.com +44 7462 166716
CISSP, OWASP
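Pawel's point about XML signature wrapping, as an added example that is not from the thread or from any of the linked tools: a minimal structural check (Python, standard library only) that the SAML Assertion an application consumes is the one element the ds:Reference URI actually names, shown beside the position-based lookup that wrapping abuses. It assumes the cryptographic verification of the ds:Signature has already passed, and the two envelopes are constructed stand-ins for real messages.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the constructed sample envelopes below.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = "{%s}Assertion" % NS["saml"]
REFERENCE = "{%s}Reference" % NS["ds"]


def naive_first_assertion(xml_text):
    """Position-based lookup: returns the first Assertion in document
    order, which is not necessarily the element the signature covers."""
    return ET.fromstring(xml_text).find(".//" + ASSERTION)


def signed_assertion(xml_text):
    """Return the Assertion named by the single ds:Reference URI, or None.

    Assumes the cryptographic check of ds:Signature already succeeded.
    Conservative rule: exactly one Reference, exactly one Assertion, the
    Assertion carries the referenced ID, and that ID is unique in the tree."""
    root = ET.fromstring(xml_text)
    refs = root.findall(".//" + REFERENCE)
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        return None
    wanted = refs[0].get("URI")[1:]
    assertions = root.findall(".//" + ASSERTION)
    if len(assertions) != 1 or assertions[0].get("ID") != wanted:
        return None
    # The referenced ID must not occur on any other element, signed or not.
    if sum(1 for e in root.iter() if e.get("ID") == wanted) != 1:
        return None
    return assertions[0]


# Constructed sample: one Assertion, signed by reference to its ID.
GOOD = """<soap:Envelope xmlns:soap="{soap}" xmlns:saml="{saml}" xmlns:ds="{ds}">
 <soap:Body>
  <saml:Assertion ID="a1"><saml:Subject>alice</saml:Subject>
   <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
 </soap:Body>
</soap:Envelope>""".format(**NS)

# Constructed sample: a second, unsigned Assertion placed before the signed
# one, so a position-based lookup returns the wrong element.
WRAPPED = GOOD.replace(
    "<soap:Body>",
    '<soap:Body><saml:Assertion ID="a2"><saml:Subject>bob</saml:Subject></saml:Assertion>')
```

The strict check rejects the second envelope outright, while the naive lookup hands the application the unsigned Assertion.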