websecurity@lists.webappsec.org

The Web Security Mailing List

WSDL Pentest Tools

Kayhan KAYIHAN
Mon, Jan 27, 2014 10:13 PM

Hello everyone,

I need web service pentest tools.
Could you send me your recommended tools?

Regards.

Thomas Methlie
Tue, Jan 28, 2014 6:59 AM

You should try SoapUI. There's a free and paid version. You get pretty much
the same functionality, but the paid version is a bit easier to use and
has more automation.

/thomas
On 27 Jan 2014 23:53, "Kayhan KAYIHAN" <kayhan@kayhankayihan.com> wrote:

Hello everyone,

I need web service pentest tools.
Could you send me your recommended tools?

Regards.


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Corey LeBleu
Tue, Jan 28, 2014 2:37 PM

You could also intercept SoapUI requests with Burp or use the WSDLer
extension for Burp...

http://www.burpextensions.com/extensions/type/serialization/wsdler/

Or if you want to code your own tool in Python, this presentation should
help:

http://www.gdssecurity.com/l/constricting_the_web_final.pdf

On Jan 28, 2014 1:01 AM, "Thomas Methlie" <mrtompa@gmail.com> wrote:

You should try SoapUI. There's a free and paid version. You get pretty
much the same functionality, but the paid version is a bit easier to use
and has more automation.

/thomas

On 27 Jan 2014 23:53, "Kayhan KAYIHAN" <kayhan@kayhankayihan.com> wrote:

Hello everyone,

I need web service pentest tools.
Could you send me your recommended tools?

Regards.


Pawel Krawczyk
Tue, Jan 28, 2014 3:02 PM

While WSDL tools are extremely useful for routine WS testing, you can find very serious issues by drilling a bit deeper into what the web service actually does. Testing with tools might only scrape the SOAP envelope, but not really touch the real business data that is being sent inside.

If the service uses any kind of XML signature or encryption, have a look at these attacks:

http://ipsec.pl/kryptografia/2013/secure-saml-validation-prevent-xml-signature-wrapping-attacks.html

and there’s a tool by Juraj Somorovsky called WS-Attacker that helps with testing for them:

http://sourceforge.net/p/ws-attacker/news/2013/06/ws-attacker-13-released/

On 28 Jan 2014, at 14:37, Corey LeBleu <coreylebleu@gmail.com> wrote:

You could also intercept SoapUI requests with Burp or use the WSDLer extension for Burp...

http://www.burpextensions.com/extensions/type/serialization/wsdler/

Or if you want to code your own tool in Python, this presentation should help:

http://www.gdssecurity.com/l/constricting_the_web_final.pdf

On Jan 28, 2014 1:01 AM, "Thomas Methlie" <mrtompa@gmail.com> wrote:

You should try SoapUI. There's a free and paid version. You get pretty much the same functionality, but the paid version is a bit easier to use and has more automation.

/thomas

On 27 Jan 2014 23:53, "Kayhan KAYIHAN" <kayhan@kayhankayihan.com> wrote:

Hello everyone,

I need web service pentest tools.
Could you send me your recommended tools?

Regards.


--
Pawel Krawczyk
pawel.krawczyk@hush.com +44 7462 166716
CISSP, OWASP
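The XML signature wrapping (XSW) attacks Pawel links to work because a verifier resolves the signature's Reference to one element while the application processes another. The check below is an added example, not code from the thread or from WS-Attacker: it applies the structural rule from the linked article (the element the service consumes must be the exact element the `ds:Reference` points at, and that Id must occur exactly once) to two constructed SOAP envelopes, a clean one and one where the signed `soap:Body` has been moved under a Header wrapper. The sample envelopes, Ids and `ACC-*` account values are constructed; cryptographic verification of the signature itself is a separate step this example does not perform.

```python
"""Structural check against XML Signature Wrapping (XSW) on a SOAP envelope.

Added example (not from the thread). The rule from the linked article: the
element the application actually processes must be the very element the
ds:Signature references, and the referenced Id must occur exactly once.
Cryptographic verification of the signature itself is a separate step.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-utility-1.0.xsd"),
}
# Attributes that commonly carry the referenced identifier: plain Id and wsu:Id.
ID_ATTRS = ("Id", "{%s}Id" % NS["wsu"])


def _element_id(el):
    """Return the element's Id / wsu:Id value, or None."""
    for attr in ID_ATTRS:
        if attr in el.attrib:
            return el.attrib[attr]
    return None


def signed_body_is_consumed_body(envelope_xml):
    """Return (ok, reason).

    ok is True only when the single ds:Reference points at the soap:Body
    element the application will process and that Id is unique in the
    document. Untrusted XML should go through a hardened parser (e.g.
    defusedxml); the stdlib parser is used here so the example runs offline.
    """
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)  # direct child: what the service consumes
    if body is None:
        return False, "no soap:Body"
    refs = root.findall(".//ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False, "expected exactly one ds:Reference, found %d" % len(refs)
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        return False, "unsupported Reference URI %r" % uri
    ref_id = uri[1:]
    # Resolve the Id over the whole document ourselves instead of trusting
    # whichever element an Id lookup table happens to return first.
    matches = [el for el in root.iter() if _element_id(el) == ref_id]
    if len(matches) != 1:
        return False, "Id %r occurs %d times; must be unique" % (ref_id, len(matches))
    if matches[0] is not body:
        return False, "signed element is not the soap:Body that will be processed"
    return True, "ok"


# Constructed sample envelopes (placeholder digest/signature values).
_ENV_OPEN = (
    '<soap:Envelope xmlns:soap="%(soap)s" xmlns:ds="%(ds)s" xmlns:wsu="%(wsu)s">'
    % NS
)
_SIGNATURE = (
    "<ds:Signature><ds:SignedInfo>"
    '<ds:Reference URI="#body-1"><ds:DigestValue>ZmFrZQ==</ds:DigestValue></ds:Reference>'
    "</ds:SignedInfo><ds:SignatureValue>ZmFrZQ==</ds:SignatureValue></ds:Signature>"
)
_SIGNED_BODY = (
    '<soap:Body wsu:Id="body-1"><getBalance><account>ACC-100</account></getBalance></soap:Body>'
)

# Well-formed message: the signed Body is the Body the service will process.
CLEAN_ENVELOPE = (
    _ENV_OPEN + "<soap:Header>" + _SIGNATURE + "</soap:Header>"
    + _SIGNED_BODY + "</soap:Envelope>"
)

# Wrapped message: the signed Body was moved under a Header wrapper, so the
# Reference still resolves, while an unsigned Body carries different content.
WRAPPED_ENVELOPE = (
    _ENV_OPEN + "<soap:Header><Wrapper>" + _SIGNED_BODY + "</Wrapper>"
    + _SIGNATURE + "</soap:Header>"
    + "<soap:Body><getBalance><account>ACC-999</account></getBalance></soap:Body>"
    + "</soap:Envelope>"
)

if __name__ == "__main__":
    for name, env in (("clean", CLEAN_ENVELOPE), ("wrapped", WRAPPED_ENVELOPE)):
        print(name, signed_body_is_consumed_body(env))
```

The check deliberately resolves the referenced Id by walking the whole tree and comparing element identity with the Body the service will dispatch on; a verifier that only confirms "the referenced element's digest is correct" passes the wrapped envelope, because that element is still present and unmodified, just no longer where the application reads from.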
