websecurity@lists.webappsec.org

The Web Security Mailing List


FW: Web Service pentesting

Palko Marek
Fri, Nov 11, 2011 10:41 AM

Firstly, I apologize if this post isn't in the right place.

We are looking for a tool which we can use for vulnerability testing of a web service.

The best tool which I've found is WSFuzzer (OWASP).

Other:

  • wsScanner (Blueinfy) - supports dotNET only (ASMX scheme)
  • wsChess - same as wsScanner
  • wsDigger (Foundstone) - looks fine, but supports only a few checks and has not been under development since 2005

Have you any suggestions of other tools for this purpose?
Also, some guides/docs for doing a pentest on web services will be helpful.

MaXe
Fri, Nov 11, 2011 5:37 PM

Hi Palko,

I stumbled over this the other day:
http://www.securityaegis.com/web-application-testing-resources/

There are also a lot of tools mentioned on this page, including the most generally used. There's currently no better resource, in my humble opinion, that I can recommend at the moment.

Best regards,
MaXe
----- Original message -----

Firstly, I apologize if this post isn't in the right place.

We are looking for a tool which we can use for vulnerability testing of a web
service.

The best tool which I've found is WSFuzzer (OWASP).

Other:

- wsScanner (Blueinfy) - supports dotNET only (ASMX scheme)
- wsChess - same as wsScanner
- wsDigger (Foundstone) - looks fine, but supports only a few checks
  and has not been under development since 2005

Have you any suggestions of other tools for this purpose?
Also, some guides/docs for doing a pentest on web services will be helpful.

psiinon
Fri, Nov 11, 2011 6:27 PM

Hi Palko,

For web services you should look at SOAP UI:
http://www.soapui.org/Security/getting-started.html

Psiinon

On Fri, Nov 11, 2011 at 10:41 AM, Palko Marek <marek.palko@lynx.sk> wrote:

Firstly, I apologize if this post isn’t in the right place.

We are looking for a tool which we can use for vulnerability testing of a web
service.

The best tool which I’ve found is WSFuzzer (OWASP).

Other:

  • wsScanner (Blueinfy) - supports dotNET only (ASMX scheme)
  • wsChess - same as wsScanner
  • wsDigger (Foundstone) - looks fine, but supports only a few checks and has not been under development since 2005

Have you any suggestions of other tools for this purpose?

Also, some guides/docs for doing a pentest on web services will be helpful.


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Pavol Luptak
Fri, Nov 11, 2011 11:46 PM

On Fri, Nov 11, 2011 at 05:37:55PM +0000, MaXe wrote:

I stumbled over this the other day:
http://www.securityaegis.com/web-application-testing-resources/

There are also a lot of tools mentioned on this page, including the most generally used. There's currently no better resource, in my humble opinion, that I can recommend at the moment.

See https://www.owasp.org/index.php/Phoenix/Tools

We use SOAP UI and Burp. I am not sure if there is something better.

Pavol


[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]

Menerick, John
Mon, Nov 28, 2011 4:23 PM

For Burp's pricing model, it is a great investment. Otherwise, the greatest tool is your creativity in breaking underlying assumptions.

Cheers,

John Menerick

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Pavol Luptak
Sent: Friday, November 11, 2011 3:47 PM
To: websecurity@lists.webappsec.org
Cc: marek.palko@lynx.sk
Subject: Re: [WEB SECURITY] FW: Web Service pentesting

On Fri, Nov 11, 2011 at 05:37:55PM +0000, MaXe wrote:

I stumbled over this the other day:
http://www.securityaegis.com/web-application-testing-resources/

There are also a lot of tools mentioned on this page, including the most generally used. There's currently no better resource, in my humble opinion, that I can recommend at the moment.

See https://www.owasp.org/index.php/Phoenix/Tools

We use SOAP UI and Burp. I am not sure if there is something better.

Pavol


[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]

NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for the sole use of the intended recipient for the stated purpose.  Any improper use or distribution is prohibited.  If you are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or destroy all transmitted information.  Please note that all communications and information transmitted through this email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third party spam and filtering service.

Neaves, Tom
Tue, Nov 29, 2011 3:21 PM

Yup I'd tend to agree, SoapUI and Burp work well together for web
services. However, SoapUI does have some limitations with regards to
supporting WS-Security, namely WS-SecureConversation, as I painfully
found out last year. I managed to hunt down an alternative, WCFStorm,
which solved the problem though.

Cheers,
Tom

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Menerick,
John
Sent: 28 November 2011 16:24
To: Pavol Luptak; websecurity@lists.webappsec.org
Cc: marek.palko@lynx.sk
Subject: Re: [WEB SECURITY] FW: Web Service pentesting

For Burp's pricing model, it is a great investment. Otherwise, the
greatest tool is your creativity in breaking underlying assumptions.

Cheers,

John Menerick

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Pavol
Luptak
Sent: Friday, November 11, 2011 3:47 PM
To: websecurity@lists.webappsec.org
Cc: marek.palko@lynx.sk
Subject: Re: [WEB SECURITY] FW: Web Service pentesting

On Fri, Nov 11, 2011 at 05:37:55PM +0000, MaXe wrote:

I stumbled over this the other day:
http://www.securityaegis.com/web-application-testing-resources/

There are also a lot of tools mentioned on this page, including the
most generally used. There's currently no better resource, in my humble
opinion, that I can recommend at the moment.

See https://www.owasp.org/index.php/Phoenix/Tools

We use SOAP UI and Burp. I am not sure if there is something better.

Pavol



[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]


Verizon UK Limited - registered in England & Wales - registered number 2776038 - registered office at Reading International Business Park, Basingstoke Road, Reading, Berkshire, UK RG2 6DA - VAT number 823 8170 33
