EH-Net

Ethical Hacking Discussions and Related Certifications => Web Applications => Topic started by: T_Bone on May 12, 2010, 12:58:00 PM



Title: How to Penetration Test WebServices (WSDL)
Post by: T_Bone on May 12, 2010, 12:58:00 PM
Does anyone know of a good article, paper, or website that discusses how to attack the 2.0 web service?  It is totally blind, without a front end, just a direct link to a .asmx?WSDL link.

Cheers


Title: Re: How to Penetration Test WebServices (WSDL)
Post by: Jhaddix on May 12, 2010, 01:04:26 PM
Feed the WSDL to Foundstone's WSDigger, then go to the top menu and choose to run tests; this will check for commonly known injection attacks.

Sec542 has a whole section on webservice hacking =)


Title: Re: How to Penetration Test WebServices (WSDL)
Post by: Manu Zacharia (-M-) on May 12, 2010, 01:06:46 PM
This might help you:

http://www.owasp.org/index.php/Testing_WSDL_%28OWASP-WS-002%29
https://www.isecpartners.com/wsbang.html
http://www.experts-exchange.com/articles/Web_Development/WebApplications/Testing-web-applications-and-web-services.html
http://www.darknet.org.uk/2007/11/wsbang-python-based-soap-services-testing-tool/



Title: Re: How to Penetration Test WebServices (WSDL)
Post by: T_Bone on May 12, 2010, 01:07:36 PM
Yeah, I noticed that SANS542 does have coverage on it, but unfortunately I cannot afford the course and don't think my company will pay for it, as I have only been working as an entry-level pen tester for 4 weeks!


Title: Re: How to Penetration Test WebServices (WSDL)
Post by: Jhaddix on May 12, 2010, 05:37:25 PM
Also CG did an excellent writeup of XPATH injection right here on EH.net =) Gives some tool mentioned above:

http://www.ethicalhacker.net/content/view/185/24/


Title: Re: How to Penetration Test WebServices (WSDL)
Post by: T_Bone on May 13, 2010, 02:08:20 AM
Thanks Jhaddix, much appreciated :)


Title: Re: How to Penetration Test WebServices (WSDL)
Post by: cgseymour on May 14, 2010, 06:48:07 AM
Along the same lines, are there any good books or articles about pen testing a site where the WSDL is not published?  It is a Silverlight, ASP.NET site.

Thanks.

chris



Title: Re: How to Penetration Test WebServices (WSDL)
Post by: Ketchup on May 14, 2010, 11:04:22 AM
Your Silverlight application likely still accepts and processes user input. That's where most of the vulnerabilities come from. Using intercepting proxies, like WebScarab, Tamper Data, Burp, and others should still do the trick. You just need to look at the app one request at a time and see what you can do with it.


Title: Re: How to Penetration Test WebServices (WSDL)
Post by: H1t M0nk3y on July 08, 2010, 07:29:17 AM
I also found that soapUI - http://www.eviware.com/soapUI/soapui-products-overview.html is interesting when playing with web services.


Title: Re: How to Penetration Test WebServices (WSDL)
Post by: T_Bone on September 09, 2010, 03:25:31 AM
I have just purchased a book called "Hacking web services" by Shreeraj Shah.  It is pretty old as it was published in 2006 but figured that it should give me a good foundation on how to hack (provided the book is what it says on the front)... I'll leave an update on it once I have read it and provide any tips for those who may want to know.... If anyone else has any suggestions on books please let us know  :)


Title: Re: How to Penetration Test WebServices (WSDL)
Post by: H1t M0nk3y on September 09, 2010, 11:06:27 AM
I would be interested in reading your review, I am currently pentesting WS!

Hope I won't miss too many things...  ;)