Title: Web Services PT - WSDigger authentication
Post by: JollyJokker on September 27, 2011, 04:25:39 AM
and here I am, pentesting a web application with its web services exposed. The .asmx service is available and the wsdl is gladly provided.
However, the wsdl and all are available from within an authenticated session. The problem is, how to load the wsdl file (and create an authenticated session with username & password) on a Web Services sec tool such as WS-Digger.
The same problem is applicable for soapUI. The tool cannot access the WSDL document as application authentication is required. I did download the WSDL document and uploaded it to soapUI but when a test case is to be run, it fails miserably (even though I do provide the username and password in the Request parameters)
So, my question would be on how you assess Web Services that are protected behind an authenticated session and how it would be possible to provide WSDigger (or soapUI) with the necessary credentials in order to be able and fetch the supported methods.
Title: Re: Web Services PT - WSDigger authentication
Post by: tturner on September 27, 2011, 10:18:45 AM
Why not configure soapUI to use Burp and handle authentication within Burp? Have not tried this personally but based on my understanding it *should* work. Let us know how this goes. I'm interested in web services but have not formally performed any WS tests.
*EDIT* maybe check out what looks to be an excellent post at http://resources.infosecinstitute.com/soap-attack-1/