Hi everyone,

I have been searching for tools to help test SOAP Web Services for vulnerabilities. I found on this very good site http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html that only commercial products perform VAs for Web Services.

The OWASP Testing Guide v3 (https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf) is good but is missing many things. I heard that the next version will cover Web Services in more details.

So in my search for free and open source tools, I found these:

1) WSDigger hasn't been updated since 2005 (http://www.mcafee.com/uk/downloads/free-tools/wsdigger.aspx)

2) WSFuzzer is good for what it does, but it doesn't cover everything...

3) Most people say they use SoapUI (very nice tool) linked with the Burp Suite (also very nice). Both tools support client certificate authentication. I can see great value in using these two tools after an automated vulnerability scan, but do you start your VA with them?

Also, there have been new little tools here and there, metasploit modules and other stuff, but not much in terms of automated vulnerability scans for XSS, CSRF, SQLi, XPATH injection and all the other WS-related vulnerabilities...

So do you guys know about better tools or methodologies?

Thanks in advance!

Thanks ajohnson,

I just spent 5 minutes going through suds documention and it is indeed a good library to write python code to interact with WS.

But as you said, it is not quite what I am looking for. So being a developer, I am starting to think about writting my own tool...

Thanks ambient,

That's what I've heard from most people. I am very tempted in writting a tool to test WS... Because if you're like me, most of the tests I throw at WS could be automated.

My brain is going at a 100 MPH !!! 

Thanks hayabusa, I appreciate it!

So let's try to scope what a good and complete SOAP Web Service vulnerability scanner would have (please add to this list!!):

- WSDL discovery to generate requests (like SoapUI does)
- Support for SOAP 1.1 and 1.2
- Fuzzing attributes, values and header
- Replay requests
- Search for
    - SQL Injection
    - XSS
    - CSRF
    - XPath/XQuery
    - Malformed XML
- Testing the schema: maximum and minimum length, types, etc
- Support for basic authentication, client certificates (SSL/TLS)
- A GUI for color highlighting and stuff like that
- Multi-platform (I am a Java developer...)
- Being able to save your project
- Obfuscation and/or quiet mode?
- Throttle of some sort

What else? I would stay away from exploitation for now...

Thanks

Why not write an extension for Zed Attack Proxy? http://code.google.com/p/zap-extensions/ Psiinon is very active/responsive and and I'm sure would really appreciate the contribution.

I've been using SoapUI and proxying it through Burp to leverage all that functionality. There are also fuzzing capabilities from within SoapUI but I've had better luck with Burp.

I've also found that a lot of the commercial tools are lacking for web services. Accunetix for example does support WS but not .NET WS ?! We have a "feature request" in but doesn't sound promising. Netsparker doesn't support it at all...

WS-Security...  not 'yet'

No kidding MaXe, SoapUI is a BEAST.