HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 38 guests and 4 members online
 
Advertisement

You are here:
EH-Net
May 23, 2013, 07:18:07 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Web Services PT - WSDigger authentication  (Read 5762 times)
0 Members and 1 Guest are viewing this topic.
JollyJokker
Guest
« on: September 27, 2011, 04:25:39 AM »
and here I am, pentesting a web application with its web services exposed. The .asmx service is available and the wsdl is gladly provided.

However, the wsdl and all are available from within an authenticated session. The problem is, how to load the wsdl file (and create an authenticated session with username & password) on a Web Services sec tool such as WS-Digger.

The same problem is applicable for soapUI. The tool cannot access the WSDL document as application authentication is required. I did download the WSDL document and uploaded it to soapUI but when a test case is to be run, it fails miserably (even though I do provide the username and password in the Request parameters)

So, my question would be on how you assess Web Services that are protected behind an authenticated session and how it would be possible to provide WSDigger (or soapUI) with the necessary credentials in order to be able and fetch the supported methods.

Thanks!

~/h0rdakk
« Last Edit: September 27, 2011, 05:40:11 AM by h0rdakk » Logged
tturner
Sr. Member
****
Offline Offline

Posts: 432


View Profile WWW
« Reply #1 on: September 27, 2011, 10:18:45 AM »
Why not configure soapUI to use Burp and handle authentication within Burp? Have not tried this personally but based on my understanding it *should* work. Let us know how this goes. I'm interested in web services but have not formally performed any WS tests.

*EDIT* maybe check out what looks to be an excellent post at http://resources.infosecinstitute.com/soap-attack-1/
Logged
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, OPSE, CSWAE, CSTP, VCP

WIP: OSWP, GSSP-JAVA, GXPN

Udacity on hold, again. I suck.

http://sentinel24.com/blog  @tonylturner http://bsidesorlando.org
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.064 seconds with 22 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.