Author Topic: SOAP Web Services Vulnerability Scanner/Methodology  (Read 9696 times)
H1t M0nk3y
« on: November 15, 2012, 09:37:31 AM »

Hi everyone,

I have been searching for tools to help test SOAP Web Services for vulnerabilities. I found on this very good site http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html that only commercial products perform VAs for Web Services.

The OWASP Testing Guide v3 (https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf) is good but is missing many things. I heard that the next version will cover Web Services in more detail.

So in my search for free and open source tools, I found these:

1) WSDigger hasn't been updated since 2005 (http://www.mcafee.com/uk/downloads/free-tools/wsdigger.aspx)

2) WSFuzzer is good for what it does, but it doesn't cover everything...

3) Most people say they use SoapUI (very nice tool) linked with the Burp Suite (also very nice). Both tools support client certificate authentication. I can see great value in using these two tools after an automated vulnerability scan, but do you start your VA with them?

Also, there have been new little tools here and there, metasploit modules and other stuff, but not much in terms of automated vulnerability scans for XSS, CSRF, SQLi, XPATH injection and all the other WS-related vulnerabilities...

So do you guys know about better tools or methodologies?

Thanks in advance!




OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
ajohnson
aka dynamik
« Reply #1 on: November 15, 2012, 10:29:51 AM »

I haven't had much luck automating this type of thing. I actually just gave up on looking and made some hack-job in Python. The SUDS library (http://pypi.python.org/pypi/suds) was quick and easy to use, but it didn't respond to anomalous conditions well (which is what we're looking for). I'd use this for enumeration and review of valid operations, but go with something custom for the attack portion.

What I ended up doing was creating an XML template for their configuration and changed specific values in it as I iterated over a list. It required a bit of manual effort at the onset, but it definitely saved me time overall.

Let us know if you come across a better solution.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
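
The template approach described in the reply above, as an added example (not ajohnson's code): one known-good request is parsed once and a single field is replaced per iteration, so the envelope stays well-formed and the service's handling of the value is what gets exercised. The `GetAccount` operation, the `urn:example:accounts` namespace and the helper names are assumptions made for illustration.

```python
import copy
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
ACC = "urn:example:accounts"  # hypothetical service namespace
ET.register_namespace("soapenv", SOAP11)
ET.register_namespace("acc", ACC)

# Constructed request template for a hypothetical GetAccount operation.
TEMPLATE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP11}" xmlns:acc="{ACC}">
  <soapenv:Body><acc:GetAccount>
    <acc:accountId>1001</acc:accountId><acc:owner>alice</acc:owner>
  </acc:GetAccount></soapenv:Body>
</soapenv:Envelope>"""

def variants(template, field, values):
    """Yield (value, request_xml) with one field replaced per request."""
    base = ET.fromstring(template)
    for value in values:
        doc = copy.deepcopy(base)
        doc.find(f".//{{{ACC}}}{field}").text = value  # serializer escapes <, > and &
        yield value, ET.tostring(doc, encoding="unicode")

def naive_variant(template, value):
    """Plain string substitution: breaks the envelope when value holds markup characters."""
    return template.replace(">alice<", f">{value}<")

def well_formed(xml_text):
    """True when the text parses as XML."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def field_text(request_xml, field):
    """Read a field back out of a generated request."""
    return ET.fromstring(request_xml).findtext(f".//{{{ACC}}}{field}")
```

With string substitution, a value containing `&` or `<` is rejected by the XML parser before the operation ever sees it, which hides how the field itself is handled.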
H1t M0nk3y
« Reply #2 on: November 15, 2012, 10:56:15 AM »

Thanks ajohnson,

I just spent 5 minutes going through suds documentation and it is indeed a good library to write Python code to interact with WS.

But as you said, it is not quite what I am looking for. So being a developer, I am starting to think about writing my own tool...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
ambient
« Reply #3 on: November 19, 2012, 01:14:11 AM »

Hello H1t M0nk3y,
From my experience, I used SoapUI to test web services. With the flexibility of input options the web service could use, I have never used an automated tool to test it. I think the result won't be good enough.

H1t M0nk3y
« Reply #4 on: November 19, 2012, 06:51:24 AM »

Thanks ambient,

That's what I've heard from most people. I am very tempted to write a tool to test WS... Because if you're like me, most of the tests I throw at WS could be automated.

My brain is going at 100 MPH!!!

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
hayabusa
« Reply #5 on: November 19, 2012, 09:04:44 AM »

I'll be glad to assist, with testing and ideas, H1tMonk3y.

The WS stuff I've been coming up on, lately, in pentests, really drives home the need for better tools / more consistent approaches.  Not that individual tools and manual testing don't work, but it would be nice to have something that played a little nicer.

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
H1t M0nk3y
« Reply #6 on: November 19, 2012, 10:01:47 AM »

Thanks hayabusa, I appreciate it!

So let's try to scope what a good and complete SOAP Web Service vulnerability scanner would have (please add to this list!!):

- WSDL discovery to generate requests (like SoapUI does)
- Support for SOAP 1.1 and 1.2
- Fuzzing attributes, values and header
- Replay requests
- Search for
    - SQL Injection
    - XSS
    - CSRF
    - XPath/XQuery
    - Malformed XML
- Testing the schema: maximum and minimum length, types, etc
- Support for basic authentication, client certificates (SSL/TLS)
- A GUI for color highlighting and stuff like that
- Multi-platform (I am a Java developer...)
- Being able to save your project
- Obfuscation and/or quiet mode?
- Throttle of some sort

What else? I would stay away from exploitation for now...

Thanks

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
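
Two items from the list above, WSDL discovery and schema-limit testing, as an added example (not code from the thread): it reads a document/literal WSDL, maps each operation to its input fields and declared constraints, and derives values just inside and outside those limits. The WSDL is constructed for illustration, and the service, field and function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/", "xs": "http://www.w3.org/2001/XMLSchema"}
# Constructed WSDL for a hypothetical service; only the parts this example reads.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:example:accounts">
  <wsdl:types><xs:schema targetNamespace="urn:example:accounts">
    <xs:element name="GetAccount"><xs:complexType><xs:sequence>
      <xs:element name="accountId" type="xs:int"/>
      <xs:element name="owner"><xs:simpleType><xs:restriction base="xs:string">
        <xs:minLength value="1"/><xs:maxLength value="32"/>
      </xs:restriction></xs:simpleType></xs:element>
    </xs:sequence></xs:complexType></xs:element>
  </xs:schema></wsdl:types>
  <wsdl:message name="GetAccountIn"><wsdl:part name="body" element="tns:GetAccount"/></wsdl:message>
  <wsdl:portType name="AccountsPort"><wsdl:operation name="GetAccount">
    <wsdl:input message="tns:GetAccountIn"/></wsdl:operation></wsdl:portType>
</wsdl:definitions>"""

def local(qname):
    return qname.split(":")[-1]  # drop the namespace prefix

def operation_fields(wsdl_text):
    """Map operation name -> {field name: constraints} for document/literal inputs."""
    root = ET.fromstring(wsdl_text)
    msgs = {m.get("name"): local(m.find("wsdl:part", NS).get("element"))
            for m in root.findall("wsdl:message", NS)}
    elems = {e.get("name"): e for e in root.findall("wsdl:types/xs:schema/xs:element", NS)}
    result = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        wrapper = elems[msgs[local(op.find("wsdl:input", NS).get("message"))]]
        fields = {}
        for f in wrapper.findall("xs:complexType/xs:sequence/xs:element", NS):
            r = f.find("xs:simpleType/xs:restriction", NS)
            c = {"type": local(f.get("type") or r.get("base"))}
            for facet in ("minLength", "maxLength"):
                node = f.find(".//xs:" + facet, NS)
                if node is not None:
                    c[facet] = int(node.get("value"))
            fields[f.get("name")] = c
        result[op.get("name")] = fields
    return result

def boundary_values(c):
    """Values just inside and outside the declared limits, plus a type mismatch."""
    if c["type"] == "int":
        return ["0", "-1", "2147483647", "2147483648", "not-a-number"]
    lo, hi = c.get("minLength", 0), c.get("maxLength", 64)
    return ["A" * n for n in sorted({max(lo - 1, 0), lo, hi, hi + 1})]
```

For a WSDL fetched from a system under test rather than embedded like this one, parse it with `defusedxml` instead of the standard-library parser.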
hayabusa
« Reply #7 on: November 19, 2012, 10:42:42 AM »

I'll add more, as time and thought processes permit (busy morning for work, already...)

- ability to do automatic character / string detection / encoding in URLs, etc
- Dictionary - ability to use and / or create file with current (and formerly found) WSDL method and element info, for reuse

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
tturner
« Reply #8 on: November 19, 2012, 10:50:17 AM »

Why not write an extension for Zed Attack Proxy? http://code.google.com/p/zap-extensions/ Psiinon is very active/responsive and I'm sure would really appreciate the contribution.

Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, OPSE, CSWAE, CSTP, VCP

WIP: OSWP, GSSP-JAVA, GXPN

Udacity on hold, again. I suck.

http://sentinel24.com/blog  @tonylturner http://bsidesorlando.org
hayabusa
« Reply #9 on: November 19, 2012, 11:01:31 AM »

Why not write an extension for Zed Attack Proxy? http://code.google.com/p/zap-extensions/ Psiinon is very active/responsive and I'm sure would really appreciate the contribution.

^^ Valid point, as well.

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
cd1zz
« Reply #10 on: November 19, 2012, 11:31:28 AM »

I've been using SoapUI and proxying it through Burp to leverage all that functionality. There are also fuzzing capabilities from within SoapUI but I've had better luck with Burp.

I've also found that a lot of the commercial tools are lacking for web services. Acunetix, for example, does support WS but not .NET WS?! We have a "feature request" in but doesn't sound promising. Netsparker doesn't support it at all...


H1t M0nk3y
« Reply #11 on: November 19, 2012, 01:17:18 PM »

Thanks for the useful comments. I will look at ZAP closely before creating a new tool from scratch. No sense re-inventing the wheel if I don't need to...

Back to the scope, I agree that supporting the .Net web services is very important, but it's not that easy (too bad Microsoft always has to do their own things, like DataSet in WS). It could be easier to support the basic stuff, but the special .Net cases and exceptions could be tough to deal with.

Anyways, I will start with one thing at a time.

Do you guys see WS-Security often? I haven't seen any so far!



OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
hayabusa
« Reply #12 on: November 19, 2012, 01:19:45 PM »

WS-Security...  not 'yet'

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
MaXe
I've just upgraded myself to a cyborg muahahaa!!1
« Reply #13 on: November 19, 2012, 05:04:54 PM »

Yeah, when it comes to Web Services it's hard to find any good tools. I did go through quite a few presentations (Don't drop the soap, etc.) and tools (WS Digger/Fuzzer, Acunetix, etc.) but none of them were very efficient.

Using SoapUI and Burp with e.g. the Intruder module is an easy way to fuzz. Just make sure you have a working WS request first that issues a normal response, so you have a base to start out with.

I wish there was a decent WS-scanner though, like something that actually works better than any tools out there, as I even have to spend a lot of time using SoapUI as well sometimes, when I have to figure out how the requests are formed, when the WSDL response is returning too much information about optional fields that do nothing.

I'm an InterN0T'er
cd1zz
« Reply #14 on: November 19, 2012, 08:20:45 PM »

No kidding MaXe, SoapUI is a BEAST.
