May 14, 2010 at 12:14 pm #5047 cgseymour (Participant)
I am a somewhat newbie pen-tester. I have been tasked by my company to pen test one of our web sites (Silverlight, ASP.Net).
The WSDL is not published.
How could I go about creating a local client to try to consume some of the web services?
Any articles, books, tutorials or pointers would be greatly appreciated.
May 14, 2010 at 12:56 pm #32020 Dengar13 (Participant)
Hello and welcome to the forum!
I am sorry if I do not understand what you are exactly asking; what do you mean by “creating a local client to try to consume some of the web services?”
Are you saying that the site(s) are in the developmental stages and you want to run local pen tests?
May 14, 2010 at 4:08 pm #32021 cgseymour (Participant)
Sorry I wasn’t more clear.
What I would like to be able to do is to see if I could create a local client (say in C#) that would call the remote web service to see if I can return information from the service without proper authorization.
So within the company application this service would require authorization and authentication — I want to see if it is possible to access the web service without the proper credentials and determine if any of the company data could be at risk.
I hope that makes more sense.
May 14, 2010 at 5:04 pm #32022 Ketchup (Participant)
I may be missing something, but I don’t think that you have to write anything for that. Fire up any intercepting-proxy-based tool, like Burp or WebScarab, and access your web application through the proxy. It will begin to record all requests. You can then manipulate those requests and replay them, all in the tool.
May 14, 2010 at 7:03 pm #32023 caissyd (Participant)
I have written several web services myself for a “Big Bank” and the best tool to use is soapUI http://www.soapui.org/. Very easy to use.
“The WSDL is not published”
What do you mean by the WSDL is not published? It should always be… That’s one of the fundamental pieces of SOAP. Do you mean there is no “publicity” about them or they aren’t available at all? If they aren’t available, then soapUI isn’t the best tool…