How to Penetration Test WebServices (WSDL)

This topic contains 10 replies, has 6 voices, and was last updated by  caissyd 9 years ago.

  • #5039
     T_Bone 
    Participant

    Does anyone know of a good article, paper, or website that discusses how to attack the 2.0 web service?  It is totally blind and does not have a front end, just a direct link to a .asmx?WSDL link.

    Cheers

  • #31943
     Jhaddix 
    Participant

    Feed the WSDL to Foundstone’s WSDigger, then go to the top menu and choose to run tests; this will check for commonly known injection attacks.

    SEC542 has a whole section on web service hacking =)
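    Before handing a WSDL to a scanner it helps to know what it actually exposes. The walker below is an added example, not code from this thread or from WSDigger: it parses a constructed document/literal WSDL of the shape an .asmx?WSDL URL returns and lists each operation with the typed input parameters it accepts, which is exactly the surface a tester or the service owner has to review one input at a time. The WSDL text, the service and operation names are all made up for the example.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "s": "http://www.w3.org/2001/XMLSchema"}

# Constructed WSDL in the document/literal shape an .asmx?WSDL URL returns.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://example.invalid/">
 <types><s:schema targetNamespace="http://example.invalid/">
  <s:element name="GetUser"><s:complexType><s:sequence>
   <s:element name="username" type="s:string"/><s:element name="id" type="s:int"/>
  </s:sequence></s:complexType></s:element>
  <s:element name="GetUserResponse"><s:complexType/></s:element>
  <s:element name="Search"><s:complexType><s:sequence>
   <s:element name="query" type="s:string"/></s:sequence></s:complexType></s:element>
 </s:schema></types>
 <message name="GetUserSoapIn"><part name="parameters" element="tns:GetUser"/></message>
 <message name="GetUserSoapOut"><part name="parameters" element="tns:GetUserResponse"/></message>
 <message name="SearchSoapIn"><part name="parameters" element="tns:Search"/></message>
 <portType name="SvcSoap">
  <operation name="GetUser"><input message="tns:GetUserSoapIn"/><output message="tns:GetUserSoapOut"/></operation>
  <operation name="Search"><input message="tns:SearchSoapIn"/></operation>
 </portType></definitions>"""

def local(qname):
    """Drop the namespace prefix: 'tns:GetUser' -> 'GetUser'."""
    return qname.split(":")[-1]

def wsdl_operations(wsdl_text):
    """Map each operation to the [(parameter, xsd type), ...] its input accepts."""
    root = ET.fromstring(wsdl_text)
    # message name -> name of the schema element carried by its part
    messages = {m.get("name"): local(p.get("element", ""))
                for m in root.findall("wsdl:message", NS)
                for p in m.findall("wsdl:part", NS)}
    # schema element name -> the leaf elements nested under it (the parameters)
    elements = {}
    for el in root.findall("wsdl:types/s:schema/s:element", NS):
        elements[el.get("name")] = [(c.get("name"), local(c.get("type", "")))
                                    for c in el.iter("{%s}element" % NS["s"])
                                    if c is not el]
    ops = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        inp = op.find("wsdl:input", NS)
        msg = local(inp.get("message", "")) if inp is not None else ""
        ops[op.get("name")] = elements.get(messages.get(msg, ""), [])
    return ops
```

    Calling `wsdl_operations(SAMPLE_WSDL)` gives one entry per operation, so a string-typed parameter such as `username` or `query` is immediately visible as a candidate for the injection tests WSDigger runs, and an operation with no input at all stands out as well.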

  • #31944
     morpheus063 
    Participant
  • #31945
     T_Bone 
    Participant

    Yeah, I noticed that SANS 542 does have coverage on it, but unfortunately I cannot afford the course and don't think my company will pay for it, as I have only been working as an entry-level pen tester for 4 weeks!

  • #31946
     Jhaddix 
    Participant

    Also, CG did an excellent write-up of XPath injection right here on EH.net =) It gives some of the tools mentioned above:

    http://www.ethicalhacker.net/content/view/185/24/

  • #31947
     T_Bone 
    Participant

    Thanks Jhaddix, much appreciated 🙂

  • #31948
     cgseymour 
    Participant

    Along the same lines, are there any good books or articles about pen testing a site where the WSDL is not published?  It is a Silverlight, ASP.NET site.

    Thanks.

    chris

  • #31949
     Ketchup 
    Participant

    Your Silverlight application likely still accepts and processes user input.  That’s where most of the vulnerabilities come from.  Using intercepting proxies like WebScarab, Tamper Data, Burp, and others should still do the trick.  You just have to look at the app one request at a time and see what you can do with it.

  • #31950
     caissyd 
    Participant

    I also found that soapUI – http://www.eviware.com/soapUI/soapui-products-overview.html is interesting when playing with web services.

  • #31951
     T_Bone 
    Participant

    I have just purchased a book called “Hacking Web Services” by Shreeraj Shah.  It is pretty old, as it was published in 2006, but I figured that it should give me a good foundation on how to hack (provided the book is what it says on the front)… I'll leave an update on it once I have read it and provide any tips for those who may want to know…. If anyone else has any suggestions on books, please let us know  🙂

  • #31952
     caissyd 
    Participant

    I would be interested in reading your review, I am currently pentesting WS!

    Hope I won’t miss too many things…  😉
