How to Penetration Test WebServices (WSDL)

    • #5039
      T_Bone
      Participant

      Does anyone know of a good article, paper or website that discusses how to attack the 2.0 web service?  It is totally blind and does not have a front end, just a direct link to an .asmx?WSDL link?

      Cheers

    • #31943
      Jhaddix
      Participant

      Feed the WSDL to Foundstone's WSDigger, then go to the top menu and choose to run tests; this will check for commonly known injection attacks.

      Sec542 has a whole section on web service hacking =)
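      Before pointing a tool such as WSDigger at a WSDL, it helps to know what the WSDL itself discloses. The Python script below is added here as an example and is not part of this thread or of any tool mentioned in it; it parses a constructed sample WSDL (made-up service, operation and parameter names, in the style an .asmx endpoint returns) and lists every operation, its input parameters and the endpoint URL. That inventory is the exposed surface a tester reviews and the list a service owner should be able to account for.

```python
"""Inventory the operations a WSDL exposes (added example, not from the thread)."""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed sample WSDL; service, operation and parameter names are made up.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:s="http://www.w3.org/2001/XMLSchema"
             xmlns:tns="http://example.invalid/" targetNamespace="http://example.invalid/">
  <message name="GetUserSoapIn"><part name="userId" type="s:string"/></message>
  <message name="GetUserSoapOut"><part name="result" type="s:string"/></message>
  <message name="DeleteUserSoapIn"><part name="userId" type="s:string"/><part name="token" type="s:string"/></message>
  <message name="DeleteUserSoapOut"/>
  <portType name="UserServiceSoap">
    <operation name="GetUser"><input message="tns:GetUserSoapIn"/><output message="tns:GetUserSoapOut"/></operation>
    <operation name="DeleteUser"><input message="tns:DeleteUserSoapIn"/><output message="tns:DeleteUserSoapOut"/></operation>
  </portType>
  <service name="UserService">
    <port name="UserServiceSoap" binding="tns:UserServiceSoap">
      <soap:address location="http://example.invalid/UserService.asmx"/>
    </port>
  </service>
</definitions>"""


def inventory(wsdl_text):
    """Return ({operation: [input part names]}, [endpoint URLs]) for a WSDL document,
    i.e. every reachable operation, the parameters it accepts and where it is served."""
    root = ET.fromstring(wsdl_text)
    ns = {"w": WSDL_NS, "soap": SOAP_NS}
    # message name -> names of its parts (the parameters an operation takes)
    messages = {m.get("name"): [p.get("name") for p in m.findall("w:part", ns)]
                for m in root.findall("w:message", ns)}
    ops = {}
    for op in root.findall("w:portType/w:operation", ns):
        inp = op.find("w:input", ns)
        # message references are prefixed (tns:Name); strip the prefix to look them up
        msg = inp.get("message").split(":")[-1] if inp is not None else None
        ops[op.get("name")] = messages.get(msg, [])
    endpoints = [a.get("location") for a in root.findall("w:service/w:port/soap:address", ns)]
    return ops, endpoints


if __name__ == "__main__":
    ops, endpoints = inventory(SAMPLE_WSDL)
    for url in endpoints:
        print("endpoint:", url)
    for name, params in ops.items():
        print(f"{name}({', '.join(params)})")
```

      Each listed operation and parameter is one request shape to exercise in an intercepting proxy, and anything in the list that the application's front end never calls deserves a question about why it is exposed.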

    • #31944
      morpheus063
      Participant
    • #31945
      T_Bone
      Participant

      Yeah, I noticed that SANS542 does have coverage on it, but unfortunately I cannot afford the course and don't think my company will pay for it, as I have only been working as an entry-level pen tester for 4 weeks!

    • #31946
      Jhaddix
      Participant

      Also, CG did an excellent write-up of XPath injection right here on EH.net =) It gives some of the tools mentioned above:

      http://www.ethicalhacker.net/content/view/185/24/

    • #31947
      T_Bone
      Participant

      Thanks Jhaddix, much appreciated 🙂

    • #31948
      cgseymour
      Participant

      Along the same lines, are there any good books or articles about pen testing a site where the WSDL is not published?  It is a Silverlight, ASP.NET site.

      Thanks.

      chris

    • #31949
      Ketchup
      Participant

      Your Silverlight application likely still accepts and processes user input.  That's where most of the vulnerabilities come from.  Using intercepting proxies, like WebScarab, Tamper Data, Burp, and others, should still do the trick.  You just have to look at the app one request at a time and see what you can do with it.

    • #31950
      caissyd
      Participant

      I also found that soapUI – http://www.eviware.com/soapUI/soapui-products-overview.html is interesting when playing with web services.

    • #31951
      T_Bone
      Participant

      I have just purchased a book called "Hacking Web Services" by Shreeraj Shah.  It is pretty old, as it was published in 2006, but I figured that it should give me a good foundation on how to hack (provided the book is what it says on the front)... I'll leave an update on it once I have read it and provide any tips for those who may want to know... If anyone else has any suggestions on books, please let us know  🙂

    • #31952
      caissyd
      Participant

      I would be interested in reading your review, I am currently pentesting WS!

      Hope I won’t miss too many things…  😉

Copyright ©2021 Caendra, Inc.