SOAP Web Services Vulnerability Scanner/Methodology

    • #8032
      caissyd
      Participant

      Hi everyone,

      I have been searching for tools to help test SOAP Web Services for vulnerabilities. I found on this very good site http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html that only commercial products perform VAs for Web Services.

      The OWASP Testing Guide v3 (https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf) is good but is missing many things. I heard that the next version will cover Web Services in more detail.

      So in my search for free and open source tools, I found these:

      1) WSDigger hasn’t been updated since 2005 (http://www.mcafee.com/uk/downloads/free-tools/wsdigger.aspx)

      2) WSFuzzer is good for what it does, but it doesn’t cover everything…

      3) Most people say they use SoapUI (very nice tool) linked with the Burp Suite (also very nice). Both tools support client certificate authentication. I can see great value in using these two tools after an automated vulnerability scan, but do you start your VA with them?

      Also, there have been new little tools here and there, metasploit modules and other stuff, but not much in terms of automated vulnerability scans for XSS, CSRF, SQLi, XPATH injection and all the other WS-related vulnerabilities…

      So do you guys know about better tools or methodologies?

      Thanks in advance!

    • #50896
      dynamik
      Participant

      I haven’t had much luck automating this type of thing. I actually just gave up on looking and made some hack-job in Python. The SUDS library (http://pypi.python.org/pypi/suds) was quick and easy to use, but it didn’t respond to anomalous conditions well (which is what we’re looking for). I’d use this for enumeration and review of valid operations, but go with something custom for the attack portion.

      What I ended up doing was creating an XML template for their configuration and changed specific values in it as I iterated over a list. It required a bit of manual effort at the onset, but it definitely saved me time overall.

      Let us know if you come across a better solution.

    • #50897
      caissyd
      Participant

      Thanks ajohnson,

      I just spent 5 minutes going through the suds documentation and it is indeed a good library to write Python code to interact with WS.

      But as you said, it is not quite what I am looking for. So being a developer, I am starting to think about writing my own tool…

    • #50898
      ambient
      Participant

      Hello H1t M0nk3y,
      From my experience, I used SoapUI to test web services. With the flexibility of input options the web service could use, I have never used an automated tool to test it. I think the result won’t be good enough.

    • #50899
      caissyd
      Participant

      Thanks ambient,

      That’s what I’ve heard from most people. I am very tempted to write a tool to test WS… Because if you’re like me, most of the tests I throw at WS could be automated.

      My brain is going at a 100 MPH !!!  😮

    • #50900
      hayabusa
      Participant

      I’ll be glad to assist, with testing and ideas, H1tMonk3y.

      The WS stuff I’ve been coming up on, lately, in pentests, really drives home the need for better tools / more consistent approaches.  Not that individual tools and manual testing don’t work, but it would be nice to have something that played a little nicer.

    • #50901
      caissyd
      Participant

      Thanks hayabusa, I appreciate it!

      So let’s try to scope what a good and complete SOAP Web Service vulnerability scanner would have (please add to this list!!):

      – WSDL discovery to generate requests (like SoapUI does)
      – Support for SOAP 1.1 and 1.2
      – Fuzzing attributes, values and header
      – Replay requests
      – Search for
          – SQL Injection
          – XSS
          – CSRF
          – XPath/XQuery
          – Malformed XML
      – Testing the schema: maximum and minimum length, types, etc
      – Support for basic authentication, client certificates (SSL/TLS)
      – A GUI for color highlighting and stuff like that
      – Multi-platform (I am a Java developer…)
      – Being able to save your project
      – Obfuscation and/or quiet mode?
      – Throttle of some sort

      What else? I would stay away from exploitation for now…

      Thanks

    • #50902
      hayabusa
      Participant

      I’ll add more, as time and thought processes permit (busy morning for work, already…)

      – ability to do automatic character / string detection / encoding in URLs, etc
      – Dictionary – ability to use and / or create a file with current (and formerly found) WSDL method and element info, for reuse

    • #50903
      tturner
      Participant

      Why not write an extension for Zed Attack Proxy? 🙂 http://code.google.com/p/zap-extensions/ Psiinon is very active/responsive and I’m sure would really appreciate the contribution.

    • #50904
      hayabusa
      Participant

      @tturner wrote:

      Why not write an extension for Zed Attack Proxy? 🙂 http://code.google.com/p/zap-extensions/ Psiinon is very active/responsive and I’m sure would really appreciate the contribution.

      ^^ Valid point, as well.

    • #50905
      cd1zz
      Participant

      I’ve been using SoapUI and proxying it through Burp to leverage all that functionality. There are also fuzzing capabilities from within SoapUI but I’ve had better luck with Burp.

      I’ve also found that a lot of the commercial tools are lacking for web services. Acunetix for example does support WS but not .NET WS ?! We have a “feature request” in but it doesn’t sound promising. Netsparker doesn’t support it at all…

    • #50906
      caissyd
      Participant

      Thanks for the useful comments. I will look at ZAP closely before creating a new tool from scratch. No sense re-inventing the wheel if I don’t need to…

      Back to the scope, I agree that supporting the .Net web services is very important, but it’s not that easy (too bad Microsoft always has to do their own things, like DataSet in WS). It could be easier to support the basic stuff, but the special .Net cases and exceptions could be tough to deal with.

      Anyways, I will start with one thing at a time.

      Do you guys see WS-Security often? I haven’t seen any so far!

    • #50907
      hayabusa
      Participant

      WS-Security…  not ‘yet’

    • #50908
      MaXe
      Participant

      Yeah, when it comes to Web Services it’s hard to find any good tools. I did go through quite a few presentations (Don’t drop the soap, etc.) and tools (WS Digger/Fuzzer, Acunetix, etc.) but none of them were very efficient.

      Using SoapUI and Burp with e.g. the Intruder module is an easy way to fuzz. Just make sure you have a working WS request first that issues a normal response, so you have a base to start out with.

      I wish there was a decent WS-scanner though, like something that actually works better than any tools out there, as I even have to spend a lot of time using SoapUI as well sometimes, when I have to figure out how the requests are formed, when the WSDL response is returning too much information about optional fields that do nothing.

    • #50909
      cd1zz
      Participant

      No kidding MaXe, SoapUI is a BEAST.

    • #50910
      caissyd
      Participant

      Thanks MaXe,

      But other than what we have listed earlier, what features would you like to see in this WS Scanner?

      Guys, I am very serious about writing a tool for that…

    • #50911
      MaXe
      Participant

      The ability to request ?wsdl from a URL where it isn’t specified by default, form the XML request without redundant headers (e.g. the same header mentioned several times), interpreting WS-Security error messages and relaying them to the user saying e.g. “You need to specify a valid username and password”, and when the basic request has been formed, the ability to fuzz each field, look at the response for both returned values and error messages and report that to the user 🙂

      In essence, creating a working XML request can sometimes be tricky with some clients where their ?wsdl specifies another endpoint than what you have been given, so the tool should also be able to use a hardcoded ?wsdl URL that does not change even if the ?wsdl says otherwise. The tool should accept sample requests provided by the user, which the user knows is working, bypassing the initial phase/process in the program of creating a working XML request that responds as it should.

      Just some ideas and the most annoying issues I have come across when testing.

      Oh yeah, the tool should be able to proxy as well, so it can go through Burp, etc.

      I am mostly experiencing issues with a WSDL defining too much (useless) information and incorrect endpoints when I am testing a WSDL that has just been moved from one location to another (from production to development) where the WSDL hasn’t been updated.
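      Pulling together the pieces this thread keeps coming back to (dynamik’s “XML template with values swapped while iterating” approach, the schema min/max-length and type tests from the scope list, and MaXe’s points about starting from a user-supplied request that is known to work and translating WS-Security faults into plain messages), here is an added example; it is not code from any poster or from the tool being discussed. The sample request, the fault response, the variant set and the `GetOrder` operation are constructed for the example.

```python
import xml.etree.ElementTree as ET
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
# Constructed sample request the tester already knows works (the user-supplied sample idea).
SAMPLE_REQUEST = """<s:Envelope xmlns:s="%s"><s:Body><GetOrder xmlns="urn:example">
<orderId>42</orderId><customer>bob</customer></GetOrder></s:Body></s:Envelope>""" % SOAP11
# Constructed SOAP 1.1 fault carrying a real WS-Security fault code.
SAMPLE_FAULT = """<s:Envelope xmlns:s="%s"><s:Body><s:Fault>
<faultcode>wsse:FailedAuthentication</faultcode><faultstring>auth failed</faultstring>
</s:Fault></s:Body></s:Envelope>""" % SOAP11
# Schema-boundary variants from the scope list (hypothetical set; extend per WSDL type).
VARIANTS = {"empty": "", "oversize": "A" * 5000, "type-mismatch": "not-a-number"}
# WS-Security 1.1 fault codes mapped to plain-language hints for the tester.
WSSE_HINTS = {"FailedAuthentication": "You need to specify a valid username and password",
              "InvalidSecurityToken": "The security token sent was rejected"}
def _find_body(root):  # Body under the SOAP 1.1 or 1.2 namespace -> (body, namespace)
    for ns in (SOAP11, SOAP12):
        body = root.find("{%s}Body" % ns)
        if body is not None:  # an empty Element is falsy, so compare with None
            return body, ns
    raise ValueError("no SOAP 1.1/1.2 Body found")

def body_leaf_paths(envelope_xml):  # (path relative to Body, value) for each leaf field
    body, _ = _find_body(ET.fromstring(envelope_xml))
    leaves = []
    def walk(elem, path):
        if len(elem) == 0:
            leaves.append((path, elem.text or ""))
        for k in elem:
            walk(k, path + "/" + k.tag)
    for child in body:
        walk(child, child.tag)
    return leaves

def mutate(envelope_xml, leaf_path, new_value):  # one leaf replaced, rest of template intact
    root = ET.fromstring(envelope_xml)
    _find_body(root)[0].find(leaf_path).text = new_value
    return ET.tostring(root, encoding="unicode")
def classify_response(response_xml):  # ('ok', '') or ('fault', hint for the tester)
    body, ns = _find_body(ET.fromstring(response_xml))
    fault = body.find("{%s}Fault" % ns)
    if fault is None:
        return ("ok", "")
    if ns == SOAP11:
        code, text = fault.findtext("faultcode", ""), fault.findtext("faultstring", "")
    else:  # SOAP 1.2: WS-Security codes sit under Code/Subcode/Value, reason under Reason/Text
        code = fault.findtext("{%s}Code/{%s}Subcode/{%s}Value" % ((ns,) * 3), "")
        text = fault.findtext("{%s}Reason/{%s}Text" % (ns, ns), "")
    return ("fault", WSSE_HINTS.get(code.split(":")[-1], text))
```

      A scanner loop would call `mutate` once per (leaf, variant) pair, send each request through the proxy, and feed the reply to `classify_response`; the hint text is what gets relayed to the user.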

    • #50912
      hayabusa
      Participant

      @MaXe wrote:

      I am mostly experiencing issues with a WSDL defining too much (useless) information and incorrect endpoints when I am testing a WSDL that has just been moved from one location to another (from production to development) where the WSDL hasn’t been updated.

      ++1 to the ‘useless’ data piece (and the rest, but definitely that)

    • #50913
      caissyd
      Participant

      Excellent MaXe, thanks a lot. I agree with all the required features. Thanks again!!

      So I am “All In” now. I started working on this project last weekend and at this point, I can send, receive and parse SOAP web services. Basic fuzzing will be the next step so in about a week from now, this part should be working.

      I suspect that the Alpha version will be ready in March 2013. I will keep you guys posted! I will need knowledgeable testers…  😉

    • #50914
      dynamik
      Participant

      What are you writing this in (I seem to remember you working with Java)?

      Have you thought about using Burp Extender? http://portswigger.net/burp/extender/

    • #50915
      caissyd
      Participant

      Yes, it’s in Java.

      As for the Burp Extender, I have a hard time working for free for a commercial tool (even if they have a community version)… :-

    • #50916
      tturner
      Participant

      @H1t M0nk3y wrote:

      Yes, it’s in Java.

      As for the Burp Extender, I have a hard time working for free for a commercial tool (even if they have a community version)… :-

      Which was why I mentioned ZAP 🙂
