
How to Penetration Test WebServices (WSDL)


T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Wed May 12, 2010 12:58 pm

How to Penetration Test WebServices (WSDL)

Does anyone know of a good article, paper or website that discusses how to attack a 2.0 web service?  It is totally blind and does not have a front end, just a direct link to a .asmx?WSDL link.

Cheers
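When the only artefact in hand is a WSDL, the first step, for a tester and equally for the service owner reviewing what is exposed, is to inventory what it describes: the endpoint, every operation, and each operation's input parameters with their types. The following Python script is an added example, not code from the original thread or from any tool mentioned in it; the embedded WSDL, the service name UserService and the host example.invalid are constructed for the demonstration. It also singles out the free-form string inputs, which are the parameters whose validation needs the closest review.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed sample WSDL in the style of an ASP.NET .asmx endpoint (hypothetical service).
SAMPLE_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:s="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://example.invalid/" targetNamespace="http://example.invalid/">
  <wsdl:types>
    <s:schema elementFormDefault="qualified" targetNamespace="http://example.invalid/">
      <s:element name="GetUser"><s:complexType><s:sequence>
        <s:element minOccurs="0" maxOccurs="1" name="username" type="s:string"/>
      </s:sequence></s:complexType></s:element>
      <s:element name="GetUserResponse"><s:complexType><s:sequence>
        <s:element minOccurs="0" maxOccurs="1" name="GetUserResult" type="s:string"/>
      </s:sequence></s:complexType></s:element>
      <s:element name="SetQuota"><s:complexType><s:sequence>
        <s:element minOccurs="1" maxOccurs="1" name="userId" type="s:int"/>
        <s:element minOccurs="1" maxOccurs="1" name="megabytes" type="s:int"/>
      </s:sequence></s:complexType></s:element>
      <s:element name="SetQuotaResponse"><s:complexType><s:sequence/></s:complexType></s:element>
    </s:schema>
  </wsdl:types>
  <wsdl:message name="GetUserSoapIn"><wsdl:part name="parameters" element="tns:GetUser"/></wsdl:message>
  <wsdl:message name="GetUserSoapOut"><wsdl:part name="parameters" element="tns:GetUserResponse"/></wsdl:message>
  <wsdl:message name="SetQuotaSoapIn"><wsdl:part name="parameters" element="tns:SetQuota"/></wsdl:message>
  <wsdl:message name="SetQuotaSoapOut"><wsdl:part name="parameters" element="tns:SetQuotaResponse"/></wsdl:message>
  <wsdl:portType name="UserServiceSoap">
    <wsdl:operation name="GetUser"><wsdl:input message="tns:GetUserSoapIn"/><wsdl:output message="tns:GetUserSoapOut"/></wsdl:operation>
    <wsdl:operation name="SetQuota"><wsdl:input message="tns:SetQuotaSoapIn"/><wsdl:output message="tns:SetQuotaSoapOut"/></wsdl:operation>
  </wsdl:portType>
  <wsdl:service name="UserService">
    <wsdl:port name="UserServiceSoap" binding="tns:UserServiceSoap">
      <soap:address location="http://example.invalid/UserService.asmx"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def _local(qname):
    """Strip a namespace prefix such as 'tns:' or 's:' from a QName."""
    return qname.split(":", 1)[-1]


def inventory(wsdl_text):
    """Return {'endpoint': url, 'operations': {op: [(param, type, required), ...]}}."""
    root = ET.fromstring(wsdl_text)

    # 1. Schema: top-level element name -> the parameters nested under it.
    params_of = {}
    for schema in root.iter(f"{{{XSD_NS}}}schema"):
        for top in schema.findall(f"{{{XSD_NS}}}element"):
            params = []
            for child in top.findall(f".//{{{XSD_NS}}}element"):
                required = child.get("minOccurs", "1") != "0"  # XSD default minOccurs is 1
                params.append((child.get("name"), _local(child.get("type", "complex")), required))
            params_of[top.get("name")] = params

    # 2. Messages: message name -> schema element carried by its (first) part.
    element_of = {}
    for msg in root.findall(f"{{{WSDL_NS}}}message"):
        part = msg.find(f"{{{WSDL_NS}}}part")
        if part is not None and part.get("element"):
            element_of[msg.get("name")] = _local(part.get("element"))

    # 3. Operations: portType operation -> input message -> element -> parameters.
    #    .asmx WSDLs repeat operations across Soap/Soap12 portTypes; keying by name dedupes them.
    operations = {}
    for op in root.findall(f"{{{WSDL_NS}}}portType/{{{WSDL_NS}}}operation"):
        inp = op.find(f"{{{WSDL_NS}}}input")
        msg_name = _local(inp.get("message")) if inp is not None else None
        operations[op.get("name")] = params_of.get(element_of.get(msg_name), [])

    addr = root.find(f".//{{{SOAP_NS}}}address")
    endpoint = addr.get("location") if addr is not None else None
    return {"endpoint": endpoint, "operations": operations}


def string_inputs(inv):
    """Operations taking free-form strings: the inputs whose validation and injection handling need review."""
    return {
        op: [name for name, typ, _ in params if typ == "string"]
        for op, params in inv["operations"].items()
        if any(typ == "string" for _, typ, _ in params)
    }


if __name__ == "__main__":
    inv = inventory(SAMPLE_WSDL)
    print("endpoint:", inv["endpoint"])
    for op, params in inv["operations"].items():
        desc = ", ".join(f"{n}:{t}{'' if r else '?'}" for n, t, r in params) or "(no parameters)"
        print(f"  {op}({desc})")
    print("string inputs to review:", string_inputs(inv))
```

Run against a real WSDL, the same inventory is what soapUI or WSDigger build internally before generating requests; having it as a plain table lets the tester keep a checklist of operations covered, and lets the owner confirm that nothing is exposed that the front end never needed.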

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Wed May 12, 2010 1:04 pm

Re: How to Penetration Test WebServices (WSDL)

Feed the WSDL to Foundstone's WSDigger, then go to the top menu and choose to run tests; this will check for commonly known injection attacks.

Sec542 has a whole section on webservice hacking =)

morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Wed May 12, 2010 1:06 pm

Re: How to Penetration Test WebServices (WSDL)

Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Wed May 12, 2010 1:07 pm

Re: How to Penetration Test WebServices (WSDL)

Yeah, I noticed that SANS542 does have coverage on it, but unfortunately I cannot afford the course and don't think my company will pay for it, as I have only been working as an entry-level pen tester for 4 weeks!

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Wed May 12, 2010 5:37 pm

Re: How to Penetration Test WebServices (WSDL)

Also CG did an excellent writeup of XPATH injection right here on EH.net =) Gives some tool mentioned above:

http://www.ethicalhacker.net/content/view/185/24/

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Thu May 13, 2010 2:08 am

Re: How to Penetration Test WebServices (WSDL)

Thanks Jhaddix, much appreciated :)

cgseymour

Newbie

Posts: 3

Joined: Thu May 14, 2009 8:32 am

Post Fri May 14, 2010 6:48 am

Re: How to Penetration Test WebServices (WSDL)

Along the same lines, are there any good books or articles about pen testing a site where the WSDL is not published?  It is a Silverlight, ASP.NET site.

Thanks.

chris

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri May 14, 2010 11:04 am

Re: How to Penetration Test WebServices (WSDL)

Your Silverlight application likely still accepts and processes user input.  That's where most of the vulnerabilities come from.  Using intercepting proxies, like WebScarab, Tamper Data, Burp, and others, should still do the trick.  You just have to look at the app one request at a time and see what you can do with it.
~~~~~~~~~~~~~~
Ketchup

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Jul 08, 2010 7:29 am

Re: How to Penetration Test WebServices (WSDL)

I also found that soapUI - http://www.eviware.com/soapUI/soapui-products-overview.html is interesting when playing with web services.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Thu Sep 09, 2010 3:25 am

Re: How to Penetration Test WebServices (WSDL)

I have just purchased a book called "Hacking Web Services" by Shreeraj Shah.  It is pretty old, as it was published in 2006, but I figured that it should give me a good foundation on how to hack (provided the book is what it says on the front)... I'll leave an update on it once I have read it and provide any tips for those who may want to know.... If anyone else has any suggestions on books, please let us know  :)

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Sep 09, 2010 11:06 am

Re: How to Penetration Test WebServices (WSDL)

I would be interested in reading your review, I am currently pentesting WS!

Hope I won't miss too many things...  ;)
Last edited by caissyd on Thu Sep 09, 2010 12:04 pm, edited 1 time in total.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
