Web Services PT - WSDigger authentication

JollyJokker

Post Tue Sep 27, 2011 4:25 am

Web Services PT - WSDigger authentication

And here I am, pentesting a web application with its web services exposed. The .asmx service is available and the WSDL is gladly provided.

However, the WSDL and all are available only from within an authenticated session. The problem is how to load the WSDL file (and create an authenticated session with username & password) in a web services security tool such as WSDigger.

The same problem applies to soapUI. The tool cannot access the WSDL document as application authentication is required. I did download the WSDL document and uploaded it to soapUI, but when a test case is run, it fails miserably (even though I do provide the username and password in the request parameters).

So, my question would be how you assess web services that are protected behind an authenticated session, and how it would be possible to provide WSDigger (or soapUI) with the necessary credentials in order to be able to fetch the supported methods.

Thanks!

~/h0rdakk
Last edited by JollyJokker on Tue Sep 27, 2011 5:40 am, edited 1 time in total.
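The failure described above comes down to session handling: the application issues a session cookie after a form login, and both the WSDL URL and the SOAP endpoint check for that cookie, so a tool that fetches the WSDL without it gets redirected to the login page (HTML, not WSDL), and credentials placed inside the SOAP request body never create a session. The following added example (not code from the thread or from WSDigger/soapUI) reproduces that behaviour with a constructed stand-in for an .asmx service running in-process, then shows the client side: log in once with a cookie jar, reuse the jar to fetch the WSDL and call an operation. The paths (`/Login.aspx`, `/Service.asmx`), cookie name, credentials and SOAPAction are assumptions.

```python
"""Added example: authenticated-session handling for a WSDL/SOAP endpoint.
The server class is a constructed stand-in so the script runs offline."""
import http.cookiejar
import http.cookies
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed names/values; change to match the application under test.
SESSION_COOKIE = "ASP.NET_SessionId"
SESSION_TOKEN = "constructed-session-token"
USER, PASSWORD = "tester", "s3cret"
WSDL = b"<definitions xmlns='http://schemas.xmlsoap.org/wsdl/'><service name='Demo'/></definitions>"
LOGIN_PAGE = b"<html><form action='/Login.aspx' method='post'>login</form></html>"
SOAP_RESPONSE = b"<soap:Envelope><soap:Body><HelloWorldResult>hi</HelloWorldResult></soap:Body></soap:Envelope>"
ENVELOPE = b"<soap:Envelope><soap:Body><HelloWorld/></soap:Body></soap:Envelope>"


class FakeAsmx(BaseHTTPRequestHandler):
    """Constructed stand-in: WSDL and SOAP calls require the session cookie."""

    def log_message(self, *_):  # keep the demo quiet
        pass

    def _session_ok(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        return SESSION_COOKIE in jar and jar[SESSION_COOKIE].value == SESSION_TOKEN

    def _reply(self, status, body, headers=None):
        self.send_response(status)
        for name, value in (headers or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path.startswith("/Service.asmx") and self._session_ok():
            self._reply(200, WSDL, {"Content-Type": "text/xml"})
        elif self.path.startswith("/Service.asmx"):
            self._reply(302, b"", {"Location": "/Login.aspx"})  # form-auth redirect
        else:
            self._reply(200, LOGIN_PAGE, {"Content-Type": "text/html"})

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/Login.aspx":
            form = urllib.parse.parse_qs(body.decode())
            if form.get("username") == [USER] and form.get("password") == [PASSWORD]:
                self._reply(200, b"logged in",
                            {"Set-Cookie": f"{SESSION_COOKIE}={SESSION_TOKEN}; Path=/"})
            else:
                self._reply(200, LOGIN_PAGE)
        elif self.path.startswith("/Service.asmx") and self._session_ok():
            self._reply(200, SOAP_RESPONSE, {"Content-Type": "text/xml"})
        else:
            self._reply(302, b"", {"Location": "/Login.aspx"})  # creds in the body do not help


def anonymous_client():
    """An opener with a cookie jar, equivalent to a tool that has not logged in."""
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))


def login(base, username, password):
    """Form login; the session cookie the server sets stays in the jar for later calls."""
    client = anonymous_client()
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    with client.open(base + "/Login.aspx", data=data) as resp:
        resp.read()
    return client


def get_wsdl(client, base):
    """Return (final_url, body). Without a session this ends on the login page."""
    with client.open(base + "/Service.asmx?WSDL") as resp:
        return resp.geturl(), resp.read()


def call_operation(client, base, soap_action, envelope):
    req = urllib.request.Request(base + "/Service.asmx", data=envelope,
                                 headers={"Content-Type": "text/xml; charset=utf-8",
                                          "SOAPAction": soap_action})
    with client.open(req) as resp:
        return resp.getcode(), resp.read()


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeAsmx)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv


def demo():
    base, srv = start_server()
    try:
        anon_url, anon_body = get_wsdl(anonymous_client(), base)
        session = login(base, USER, PASSWORD)
        _, auth_body = get_wsdl(session, base)
        status, soap = call_operation(session, base, "http://tempuri.org/HelloWorld", ENVELOPE)
        return {"anonymous_redirected_to_login": anon_url.endswith("/Login.aspx"),
                "anonymous_got_wsdl": b"<definitions" in anon_body,
                "session_got_wsdl": b"<definitions" in auth_body,
                "soap_status": status, "soap_response": soap}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The anonymous fetch ends on `/Login.aspx` with an HTML body, which is exactly what a scanner sees when it tries to parse the "WSDL" unauthenticated. Once the jar holds the session cookie, the same `get_wsdl` and `call_operation` calls succeed, which is the state an intercepting proxy or a pre-request login step has to put the tool into before it fetches the service description.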
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Tue Sep 27, 2011 10:18 am

Re: Web Services PT - WSDigger authentication

Why not configure soapUI to use Burp and handle authentication within Burp? I have not tried this personally, but based on my understanding it *should* work. Let us know how this goes. I'm interested in web services but have not formally performed any WS tests.

*EDIT* Maybe check out what looks to be an excellent post at http://resources.infosecinstitute.com/soap-attack-1/
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
