
SOAP Web Services Vulnerability Scanner/Methodology

<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Nov 15, 2012 10:37 am

SOAP Web Services Vulnerability Scanner/Methodology

Hi everyone,

I have been searching for tools to help test SOAP Web Services for vulnerabilities. I found on this very good site http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html that only commercial products perform VAs for Web Services.

The OWASP Testing Guide v3 (https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf) is good but is missing many things. I heard that the next version will cover Web Services in more detail.

So in my search for free and open source tools, I found these:

1) WSDigger hasn't been updated since 2005 (http://www.mcafee.com/uk/downloads/free-tools/wsdigger.aspx)

2) WSFuzzer is good for what it does, but it doesn't cover everything...

3) Most people say they use SoapUI (very nice tool) linked with the Burp Suite (also very nice). Both tools support client certificate authentication. I can see great value in using these two tools after an automated vulnerability scan, but do you start your VA with them?

Also, there have been new little tools here and there, metasploit modules and other stuff, but not much in terms of automated vulnerability scans for XSS, CSRF, SQLi, XPATH injection and all the other WS-related vulnerabilities...

So do you guys know about better tools or methodologies?

Thanks in advance!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Nov 15, 2012 11:29 am

Re: SOAP Web Services Vulnerability Scanner/Methodology

I haven't had much luck automating this type of thing. I actually just gave up on looking and made some hack-job in Python. The SUDS library (http://pypi.python.org/pypi/suds) was quick and easy to use, but it didn't respond to anomalous conditions well (which is what we're looking for). I'd use this for enumeration and review of valid operations, but go with something custom for the attack portion.

What I ended up doing was creating an XML template for their configuration and changed specific values in it as I iterated over a list. It required a bit of manual effort at the onset, but it definitely saved me time overall.

Let us know if you come across a better solution.
The day you stop learning is the day you start becoming obsolete.
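
The template-and-iterate approach described in the post above, sketched as an added example (not dynamik's code): one field of a SOAP 1.1 request template is changed per iteration, and each response is classified against a known-good baseline. The `GetOrder` operation, the `http://example.test/orders` namespace and all sample messages are constructed assumptions.

```python
import copy
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SVC = "http://example.test/orders"  # hypothetical service namespace

# Constructed template for a hypothetical GetOrder operation.
TEMPLATE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP11}" xmlns:ord="{SVC}">
  <soapenv:Body>
    <ord:GetOrder><ord:orderId>1001</ord:orderId><ord:region>EU</ord:region></ord:GetOrder>
  </soapenv:Body>
</soapenv:Envelope>"""

def build_requests(template, field, values):
    """Yield (value, request_bytes), changing only `field` in a copy of the template."""
    root = ET.fromstring(template)
    for value in values:
        doc = copy.deepcopy(root)
        node = doc.find(f".//{{{SVC}}}{field}")
        if node is None:
            raise KeyError(f"{field} not in template")
        node.text = value  # ElementTree escapes &, < and > on serialization
        yield value, ET.tostring(doc, encoding="utf-8")

def classify(response_xml):
    """Return ('ok', None), ('fault', faultstring) or ('malformed', None)."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return ("malformed", None)
    fault = root.find(f".//{{{SOAP11}}}Fault")
    if fault is None:
        return ("ok", None)
    return ("fault", fault.findtext("faultstring"))  # unqualified child in SOAP 1.1

def deviations(baseline_xml, responses):
    """Return (value, status, detail) for each response whose status differs from the baseline."""
    expected = classify(baseline_xml)[0]
    results = [(value, *classify(xml)) for value, xml in responses]
    return [r for r in results if r[1] != expected]
```

Because the value is set on a parsed tree rather than pasted into the string, every generated request stays well-formed XML; sending deliberately malformed XML would need a separate, string-level step.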
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Nov 15, 2012 11:56 am

Re: SOAP Web Services Vulnerability Scanner/Methodology

Thanks ajohnson,

I just spent 5 minutes going through the suds documentation and it is indeed a good library to write Python code to interact with WS.

But as you said, it is not quite what I am looking for. So being a developer, I am starting to think about writing my own tool...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

ambient

Newbie

Posts: 20

Joined: Tue Feb 17, 2009 1:33 am

Location: Thailand

Post Mon Nov 19, 2012 2:14 am

Re: SOAP Web Services Vulnerability Scanner/Methodology

Hello H1t M0nk3y,
from my experience, I used SoapUI to test web services. With the flexibility of input options the web service could use, I have never used an automated tool to test it. I think the result won't be good enough.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Nov 19, 2012 7:51 am

Re: SOAP Web Services Vulnerability Scanner/Methodology

Thanks ambient,

That's what I've heard from most people. I am very tempted to write a tool to test WS... Because if you're like me, most of the tests I throw at WS could be automated.

My brain is going at a 100 MPH !!!  :o
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Nov 19, 2012 10:04 am

Re: SOAP Web Services Vulnerability Scanner/Methodology

I'll be glad to assist, with testing and ideas, H1tMonk3y.

The WS stuff I've been coming up on, lately, in pentests, really drives home the need for better tools / more consistent approaches.  Not that individual tools and manual testing don't work, but it would be nice to have something that played a little nicer.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Nov 19, 2012 11:01 am

Re: SOAP Web Services Vulnerability Scanner/Methodology

Thanks hayabusa, I appreciate it!

So let's try to scope what a good and complete SOAP Web Service vulnerability scanner would have (please add to this list!!):

- WSDL discovery to generate requests (like SoapUI does)
- Support for SOAP 1.1 and 1.2
- Fuzzing attributes, values and header
- Replay requests
- Search for
    - SQL Injection
    - XSS
    - CSRF
    - XPath/XQuery
    - Malformed XML
- Testing the schema: maximum and minimum length, types, etc
- Support for basic authentication, client certificates (SSL/TLS)
- A GUI for color highlighting and stuff like that
- Multi-platform (I am a Java developer...)
- Being able to save your project
- Obfuscation and/or quiet mode?
- Throttle of some sort

What else? I would stay away from exploitation for now...

Thanks
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
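
The "Testing the schema: maximum and minimum length, types" item from the list above, as an added example (not code from any poster): it reads the restriction facets from a WSDL's XSD types and derives values at and just outside each declared limit, paired with whether the contract says they should be accepted. The schema fragment is constructed, and only the four length and range facets shown are handled.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
KNOWN = ("minLength", "maxLength", "minInclusive", "maxInclusive")

# Constructed <types> fragment of a hypothetical WSDL.
SCHEMA = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="username">
    <xs:simpleType><xs:restriction base="xs:string">
      <xs:minLength value="3"/><xs:maxLength value="16"/>
    </xs:restriction></xs:simpleType>
  </xs:element>
  <xs:element name="quantity">
    <xs:simpleType><xs:restriction base="xs:int">
      <xs:minInclusive value="1"/><xs:maxInclusive value="99"/>
    </xs:restriction></xs:simpleType>
  </xs:element>
</xs:schema>"""

def facets(schema_xml):
    """Map element name -> (base type, {facet: int}) for restricted simple types."""
    out = {}
    for el in ET.fromstring(schema_xml).iter(XS + "element"):
        r = el.find(f"{XS}simpleType/{XS}restriction")
        if r is not None:
            found = {f.tag[len(XS):]: int(f.get("value"))
                     for f in r if f.tag[len(XS):] in KNOWN}
            out[el.get("name")] = (r.get("base").split(":")[-1], found)
    return out

def boundary_cases(base, f):
    """Return [(value, should_be_accepted)] at and just outside each declared limit."""
    cases = []
    if "minLength" in f:
        n = f["minLength"]
        cases += [("a" * n, True)] + ([("a" * (n - 1), False)] if n > 0 else [])
    if "maxLength" in f:
        cases += [("a" * f["maxLength"], True), ("a" * (f["maxLength"] + 1), False)]
    if "minInclusive" in f:
        cases += [(str(f["minInclusive"]), True), (str(f["minInclusive"] - 1), False)]
    if "maxInclusive" in f:
        cases += [(str(f["maxInclusive"]), True), (str(f["maxInclusive"] + 1), False)]
    if base in ("int", "integer", "long", "short"):
        cases.append(("abc", False))  # wrong lexical type for a numeric field
    return cases
```

A service that accepts a value marked `False` is not enforcing the contract its own WSDL publishes, which is worth reporting even when no injection is found.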
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Nov 19, 2012 11:42 am

Re: SOAP Web Services Vulnerability Scanner/Methodology

I'll add more, as time and thought processes permit (busy morning for work, already...)

- ability to do automatic character / string detection / encoding in URLs, etc
- Dictionary - ability to use and / or create file with current (and formerly found) WSDL method and element info, for reuse
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Nov 19, 2012 11:50 am

Re: SOAP Web Services Vulnerability Scanner/Methodology

Why not write an extension for Zed Attack Proxy? :) http://code.google.com/p/zap-extensions/ Psiinon is very active/responsive and I'm sure would really appreciate the contribution.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Nov 19, 2012 12:01 pm

Re: SOAP Web Services Vulnerability Scanner/Methodology

tturner wrote: Why not write an extension for Zed Attack Proxy? :) http://code.google.com/p/zap-extensions/ Psiinon is very active/responsive and I'm sure would really appreciate the contribution.


^^ Valid point, as well.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Nov 19, 2012 12:31 pm

Re: SOAP Web Services Vulnerability Scanner/Methodology

I've been using SoapUI and proxying it through Burp to leverage all that functionality. There are also fuzzing capabilities from within SoapUI but I've had better luck with Burp.

I've also found that a lot of the commercial tools are lacking for web services. Acunetix, for example, does support WS but not .NET WS ?! We have a "feature request" in but it doesn't sound promising. Netsparker doesn't support it at all...
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Nov 19, 2012 2:17 pm

Re: SOAP Web Services Vulnerability Scanner/Methodology

Thanks for the useful comments. I will look at ZAP closely before creating a new tool from scratch. No sense re-inventing the wheel if I don't need to...

Back to the scope, I agree that supporting the .Net web services is very important, but it's not that easy (too bad Microsoft always has to do their own things, like DataSet in WS). It could be easier to support the basic stuff, but the special .Net cases and exceptions could be tough to deal with.

Anyways, I will start with one thing at a time.

Do you guys see WS-Security often? I haven't seen any so far!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Nov 19, 2012 2:19 pm

Re: SOAP Web Services Vulnerability Scanner/Methodology

WS-Security...  not 'yet'
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Nov 19, 2012 6:04 pm

Re: SOAP Web Services Vulnerability Scanner/Methodology

Yeah, when it comes to Web Services it's hard to find any good tools. I did go through quite a few presentations (Don't drop the soap, etc.) and tools (WS Digger/Fuzzer, Acunetix, etc.) but none of them were very efficient.

Using SoapUI and Burp with e.g. the Intruder module is an easy way to fuzz. Just make sure you have a working WS request first that issues a normal response, so you have a base to start out with.

I wish there was a decent WS-scanner though, like something that actually works better than any tools out there, as I even have to spend a lot of time using SoapUI as well sometimes, when I have to figure out how the requests are formed, when the WSDL response is returning too much information about optional fields that do nothing.
I'm an InterN0T'er
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Nov 19, 2012 9:20 pm

Re: SOAP Web Services Vulnerability Scanner/Methodology

No kidding MaXe, SoapUI is a BEAST.