I have been searching for tools to help test SOAP Web Services for vulnerabilities. I found on this very good site http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html that only commercial products perform VAs for Web Services.
The OWASP Testing Guide v3 (https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf) is good but is missing many things. I heard that the next version will cover Web Services in more details.
So in my search for free and open source tools, I found these:
1) WSDigger hasn't been updated since 2005 (http://www.mcafee.com/uk/downloads/free-tools/wsdigger.aspx)
2) WSFuzzer is good for what it does, but it doesn't cover everything...
3) Most people say they use SoapUI (very nice tool) linked with the Burp Suite (also very nice). Both tools support client certificate authentication. I can see great value in using these two tools after an automated vulnerability scan, but do you start your VA with them?
Also, there have been new little tools here and there, metasploit modules and other stuff, but not much in terms of automated vulnerability scans for XSS, CSRF, SQLi, XPATH injection and all the other WS-related vulnerabilities...
So do you guys know about better tools or methodologies?
Thanks in advance!