Web Services and API Penetration Testing Part #1

Hi Readers, today we will learn about another interesting topic, web services and API penetration testing, which revolves around security assessments of web services.

To start with let’s take a look at what web services are made of:

A web service is software composed of a standardized XML messaging system. The benefit of web services is that, since all of their communication is in XML, they are not restricted to any operating system or programming language. Web services are built on top of open standards such as TCP/IP, HTTP, Java, HTML, and XML.

Anatomy of Web Services

In simple language, any basic web services platform is a combination of XML and HTTP.

They can consist of:

  • SOAP (Simple Object Access Protocol)
  • UDDI (Universal Description, Discovery and Integration)
  • WSDL (Web Services Description Language)

How does a Web Service Work

Web services depend on:

  • XML to tag the data ( as markup and sy
  • SOAP to transfer a message
  • WSDL to describe the availability of the service.

Let’s take a look at a SOAP based Web Service Anatomy:

Figure: SOAP Service Structure

Figure: Web Services Layout

Penetration Testing on Web Services:

To begin penetration testing web services, we always require the following preliminaries:

1) Sample API file (WSDL/SOAP etc.)

2) Sample request/response (to understand the values and data being passed)

3) Entry points/URLs
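The following is an added example, not code from the original post: it ties together the three building blocks named above (XML as the markup, SOAP as the message, WSDL as the service description) and the three preliminaries just listed. It parses a constructed WSDL to pull out the entry-point URLs and the operations with their SOAPAction values, builds a SOAP 1.1 request envelope for one operation, and parses a constructed response, including a SOAP Fault. The service name AccountService, the namespace http://example.test/account, the endpoint http://example.test/ws/account and the operations GetBalance and Transfer are hypothetical; only the Python standard library is used.

```python
# Added example, not code from the original post. Parses a constructed WSDL to list
# the entry points and operations a tester needs up front, builds a SOAP 1.1 request
# envelope, and parses a constructed response. Standard library only.
# Note: xml.etree does not defend against hostile XML (entity expansion etc.); parse
# responses from untrusted services with defusedxml instead.
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
}
SERVICE_NS = "http://example.test/account"  # hypothetical target namespace

# Constructed sample WSDL; service name, namespace and endpoint URL are hypothetical.
SAMPLE_WSDL = """<definitions name="AccountService" targetNamespace="http://example.test/account"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.test/account">
  <portType name="AccountPortType">
    <operation name="GetBalance"/><operation name="Transfer"/>
  </portType>
  <binding name="AccountBinding" type="tns:AccountPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance"><soap:operation soapAction="urn:GetBalance"/></operation>
    <operation name="Transfer"><soap:operation soapAction="urn:Transfer"/></operation>
  </binding>
  <service name="AccountService">
    <port name="AccountPort" binding="tns:AccountBinding">
      <soap:address location="http://example.test/ws/account"/>
    </port>
  </service>
</definitions>"""

# Constructed sample responses: one normal reply and one SOAP Fault.
SAMPLE_RESPONSE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><GetBalanceResponse xmlns="http://example.test/account">
    <balance>1250.00</balance><currency>EUR</currency>
  </GetBalanceResponse></soapenv:Body></soapenv:Envelope>"""
SAMPLE_FAULT = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode>
    <faultstring>Client authentication failed</faultstring></soapenv:Fault>
  </soapenv:Body></soapenv:Envelope>"""


def wsdl_entry_points(wsdl_text):
    """Map each <service> name to the endpoint URLs in its <port>/<soap:address> elements."""
    root = ET.fromstring(wsdl_text)
    result = {}
    for service in root.findall("wsdl:service", NS):
        urls = [addr.get("location")
                for port in service.findall("wsdl:port", NS)
                for addr in port.findall("soap:address", NS)]
        result[service.get("name")] = urls
    return result


def wsdl_operations(wsdl_text):
    """Map each operation in the <binding> to its SOAPAction value (None if absent)."""
    root = ET.fromstring(wsdl_text)
    ops = {}
    for binding in root.findall("wsdl:binding", NS):
        for op in binding.findall("wsdl:operation", NS):
            soap_op = op.find("soap:operation", NS)
            ops[op.get("name")] = soap_op.get("soapAction") if soap_op is not None else None
    return ops


def build_envelope(operation, params, ns=SERVICE_NS):
    """Build a SOAP 1.1 request: Envelope > Header, Body > <ns:operation> with one child per param."""
    ET.register_namespace("soapenv", NS["env"])
    ET.register_namespace("tns", ns)
    envelope = ET.Element(f"{{{NS['env']}}}Envelope")
    ET.SubElement(envelope, f"{{{NS['env']}}}Header")
    body = ET.SubElement(envelope, f"{{{NS['env']}}}Body")
    op_el = ET.SubElement(body, f"{{{ns}}}{operation}")
    for name, value in params.items():
        # Set as element text, so the serializer escapes markup characters in values.
        ET.SubElement(op_el, f"{{{ns}}}{name}").text = str(value)
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def parse_response(xml_bytes):
    """Return ("fault", faultstring) for a SOAP Fault, else ("ok", {field: text}) from the payload."""
    body = ET.fromstring(xml_bytes).find("env:Body", NS)
    if body is None:
        raise ValueError("no SOAP Body element")
    fault = body.find("env:Fault", NS)
    if fault is not None:  # in SOAP 1.1 faultstring is an unqualified child element
        fs = fault.find("faultstring")
        return ("fault", fs.text if fs is not None else "")
    payload = list(body)[0]
    return ("ok", {child.tag.split("}")[-1]: child.text for child in payload})


if __name__ == "__main__":
    print(wsdl_entry_points(SAMPLE_WSDL))
    print(wsdl_operations(SAMPLE_WSDL))
    print(build_envelope("GetBalance", {"accountId": "12345"}).decode())
    print(parse_response(SAMPLE_RESPONSE), parse_response(SAMPLE_FAULT))
```

The entry points and operations come from the WSDL's <service> and <binding> sections, which is exactly the information items 1 and 3 above ask for; the envelope and the parsed reply are the sample request/response of item 2. Values are written as element text rather than spliced into a string, so a parameter containing markup is escaped instead of altering the envelope structure.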

Tools for performing web services penetration testing:

  • Fiddler
  • Burp Suite
  • Acunetix/IBM Security AppScan
  • ZAP Proxy
  • Curl

That’s all for now. In the next part of this series, we will learn about the test cases, methods and tool usage for penetration testing web services.
