Web Services and API Penetration Testing Part #1

Hi Readers, today we will learn about another interesting part of web services and API penetration testing part, this revolves around Security assessments of web services.

To start with let’s take a look at what web services are made of:

A web service is software composed of a standardized XML messaging system. The benefit of web services is that since all of its communication is in XML, they are not restricted to any operating system or programming languages, they are built on Web services are built on top of open standards such as TCP/IP, HTTP, Java, HTML, and XML.

The benefit of web services is that: since all of its communication is in XML, it is not restricted to any operating system or programming languages they are built on hence web service provides platform independence. The wide adoption of this in cloud services, Governments, or Service-oriented architectures, has resulted in expanding the scope of security challenges such as Injection Attacks, phishing, Denial-of-Services (DoS) attacks, and so on.  Penetration testing on web services reduces the potential attacks possible due to the vulnerabilities in web services.

Component of web services:

• Service Consumer: It is a client who requests for particular web services
• Service Provider: It is a server which provides a response to the client

Anatomy of Web Services

In simple language, any basic web services platform is a combination of XML and HTTP.

They can be of:

• XML (Extensible Markup Language)

XML is a language used to communicate in the form of the SOAP message.

• SOAP (Simple Object Access Protocol)

Web services use SOAP format to send XML requests. Here, a client sends the request in SOAP and the server responds back in SOAP along with the requested service. SOAP messages basically consist of a Root Envelope element with two child elements named Header and Body: The SOAP header can contain application-specific information about SOAP Message which is considered as metadata of SOAP Message. The SOAP body contains actual SOAP Message which is used for storing a Web Service operation and its parameters. The concrete structure of the SOAP message is used to communicate with a Web Service and the binding information is described in the Web Service Description Language (WSDL).

• UDDI (Universal Description, Discovery, and Integration)

UDDI contains a list of service providers who registered for the particular web service so request consumers or clients can find for all service providers for any web service in UDDI.

• WSDL (Web Services Description Language)

WSDL file describes the way of accessing web services. Each web service is described in WSDL as It contains all the crucial information about the web service to be tested. It is extensible to allow the description of endpoints and their messages regardless of what message formats or network protocols are used to communicate.

Now, Let’s take a look at a SOAP-based Web Service Anatomy:

How does a Web Service Work

Web services depend on

• XML to tag the data
• SOAP to transfer a message
• WSDL to describe the availability of service.

Let’s take a look at a SOAP-based Web Service Anatomy:

Web services contain various components that maintain the standard of communication. When any Service Consumer wants to use web service, they need to request for the web service from the service providers. Here XML data in the SOAP format is used to communicate with the service provider to request any web services as specified in the WSDL file. The WSDL file is given by service providers to service consumers which defines the way of accessing web services. If Service Consumer is not aware of any Web Service Provider it will look for the UDDI which maintains the list of service providers for the particular web service.

SOAP Web Service Structure:

Penetration Testing on Web Services:

To begin penetration testing WebServices, we always require the following as preliminary:

1.  Sample API file ( WSDL/ SOAP etc)
2. Sample request/ response ( to understand the values and data passing
3. Entry points/ URLs

Tools for performing web services penetration testing:

• Fiddler
• Burp Suite
• Acunetix/IBM Security AppScan
• ZAP Proxy
• Curl
• SOAP UI

That’s all for now, in the next part of this series, we will learn about the test cases, methods, and tools used for Penetration Testing Web Services.