Hi Readers, today we will learn about another interesting part of web services and API penetration testing: security assessments of web services.
To start with let’s take a look at what web services are made of:
A web service is software built around a standardized XML messaging system. Web services are built on top of open standards such as TCP/IP, HTTP, Java, HTML, and XML.
The benefit of web services is that, since all of their communication is in XML, they are not tied to the operating system or programming language they are built on: a web service provides platform independence. Their wide adoption in cloud services, governments and service-oriented architectures has expanded the scope of security challenges, such as injection attacks, phishing, Denial-of-Service (DoS) attacks, and so on. Penetration testing of web services reduces the attacks made possible by vulnerabilities in them.
In simple language, any basic web services platform is a combination of XML and HTTP.
They can be of:
XML is the language used to communicate, in the form of SOAP messages.
Web services use the SOAP format to send XML requests: the client sends a request in SOAP and the server responds in SOAP with the requested service. A SOAP message consists of a root Envelope element with two child elements, Header and Body. The SOAP Header can carry application-specific information about the message, which is considered the message's metadata. The SOAP Body carries the actual message, that is, the web service operation being invoked and its parameters. The concrete structure of the SOAP message used to communicate with a web service, together with the binding information, is described in the Web Service Description Language (WSDL).
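To make the Envelope/Header/Body layout concrete, here is an added example (not code from the original post): a small Python validator that parses a constructed SOAP 1.1 request, checks the mandatory structure, and pulls out the operation and its parameters the way a service endpoint must before dispatching. The operation GetStockPrice and the namespace http://example.com/stock are made up for the sample.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 Envelope namespace; the Envelope/Header/Body elements live here.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample request (not from the post): a client invoking a
# hypothetical GetStockPrice operation in the made-up namespace http://example.com/stock.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <m:TraceId xmlns:m="http://example.com/stock">abc-123</m:TraceId>
  </soap:Header>
  <soap:Body>
    <m:GetStockPrice xmlns:m="http://example.com/stock">
      <m:StockName>IBM</m:StockName>
      <m:Currency>USD</m:Currency>
    </m:GetStockPrice>
  </soap:Body>
</soap:Envelope>
"""

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def parse_soap_request(xml_text):
    """Check the Envelope/Header/Body layout and return the operation call.

    Returns {"headers": {...}, "operation": name, "params": {...}};
    raises ValueError for anything that is not a SOAP 1.1 request.
    """
    # The XML comes from an untrusted client: refuse a DOCTYPE outright, since
    # that is where entity declarations (entity expansion, XXE) would be placed.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("root element is not a SOAP 1.1 Envelope")
    header = root.find(f"{{{SOAP_ENV}}}Header")   # optional
    body = root.find(f"{{{SOAP_ENV}}}Body")       # required
    if body is None:
        raise ValueError("Envelope has no Body")
    ops = list(body)
    if len(ops) != 1:
        raise ValueError("Body must carry exactly one operation element")
    op = ops[0]
    headers = {} if header is None else {local_name(h.tag): (h.text or "").strip() for h in header}
    params = {local_name(p.tag): (p.text or "").strip() for p in op}
    return {"headers": headers, "operation": local_name(op.tag), "params": params}
```

The same validation is what a tester checks for on the server side: an endpoint that accepts a DOCTYPE, a missing Body or several operations in one Body is already deviating from the structure WSDL describes.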
UDDI holds a list of the service providers that have registered a particular web service, so consumers or clients can look up all providers of any web service in UDDI.
The WSDL file describes how to access the web service. Each web service is described in WSDL, which contains all the crucial information about the web service to be tested. It is extensible, allowing endpoints and their messages to be described regardless of the message formats or network protocols used to communicate.
Now, Let’s take a look at a SOAP-based Web Service Anatomy:
How does a Web Service Work
Web services depend on
Web services contain various components that maintain the standard of communication. When a service consumer wants to use a web service, it requests the service from the service provider. XML data in SOAP format is used to communicate with the provider and request the web service as specified in the WSDL file. The WSDL file is given by the service provider to service consumers and defines how to access the web service. If the service consumer does not know of any web service provider, it looks in UDDI, which maintains the list of service providers for the particular web service.
SOAP Web Service Structure:
Penetration Testing on Web Services:
To begin penetration testing WebServices, we always require the following as preliminary:
Tools for performing web services penetration testing:
That’s all for now, in the next part of this series, we will learn about the test cases, methods, and tools used for Penetration Testing Web Services.
1 Comment
1. Please explain how to test web services with WS-Security enabled.
2. How to test web services using WebInspect