Web Services and API Penetration Testing Part #2
Tabnabbing – An art of phishing
January 9, 2018
Time to Disable TP-Link Home WiFi Router (CVE-2018-11714)
June 4, 2018
Welcome readers to Part 2 of Web Services Penetration Testing.
In this part, we will take a quick look into the various test cases, tools, and methods for security testing of Web Services.
Penetration Testing on Web Services:
Testing web services are an important aspect because an attacker potentially is able to attack vulnerabilities within the web service to bypass controls within the application. During penetration testing, it often found that these services are configured outside the protections within the web applications. For web services, it is necessary to ensure that any data being transmitted between a user and web services is protected from being intercepted by malicious attackers. There are various vulnerabilities can be found due to lack of security implemented on web services such as:
- SQL/OS command injection
- Authorizations issues
- WSDL Enumeration
- Broken Access Control
- Xpath Injection
- Session Tampering
- Bruteforce
- Directory Traversal
- Content Spoofing
- Information Disclosure
Black box Web Services Penetration Testing pre-requisite:
A Web Service Description Language (WSDL) file would be required to perform black-box Webservice API penetration testing
Grey box Web Services Penetration Testing pre-requisite:
In case of grey box webservice API penetration testing a Sample requests and responses for methods along with the WSDL file is required to perform the webservice API penetration testing.
Stages of Penetration Testing of Web Service:
- Information Gathering
- Black Box
- Google hacking (using dorks to discover web services for websites hosted over a network)
- UDDI
- Web Service Discovery (If no WSDL provided)
- Authentication Type Discovery
Web Service Penetration Testing Tools: Tools play an important role in performing penetration testing on web services. We have two types of testing tools Automated and manual to perform API security penetration testing.
Automated Testing Tools
- SoapUI Pro
- OWASP ZAP
- IBM AppScan
- HP Webinspect
- WSBang
- WSMap
- WSDigger
Manual Testing Tools
- Soap UI Free
- Burp Suite Pro
- Postman ( with burp)
Extensions:
- SAML Editor
- SAML Encoder / Decoder
- WSDL Wizard
- Wsdler
- SOA Client
Test cases to find in web services:
- Fuzzing
- XSS /SQLi/ Malformed XML
- File Upload
- Xpath Injection
- XML Bomb (DoS)
- Authentication based attacks
- Replay attacks
- Session fixation
- XML Signature wrapping
- Session timeout
- Host Cipher Support/ Valid Certificate/ Protocol Support
- Hashing Algorithm Support
Let’s now take a look at how to perform an automated scan using SOAP UI and get a preliminary first-hand security report of the web services.
Using SOAP UI Pro for security assessments:
1. Fire up SOAP UI and create a functional test case
2. Add security test
3. Select the “Auto” mode to generate default Security Scans and Assertions for the TestSteps in your TestCase and press “Next”:
4. Press OK to create the Security Test with the described configuration and open the Security Test window:
5. Now run the security test
6. Post the security scan, you can dig deeper into the output or generate reports also for your assessment.
Practice VMS for vulnerable web services:
- OWASP Mutillidae
- PenTester Lab: Axis2 Web Service and Tomcat Manager
- DVWS
- OWASP WebGoat
Part 3 of this series will focus on using a burp suite+ postman along with SOAP UI for manual testing of web services.
Stay hooked.
References and sources
https://www.owasp.org/index.php/REST_Assessment_Cheat_Sheet
https://www.soapui.org/security-testing/getting-started.html
1 Comment
Hello, Securelayer7 Team,
Thank you for detailed information, waiting for Part 3 of this series will focus on using burp suite+ postman along with SOAP UI for manual testing of web services.