Hi,

Thanks, Sandeep, for the information. Dear group, please share if you people come across some good practical stuff on this Web Services security. Nowadays even the developers and the top-level management are aware of the security concerns, and they do hide the WSDL file thinking it is a secure approach. But in the backend, the vulnerabilities still exist in the form of XML etc.
The following 2 links are helpful theoretically to an extent:

http://media.techtarget.com/searchSoftwareQuality/downloads/Ajax_Security_CH_6.pdf
http://www.cgisecurity.com/ws/WestbridgeGuideToWebServicesSecurity.pdf

Regards,
Ravi Gopal

On Wed, Jul 7, 2010 at 9:03 AM, Sandeep Thakur <[email protected]> wrote:

> You may try SOAPUI as it has the ability to create mock objects. It allows
> you to test a Web service without actually connecting to it. The feature is
> available by right-clicking a method.
>
> An example on tool usage... may not be on this specific scenario but will
> give you an idea about using SOAPUI to have your test framework for Web
> Services Security. WSDL Example using SOAPUI:
>
> http://one-size-doesnt-fit-all.blogspot.com/2009/08/soapui-for-web-service-testing.html
>
> The above solution (creating mock objects) may or may not be appropriate
> most of the time depending on the complexity of your test cases. However,
> one thing we must be aware of is that we can test any web service by having a
> proper WSDL URL and/or at least an XSD document. If you only have an XSD
> document, then probably you can generate one WSDL dynamically for your ready
> reference and testing purpose. You can refer to the link below for a WSDL generator.
>
> http://www.theprogrammerfactory.com/
>
> Once you have a sample WSDL generated by using the above kinds of tools you
> can test any web service the regular way... maybe again using SOAPUI. Or you
> may suggest to us the best Web Service Security Testing Tool... :-)
>
> You can also refer to the Universal Testing Method of WebService:
>
> http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1273738,00.html
>
> Hope this information helps you. Thanks!
>
> Regards
> Sandeep Thakur
>
> On Tue, Jul 6, 2010 at 10:45 AM, Ravi Gopal <[email protected]> wrote:
>
>> Hi Folks,
>>
>> The Web Services pen-testing has to be carried out for an application
>> where the WSDL is not accessible publicly, i.e., WSDL scanning is ruled
>> out.
>> I have gone through different forums/docs etc. but did not get proper
>> information on how to do it for the scenario mentioned above (without the WSDL
>> file).
>>
>> So your valuable inputs are required for other ways of doing Web Services
>> security assessment. A practical, example-based discussion would be more
>> useful.
>>
>> Regards,
>> Ravi Gopal
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "nforceit" group.
>> To post to this group, send an email to [email protected].
>> To unsubscribe from this group, send email to [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/nforceit?hl=en-GB.
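Sandeep's point that an XSD alone is enough to start testing, because a WSDL can be generated from it, as an added worked example in Python. This is not code from the thread or from any of the tools linked above. It assumes one naming convention: the schema's top-level elements come in `<Op>Request`/`<Op>Response` pairs, one pair per SOAP operation. The sample schema, the service name `Account` and the endpoint URL are constructed for the example. The generator wraps the schema inline in a WSDL 1.1 document/literal SOAP 1.1 binding, which is the shape a tool such as SOAPUI needs to load the service, build sample requests, or create a mock.

```python
"""Generate a minimal WSDL 1.1 document from an XSD.

Added example, not code from the nforceit thread. Assumption: the schema's
top-level elements are named <Op>Request / <Op>Response, one pair per SOAP
operation. The sample schema below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP_HTTP = "http://schemas.xmlsoap.org/soap/http"

# Constructed sample XSD: one request/response pair for a GetBalance operation.
SAMPLE_XSD = """<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="http://example.test/account"
           elementFormDefault="qualified">
  <xs:element name="GetBalanceRequest">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="accountId" type="xs:string"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="GetBalanceResponse">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="balance" type="xs:decimal"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
"""


def find_operations(schema_root):
    """Pair top-level <Op>Request / <Op>Response elements into (op, req, resp)."""
    names = {el.get("name") for el in schema_root.findall("{" + XSD_NS + "}element")}
    ops = []
    for name in sorted(names):
        m = re.fullmatch(r"(\w+)Request", name)
        if m and m.group(1) + "Response" in names:
            ops.append((m.group(1), name, m.group(1) + "Response"))
    return ops


def generate_wsdl(xsd_text, service_name, endpoint_url):
    """Wrap the schema in a WSDL 1.1 document/literal SOAP 1.1 binding."""
    schema = ET.fromstring(xsd_text)
    tns = schema.get("targetNamespace")
    if not tns:
        raise ValueError("schema needs a targetNamespace for tns: references")
    ops = find_operations(schema)
    if not ops:
        raise ValueError("no <Op>Request/<Op>Response element pairs in schema")
    for prefix, uri in (("wsdl", WSDL_NS), ("soap", SOAP_NS), ("xs", XSD_NS)):
        ET.register_namespace(prefix, uri)
    W, S = "{" + WSDL_NS + "}", "{" + SOAP_NS + "}"
    # xmlns:tns is written as a literal attribute so the tns:... QNames resolve.
    defs = ET.Element(W + "definitions", {"targetNamespace": tns, "xmlns:tns": tns})
    ET.SubElement(defs, W + "types").append(schema)  # schema embedded inline
    for op, req, resp in ops:
        for suffix, elem in (("Input", req), ("Output", resp)):
            msg = ET.SubElement(defs, W + "message", name=op + suffix)
            ET.SubElement(msg, W + "part", name="parameters", element="tns:" + elem)
    port_type = ET.SubElement(defs, W + "portType", name=service_name + "PortType")
    binding = ET.SubElement(defs, W + "binding", name=service_name + "Binding",
                            type="tns:" + service_name + "PortType")
    ET.SubElement(binding, S + "binding", style="document", transport=SOAP_HTTP)
    for op, _, _ in ops:
        pt_op = ET.SubElement(port_type, W + "operation", name=op)
        ET.SubElement(pt_op, W + "input", message="tns:" + op + "Input")
        ET.SubElement(pt_op, W + "output", message="tns:" + op + "Output")
        b_op = ET.SubElement(binding, W + "operation", name=op)
        ET.SubElement(b_op, S + "operation", soapAction=tns.rstrip("/") + "/" + op)
        for direction in ("input", "output"):
            ET.SubElement(ET.SubElement(b_op, W + direction), S + "body", use="literal")
    service = ET.SubElement(defs, W + "service", name=service_name)
    port = ET.SubElement(service, W + "port", name=service_name + "Port",
                         binding="tns:" + service_name + "Binding")
    ET.SubElement(port, S + "address", location=endpoint_url)
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(defs)
    return ET.tostring(defs, encoding="unicode")


def summarize_wsdl(wsdl_text):
    """Parse a WSDL back into the facts a tester checks before loading it."""
    root = ET.fromstring(wsdl_text)
    W, S = "{" + WSDL_NS + "}", "{" + SOAP_NS + "}"
    return {
        "operations": [o.get("name") for o in root.findall(W + "portType/" + W + "operation")],
        "parts": [p.get("element") for p in root.findall(W + "message/" + W + "part")],
        "endpoint": root.find(W + "service/" + W + "port/" + S + "address").get("location"),
    }


if __name__ == "__main__":
    print(generate_wsdl(SAMPLE_XSD, "Account", "http://localhost:8080/account"))
```

Running the script prints a WSDL that can be saved and loaded into SOAPUI like any published one; `summarize_wsdl` parses the result back so the operations, message parts and endpoint can be checked before anything is sent. The `location` is simply the endpoint passed in, so it is set to the in-scope host of the assessment. The schema, not the WSDL, decides what the backend actually parses, which is the reason a hidden WSDL changes nothing about the XML handling behind it.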
