I understand vulnerabilities might still exist in the form of XML. However, this is where the need for various application security strategies arises. As a developer, anyone might focus on functional aspects and of course can enhance the code if required and fix security issues. But at a certain point, a developer or management would also realise it is too much programming for security rather than for the actual functioning of the software. And end-users might simply not wish to do it this way, but look for some workarounds. The point I am coming to now is......

*** In my opinion, a security engineer need not always recommend proper remediations in the code itself; rather, if he sees there are multiple sets of vulnerabilities which need to be addressed with respect to this kind of category, where the attack vector is still unknown, then find out the best way of mitigating these risks rather than spending time and effort on remediation. The whole idea behind this is to create a *culture for security engineers and their processes.*

This subject or area of discussion has a lot more to explore, as XML-based services or functions are not yet secured, or in other words, the security strategies by developers or experts are not sufficient, as the attack vector is increasing and is yet unknown for the latest happenings...

The possible solution in such scenarios is to have an XML gateway along with a web application layer firewall. An XML gateway protects from malicious traffic and controls access to your services. It is built from the ground up to provide a security layer to Web Services.

Additionally, I would like to share one more free tool, apart from the SOAPUI shared by Sandeep: SOAPbox, which helped me a lot.
http://www.vordel.com/products/soapbox/

I hadn't had such a thought yet about generating a WSDL if we don't have one. It's now a new direction for me in the testing process, which I shall implement and see / measure the results. Thanks for this idea.

Regards
Amardeep T

On Thu, Jul 8, 2010 at 11:16 AM, Ravi Gopal <[email protected]> wrote:
> Hi,
>
> Thanks Sandeep for the information. Dear group, please share if you people come
> across some good practical stuff on this Web Services security. Nowadays
> even the developers and the top-level management are aware of the security
> concerns and they do hide the WSDL file, thinking it is a secure approach.
> But in the backend, the vulnerabilities still exist in the form of XML etc.
>
> The following 2 links are helpful theoretically to an extent:
>
> http://media.techtarget.com/searchSoftwareQuality/downloads/Ajax_Security_CH_6.pdf
> http://www.cgisecurity.com/ws/WestbridgeGuideToWebServicesSecurity.pdf
>
> Regards,
> Ravi Gopal
>
> On Wed, Jul 7, 2010 at 9:03 AM, Sandeep Thakur <[email protected]> wrote:
>> You may try SOAPUI as it has the ability to create mock objects. It allows
>> you to test a Web service without actually connecting to it. The feature is
>> available by right-clicking a method.
>>
>> An example of tool usage.... may not be on this specific scenario but will
>> give you an idea about using SOAPUI to have your test framework for Web
>> Services Security. WSDL Example using SOAPUI:
>>
>> http://one-size-doesnt-fit-all.blogspot.com/2009/08/soapui-for-web-service-testing.html
>>
>> The above solution (creating mock objects) may or may not be appropriate
>> most of the time, depending on the complexity of your test cases. However,
>> one thing we must be aware of is that we can test any web service by having a
>> proper WSDL URL and / or at least an XSD document. If you only have an XSD
>> document, then probably you can generate one WSDL dynamically for your ready
>> reference and testing purposes. You can refer to the link below for a WSDL generator.
>>
>> http://www.theprogrammerfactory.com/
>>
>> Once you have a sample WSDL generated by using these kinds of tools,
>> you can test any web service the regular way.. maybe again using SOAPUI. Or
>> you may suggest to us the best Web Service Security Testing Tool... :-)
>>
>> You can also refer to the Universal Testing Method of WebService:
>>
>> http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1273738,00.html
>>
>> Hope this information helps you. Thanks!
>>
>> Regards
>> Sandeep Thakur
>>
>> On Tue, Jul 6, 2010 at 10:45 AM, Ravi Gopal <[email protected]> wrote:
>>> Hi Folks,
>>>
>>> The Web Services pen-testing has to be carried out for an application
>>> where the WSDL is not accessible publicly, i.e., WSDL scanning is ruled
>>> out.
>>> I have gone through different forums/docs etc. but did not get proper
>>> information on how to do it for the scenario mentioned above (without a WSDL
>>> file).
>>>
>>> So your valuable inputs are required for other ways of doing Web Services
>>> security assessment. A practical example-based discussion would be more
>>> useful.
>>>
>>> Regards,
>>> Ravi Gopal

--
You received this message because you are subscribed to the Google Groups "nforceit" group.
To post to this group, send an email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/nforceit?hl=en-GB.
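Sandeep's suggestion in the thread above, generating a WSDL from an XSD when the service hides its own WSDL, worked through as an added example. This code is not from the thread, from SOAPUI, or from any of the generator sites linked; it assumes a constructed schema (namespace urn:example:orders, operations GetOrder and CancelOrder, paired with XResponse elements in the document/literal wrapped convention) and a hypothetical endpoint URL. It emits a WSDL 1.1 document that SOAPUI can import, and the skeleton request for one operation with the same "?" placeholders SOAPUI generates, so testing can proceed the regular way once the real XSD and endpoint are substituted.

```python
# Added example (not from the thread or the linked tools): wrap an XSD in a
# minimal document/literal WSDL 1.1 so a service that hides its WSDL can still
# be loaded into SOAPUI, and emit the skeleton request for one operation.
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
WSDL = "http://schemas.xmlsoap.org/wsdl/"
SOAP = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed schema for a hypothetical order service; not any real product's XSD.
SAMPLE_XSD = """<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="urn:example:orders" elementFormDefault="qualified">
  <xs:element name="GetOrder"><xs:complexType><xs:sequence>
    <xs:element name="orderId" type="xs:string"/>
  </xs:sequence></xs:complexType></xs:element>
  <xs:element name="GetOrderResponse"><xs:complexType><xs:sequence>
    <xs:element name="status" type="xs:string"/>
    <xs:element name="total" type="xs:decimal"/>
  </xs:sequence></xs:complexType></xs:element>
  <xs:element name="CancelOrder"><xs:complexType><xs:sequence>
    <xs:element name="orderId" type="xs:string"/>
    <xs:element name="reason" type="xs:string" minOccurs="0"/>
  </xs:sequence></xs:complexType></xs:element>
  <xs:element name="CancelOrderResponse"><xs:complexType><xs:sequence>
    <xs:element name="ok" type="xs:boolean"/>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>
"""


def find_operations(xsd_text):
    """Pair each top-level element X with XResponse (document/literal wrapped
    convention). Returns [(request_element, response_element_or_None), ...]."""
    schema = ET.fromstring(xsd_text)
    names = [e.get("name") for e in schema.findall(f"{{{XS}}}element")]
    responses = {n for n in names if n.endswith("Response")}
    return [(n, n + "Response" if n + "Response" in responses else None)
            for n in names if n not in responses]


def build_wsdl(xsd_text, service_name, endpoint_url):
    """Wrap the schema in a WSDL 1.1 document: types, messages, portType,
    SOAP 1.1 document/literal binding and a service pointing at endpoint_url."""
    tns = ET.fromstring(xsd_text).get("targetNamespace")
    ops = find_operations(xsd_text)
    # The XML declaration may not appear inside <wsdl:types>, so drop it.
    body = xsd_text.split("?>", 1)[1] if xsd_text.lstrip().startswith("<?xml") else xsd_text
    out = ['<?xml version="1.0" encoding="UTF-8"?>',
           f'<wsdl:definitions name="{service_name}" targetNamespace="{tns}" xmlns:tns="{tns}"',
           f'                  xmlns:wsdl="{WSDL}" xmlns:soap="{SOAP}">',
           "<wsdl:types>", body.strip(), "</wsdl:types>"]
    for req, resp in ops:
        out.append(f'<wsdl:message name="{req}Input"><wsdl:part name="parameters" element="tns:{req}"/></wsdl:message>')
        if resp:
            out.append(f'<wsdl:message name="{req}Output"><wsdl:part name="parameters" element="tns:{resp}"/></wsdl:message>')
    out.append(f'<wsdl:portType name="{service_name}PortType">')
    for req, resp in ops:
        out.append(f'  <wsdl:operation name="{req}"><wsdl:input message="tns:{req}Input"/>'
                   + (f'<wsdl:output message="tns:{req}Output"/>' if resp else "") + "</wsdl:operation>")
    out.append("</wsdl:portType>")
    out.append(f'<wsdl:binding name="{service_name}Binding" type="tns:{service_name}PortType">')
    out.append('  <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>')
    for req, resp in ops:
        out.append(f'  <wsdl:operation name="{req}"><soap:operation soapAction="{tns}/{req}"/>'
                   '<wsdl:input><soap:body use="literal"/></wsdl:input>'
                   + ('<wsdl:output><soap:body use="literal"/></wsdl:output>' if resp else "")
                   + "</wsdl:operation>")
    out.append("</wsdl:binding>")
    out.append(f'<wsdl:service name="{service_name}"><wsdl:port name="{service_name}Port" '
               f'binding="tns:{service_name}Binding"><soap:address location="{endpoint_url}"/>'
               "</wsdl:port></wsdl:service>")
    out.append("</wsdl:definitions>")
    return "\n".join(out)


def build_request(xsd_text, operation):
    """Skeleton SOAP 1.1 envelope for one operation, with '?' placeholders for
    every child element, the same shape SOAPUI generates from a WSDL."""
    schema = ET.fromstring(xsd_text)
    tns = schema.get("targetNamespace")
    wrapper = next(e for e in schema.findall(f"{{{XS}}}element") if e.get("name") == operation)
    fields = "".join(f"<tns:{c.get('name')}>?</tns:{c.get('name')}>"
                     for c in wrapper.findall(f".//{{{XS}}}element"))
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAPENV}" xmlns:tns="{tns}">'
            f"<soapenv:Header/><soapenv:Body><tns:{operation}>{fields}</tns:{operation}>"
            "</soapenv:Body></soapenv:Envelope>")


def summarize_wsdl(wsdl_text):
    """Parse a WSDL back (proving it is well-formed) and list operations and endpoint."""
    root = ET.fromstring(wsdl_text)
    ops = [o.get("name") for o in root.findall(f"{{{WSDL}}}portType/{{{WSDL}}}operation")]
    addr = root.find(f"{{{WSDL}}}service/{{{WSDL}}}port/{{{SOAP}}}address")
    return {"operations": ops, "endpoint": addr.get("location")}


if __name__ == "__main__":
    # Hypothetical endpoint; save the printed WSDL to a file and import it into SOAPUI.
    print(build_wsdl(SAMPLE_XSD, "OrderService", "https://orders.example.test/soap"))
    print(build_request(SAMPLE_XSD, "CancelOrder"))
```

The generator keys on the request/response naming convention of the schema, so a service whose XSD does not follow it (or whose operations are not one-wrapper-element-per-call) needs the pairing in find_operations adjusted by hand; the binding style, soapAction and endpoint are the tester's guesses until confirmed against the real service, and summarize_wsdl is there to re-parse the output before it is handed to a tool.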
