WEB SERVICES TESTING
1. WS Information Gathering
The first step to perform a Web Service Test is to determine the WS entry points and the communication schema: this is
described in the WSDL associated with the WS.
2. Testing WSDL
Check the WSDL of the web service to find the entry points and try to invoke an operation that is not used in a standard SOAP Request. Ensure that the WS doesn’t give some confidential information
3. XML Structural Testing
This section discusses the types of attack vectors one could send to a web service in an attempt to assess its reaction to malformed or maliciously-crafted messages. For example, elements which contain large numbers of attributes can cause problems with parsers. This category of attack also includes XML documents which are not well-formed XML (e.g., with overlapping elements, or with open tags that have no matching close tags). DOM-based parsing can be vulnerable to DoS due to the fact that the complete message is loaded into memory (as opposed to SAX parsing). For example, oversized attachments can cause an issue with DOM architectures.
4. XML Content-level Testing
Content-level attacks target the server hosting a web service and any applications that are utilized by the service, including web servers, databases, application servers, operating systems, etc. Content-level attack vectors include
1) SQL Injection or XPath injection
2) Buffer Overflow and
3) Command Injection.
5. HTTP GET parameters/REST Testing
Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as
“REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing
malicious content on the HTTP GET string (e.g. extra long parameters (2048 chars), SQL statements/injection (or OS
Injection parameters).
6. Naughty SOAP attachments
This section describes attack vectors for Web Services that accept attachments. The danger exists in the processing of the attachment on the server and redistribution of the file to clients.
7. Replay Testing
This section describes testing replay vulnerabilities of a web service. The threat for a replay attack is that the attacker can assume the identity of a valid user and commit some nefarious act without detection
The first step to perform a Web Service Test is to determine the WS entry points and the communication schema: this is
described in the WSDL associated with the WS.
2. Testing WSDL
Check the WSDL of the web service to find the entry points and try to invoke an operation that is not used in a standard SOAP Request. Ensure that the WS doesn’t give some confidential information
3. XML Structural Testing
This section discusses the types of attack vectors one could send to a web service in an attempt to assess its reaction to malformed or maliciously-crafted messages. For example, elements which contain large numbers of attributes can cause problems with parsers. This category of attack also includes XML documents which are not well-formed XML (e.g., with overlapping elements, or with open tags that have no matching close tags). DOM-based parsing can be vulnerable to DoS due to the fact that the complete message is loaded into memory (as opposed to SAX parsing). For example, oversized attachments can cause an issue with DOM architectures.
4. XML Content-level Testing
Content-level attacks target the server hosting a web service and any applications that are utilized by the service, including web servers, databases, application servers, operating systems, etc. Content-level attack vectors include
1) SQL Injection or XPath injection
2) Buffer Overflow and
3) Command Injection.
5. HTTP GET parameters/REST Testing
Many XML applications are invoked by passing them parameters using HTTP GET queries. These are sometimes known as
“REST-style" Web Services (REST = Representational State Transfer). These Web Services can be attacked by passing
malicious content on the HTTP GET string (e.g. extra long parameters (2048 chars), SQL statements/injection (or OS
Injection parameters).
6. Naughty SOAP attachments
This section describes attack vectors for Web Services that accept attachments. The danger exists in the processing of the attachment on the server and redistribution of the file to clients.
7. Replay Testing
This section describes testing replay vulnerabilities of a web service. The threat for a replay attack is that the attacker can assume the identity of a valid user and commit some nefarious act without detection
Comments
Post a Comment