Web Services/ API Penetration Testing Part - 2

-

Web Services and API Penetration Testing Part #2

Welcome readers to Part 2 of Web Services Penetration Testing.
In this part, we will take a quick look into the various test cases, tools and method for security testing of Web Services.
Black box Web Services Penetration Testing pre-requisite:
è Web Service Description Language (WSDL) file
Grey box Web Services Penetration Testing pre-requisite:
è Sample requests/responses for methods along with WSDL file.
Stages of Penetration Testing of Web Service:
1.       Information Gathering
2.       Black Box
3.       Google hacking (using dorks to discover web services for websites hosted over network)
4.       UDDI
5.       Web Service Discovery (If no WSDL provided)
6.       Authentication Type Discovery
Testing Methodology:
è Automated Testing Tools
·         SoapUI Pro
·         OWASP ZAP
·         IBM AppScan
·         HP Webinspect
·         WSBang
·         WSMap

è Manual Testing Tools
·         Soap UI Free
·         Burp Suite Pro
·         Postman ( with burp)
è Extensions:
·         SAML Editor
·         SAML Encoder / Decoder
·         WSDL Wizard
·         Wsdler
·         SOA Client
Test cases to find in web services:
·         Fuzzing
·         XSS /SQLi/ Malformed XML
·         File Upload
·         Xpath Injection
·         XML Bomb (DoS)
·         Authentication based attacks
·         Replay attacks
·         Session fixation
·         XML Signature wrapping
·         Session timeout
·         Host Cipher Support/ Valid Certificate/ Protocol Support
·         Hashing Algorithm Support
Let’s now take a look on how to perform a automated scan using SOAP UI and get a preliminary first hand security report of the web services.
Using SOAP UI Pro for security assessments:
1.       Fire up SOAP UI and create a functional testcase


2.       Add security test

3.       Select the “Auto” mode to generate default Security Scans and Assertions for the TestSteps in your TestCase and press "Next":

4.       Press OK to create the Security Test with the described configuration and open the Security Test window:


5.       Now run the security test


6.       Post the security scan, you can dig deeper into the output or generate reports also for your assessment.

Practice VMS for vulnerable web services:
Virtual Machines
                     OWASP Mutillidae
                     PenTester Lab: Axis2 Web Service and Tomcat Manager
                     DVWS
                     OWASP WebGoat

Part 3 of this series will focus on using burp suite+ postman along with SOAP UI for manual testing of web services. Stay hooked.
References and sources
 https://www.owasp.org/index.php/REST_Assessment_Cheat_Sheet
https://www.soapui.org/security-testing/getting-started.html   
               

Comments

  1. Harish5 July 2018 at 15:35

    Nice Blog.

    Manual Testing Training in Chennai | Manual Testing Courses in Chennai

    ReplyDelete
  2. saishree30 October 2019 at 11:28

    great blog. thanks for sharing.
    test cases for railway reservation system
    integer a=456 b c d=10
    hack wifi password ubuntu
    false position method c++
    python telephonic interview questions
    uncaught (in promise) syntaxerror: unexpected end of json input
    how to hack a android phone connected on a same wifi router
    zycus interview questions for business development
    general chemistry interview questions
    rollover image html

    ReplyDelete
  3. saishree30 October 2019 at 11:32

    great blog.
    test cases for railway reservation system
    integer a=456 b c d=10
    hack wifi password ubuntu
    false position method c++
    python telephonic interview questions
    uncaught (in promise) syntaxerror: unexpected end of json input
    how to hack a android phone connected on a same wifi router
    zycus interview questions for business development
    general chemistry interview questions
    rollover image html

    ReplyDelete
  4. Anand Shankar12 March 2020 at 12:50

    Awesome article, it was exceptionally helpful! I simply began in this and I'm becoming more acquainted with it better. The post is written in very a good manner and it contains many useful information for me. Thank you very much and will look for more postings from you.

    digital marketing blog
    skartec's digital marketing blog
    skartec digital marketing academy
    skartec digital marketing
    best seo service in chennai
    best seo services in chennai

    ReplyDelete
  5. Securium Solutions Online Cybersecurity Training18 January 2021 at 16:06

    Web application penetration testing services are performed on such applications that allow checking the vulnerabilities present in the market and fix these errors before an attacker finds a way to harm the system and configured data in it.

    ReplyDelete

Post a Comment

Popular posts from this blog

Arbitrary file upload and RCE in Wonder CMS - CVE-2017-14521

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of file upload security mechanism and allowed the user to upload any file type! After reporting it to them, I did not receive any security relevant response, hence decided to publish a blog on this. Title of the Vulnerability:   Arbitrary File Upload Vulnerability Class: Security Misconfiguration Technical Details & Description: The application source code is coded in a way which allows arbitrary file extensions to be uploaded. This leads to uploading of remote shells/ malicious Trojans which can lead to complete system compromise and server takeover. CVE ID allocated :  CVE-2017-14521 Product & Service Introduction: Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Ma
Read more

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529

-
Image
By- Navina Asrani Hi Readers, Recently while tinkering with my wifi router, I was curious to find if it has possible loopholes and vulnerabilities. Curious to explore its functionalities, I started probing with the options. Title of the Vulnerability:   Cross Site Request Forgery Vulnerability Class: Code Execution/ Privilege Escalation Technical Details & Description: The firmware allows malicious request to be executed without verifying source of request. This leads to arbitrary execution with malicious request which will lead to the creation of a privileged user. CVE ID allocated: -  CVE-2018-12529 Product & Service Introduction: Intex Router Steps to Re-Produce – 1.        Visit the application 2.         Go to any router setting modification page and change the values, create a request and observe the lack of CSRF tokens. 3.        Craft an html page with all the details for the built-in admin user creation and host it on a server
Read more

Stored XSS in Wonder CMS- CVE-2017-14522

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of security mechanism to filter any user input and accepted and stored in blindly without any sort of input validation Title of the Vulnerability:   Stored XSS Common Vulnerability Scoring System:  7.0 Vulnerability Class:  Injection Technical Details & Description:  The application source code is coded in a way which allows user input values to be stored and processed by the application. CVE ID allocated :  CVE-2017-14522 Product & Service Introduction:  Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Management System) built with PHP, jQuery, HTML and CSS (Bootstrap responsive). WonderCMS doesn't require any configuration and can be simply unzipped a
Read more