Web Services/ API Penetration Testing Part - 1


Hi Readers, today we will learn about another interesting part of penetration testing: the security assessment of web services.

To start with, let’s take a look at what web services are made of:

A web service is software built around a standardized XML messaging system.

The benefit of web services is that, since all of their communication is in XML, they are not restricted to any operating system or programming language.

Web services are built on top of open standards such as TCP/IP, HTTP, Java, HTML, and XML.

Anatomy of Web Services

In simple language, any basic web services platform is a combination of XML and HTTP.
Such a platform can consist of:
  • SOAP (Simple Object Access Protocol)
  • UDDI (Universal Description, Discovery and Integration)
  • WSDL (Web Services Description Language)


How does a Web Service Work

A web service depends on:
  • XML to tag the data (as markup and syntax)
  • SOAP to transfer a message
  • WSDL to describe the availability of the service



Penetration Testing on Web Services:

To begin penetration testing web services, we always need the following as preliminaries:
1) Sample API file (WSDL/SOAP etc.)
2) Sample request/response (to understand the values and data being passed)
3) Entry points/URLs
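The following Python example, added here and not part of the original post, turns preliminaries 1 and 3 into a scope inventory: it reads a WSDL 1.1 file and lists each endpoint URL with its operations and SOAPAction, flagging endpoints declared over cleartext HTTP. The WSDL document and the example.test names in it are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

# Constructed sample WSDL 1.1 document (not from any real service).
SAMPLE_WSDL = b"""<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://example.test/orders">
  <binding name="OrderBinding" type="tns:OrderPort">
    <operation name="GetOrder">
      <soap:operation soapAction="http://example.test/orders/GetOrder"/>
    </operation>
    <operation name="CancelOrder">
      <soap:operation soapAction="http://example.test/orders/CancelOrder"/>
    </operation>
  </binding>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="http://example.test/ws/orders"/>
    </port>
  </service>
</definitions>"""


def inventory(wsdl_bytes):
    """Return one record per (endpoint, operation) declared in a WSDL 1.1 file."""
    if b"<!DOCTYPE" in wsdl_bytes:  # a WSDL needs no DTD; reject entity declarations up front
        raise ValueError("DOCTYPE not allowed in WSDL input")
    root = ET.fromstring(wsdl_bytes)
    bindings = {}  # binding name -> [(operation name, soapAction)]
    for b in root.findall("wsdl:binding", NS):
        ops = []
        for op in b.findall("wsdl:operation", NS):
            soap_op = op.find("soap:operation", NS)
            action = soap_op.get("soapAction", "") if soap_op is not None else ""
            ops.append((op.get("name"), action))
        bindings[b.get("name")] = ops
    rows = []
    for port in root.findall("wsdl:service/wsdl:port", NS):
        addr = port.find("soap:address", NS)
        url = addr.get("location") if addr is not None else None
        binding = port.get("binding", "").split(":")[-1]  # drop the QName prefix
        for name, action in bindings.get(binding, []):
            rows.append({"url": url, "operation": name, "soapAction": action,
                         "cleartext": bool(url) and url.startswith("http://")})
    return rows
```

Each returned row is one entry point to cover in the assessment; compare the list against the sample requests and responses you were given to spot operations nobody documented.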

Tools for performing web services penetration testing:
  • Fiddler
  • Burp Suite
  • Acunetix/IBM Security AppScan
  • ZAP Proxy
  • Curl
  • SOAP UI

Comments

  1. I feel satisfied to read your blog, you have been delivering a useful & unique information to our vision even you have explained the concept as deep clean without having any uncertainty, keep blogging.

  2. Very useful post and I think it is rather easy to see from the other comments as well that this post is well written and useful. I bookmarked this blog a while ago because of the useful content and I am never being disappointed. Keep up the good work.
    software testing outsourcing services
    QA Outsourcing Services
    Performance testing Services
    Automation testing services

  3. Very efficiently written information. It will be beneficial to anybody who utilizes it, including me. Keep up the good work. For sure I will check out more posts. This site seems to get a good amount of visitors. Pentesting Services
