Posts

Showing posts with the label API penetration testing

Web Services/ API Penetration Testing Part - 2

Web Services and API Penetration Testing Part #2

Welcome readers to Part 2 of Web Services Penetration Testing. In this part, we take a quick look at the various test cases, tools and methods for security testing of Web Services.

Black box Web Services Penetration Testing pre-requisite:
- Web Service Description Language (WSDL) file

Grey box Web Services Penetration Testing pre-requisite:
- Sample requests/responses for the methods, along with the WSDL file

Stages of Penetration Testing of a Web Service:
1. Information Gathering
2. Black Box
3. Google hacking (using dorks to discover web services for websites hosted over the network)
4. UDDI
5. Web Service Discovery (if no WSDL is provided)
6. Authentication Type Discovery

Testing Methodology:
- Automated Testing Tools
  - SoapUI Pro
  - OWASP ZAP
  - IBM AppScan
  - HP WebInspect
  - WSBang
  - WSMap
- Manual

Web Services/ API Penetration Testing Part - 1

Hi Readers, today we will learn about another interesting part of Penetration Testing: security assessments of web services. To start with, let's take a look at what web services are made of.

A web service is software composed of a standardized XML messaging system. The benefit of web services is that, since all of their communication is in XML, they are not restricted to any operating system or programming language. Web services are built on top of open standards such as TCP/IP, HTTP, Java, HTML, and XML.

Anatomy of Web Services

In simple language, any basic web services platform is a combination of XML and HTTP. They can be of:
- SOAP (Simple Object Access Protocol)
- UDDI (Universal Description, Discovery and Integration)
- WSDL (Web Services Description Language)

How does a Web Service Work

Web services depend on:
- XML to tag the data (as markup and syntax)