SecureState assesses a client's SOAP or REST-based web services for the vulnerability classes commonly found in web services and performs testing that is specific to them, including but not limited to XML structural testing, XML content-level testing, HTTP GET parameter/REST testing, malicious SOAP attachments, replay testing, and web service man-in-the-middle (MITM) testing. SecureState developed its web service testing methodology and toolset in partnership with the OWASP Testing Project.
To start, SecureState works with the client to establish the rules of engagement and scope and to exchange contact information for both parties. SecureState provides a detailed Project Charter that documents the scope and everything required to conduct the testing. SecureState also asks the client to complete a web service questionnaire that describes in detail how the web services work.
Next, SecureState identifies all WSDL and WCF endpoint locations and paths. SecureState also determines the authentication mechanism the web service uses and obtains credentials and valid sample SOAP requests from the client. Tools such as Burp Suite and SoapUI are then configured to interact with the web service. Once our Team Members have gathered this information, we enumerate the threats to the web service, starting from the business impact of the data the service transfers. From that impact assessment, attack scenarios are developed and the specific attacks used during testing are created.
SecureState then performs detailed authentication testing, transport layer testing, testing of the web service management interfaces, and, where applicable, testing of the client application (such as a Microsoft Silverlight client) for security flaws.
Finally, SecureState exploits the identified vulnerabilities in the web service using various testing techniques. These may include fuzzing XML methods and content, HTTP GET/POST testing, SOAP attachment testing, replay testing, and other data manipulation attacks.
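The following is an added example, not part of SecureState's toolset or of the OWASP Testing Project, showing the mechanics behind several of the steps above in standard-library Python: enumerating operations and the endpoint from a WSDL, building a valid SOAP 1.1 request from a sample, deriving XML content-level and structural fuzz cases from that request, and flagging a request as a replay candidate when its header carries no WS-Security Timestamp or Nonce. The WSDL, target namespace, operation and parameter names are constructed for illustration; in an engagement the envelope would be sent through Burp Suite or SoapUI to the real endpoint.

```python
"""Offline helpers for WSDL-driven SOAP testing (added example, not SecureState tooling).

SAMPLE_WSDL, TARGET_NS and the operation/parameter names are constructed for illustration.
"""
import copy
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_WSDL_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
TARGET_NS = "http://example.test/accounts"  # constructed
ET.register_namespace("soapenv", SOAP_ENV_NS)  # fixed prefix, so the string splicing below is deterministic

SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             targetNamespace="http://example.test/accounts">
  <portType name="AccountPort">
    <operation name="GetBalance"/>
    <operation name="Transfer"/>
  </portType>
  <service name="AccountService">
    <port name="AccountPort">
      <soap:address location="http://example.test/soap/AccountService"/>
    </port>
  </service>
</definitions>"""

# Constructed: the same kind of request carrying a WS-Security Timestamp in its Header.
PROTECTED_ENVELOPE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV_NS}" xmlns:wsu="{WSU_NS}">'
    '<soapenv:Header><wsu:Timestamp><wsu:Created>2024-01-01T00:00:00Z</wsu:Created>'
    '</wsu:Timestamp></soapenv:Header><soapenv:Body/></soapenv:Envelope>')


def list_operations(wsdl_text):
    """Operation names declared on the WSDL portType(s)."""
    root = ET.fromstring(wsdl_text)
    return [op.get("name") for op in root.findall(f"{{{WSDL_NS}}}portType/{{{WSDL_NS}}}operation")]


def service_location(wsdl_text):
    """Endpoint URL from the first soap:address element, or None."""
    addr = ET.fromstring(wsdl_text).find(f".//{{{SOAP_WSDL_NS}}}address")
    return addr.get("location") if addr is not None else None


def build_envelope(target_ns, operation, params):
    """Valid SOAP 1.1 request: each parameter becomes a child element of the operation."""
    env = ET.Element(f"{{{SOAP_ENV_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_ENV_NS}}}Header")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_ENV_NS}}}Body"), f"{{{target_ns}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{target_ns}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode")


def is_well_formed(xml_text):
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def content_mutations(value):
    """Content-level cases for one element; ElementTree escapes markup, so the envelope stays well formed."""
    s = str(value)
    return ["", "A" * 65536, "-1", "0", "2147483648", "1e308", s + "'", "<>&\"'"]


def fuzz_envelopes(target_ns, operation, params):
    """One envelope per (parameter, mutation); the other parameters keep their valid values."""
    cases = []
    for name, original in params.items():
        for mut in content_mutations(original):
            cases.append((name, mut[:16], build_envelope(target_ns, operation, dict(params, **{name: mut}))))
    return cases


def structural_mutations(envelope_xml, depth=2000):
    """Structural cases from a build_envelope() result: duplicate operation, missing
    parameter, deeply nested Body, and an unclosed root element."""
    root = ET.fromstring(envelope_xml)
    body_tag = f"{{{SOAP_ENV_NS}}}Body"
    cases = {}
    dup = copy.deepcopy(root)  # two operation elements: does the handler take the first or the last?
    dup.find(body_tag).append(copy.deepcopy(dup.find(body_tag)[0]))
    cases["duplicate_operation"] = ET.tostring(dup, encoding="unicode")
    missing = copy.deepcopy(root)  # required element absent: clean SOAP fault or unhandled exception?
    op = missing.find(body_tag)[0]
    if len(op):
        op.remove(op[0])
    cases["missing_param"] = ET.tostring(missing, encoding="unicode")
    cases["deep_nesting"] = envelope_xml.replace(  # parser recursion / resource exhaustion
        "<soapenv:Body>", "<soapenv:Body>" + "<n>" * depth, 1).replace(
        "</soapenv:Body>", "</n>" * depth + "</soapenv:Body>", 1)
    cases["unclosed_root"] = envelope_xml.rsplit("</", 1)[0]  # malformed: expect a fault, not a stack trace
    return cases


def has_replay_protection(envelope_xml):
    """True only if the Header carries a wsu:Timestamp or wsse:Nonce. A request with neither
    is a replay candidate: resubmit the captured bytes and compare the responses."""
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP_ENV_NS}}}Header")
    if header is None:
        return False
    return (header.find(f".//{{{WSU_NS}}}Timestamp") is not None
            or header.find(f".//{{{WSSE_NS}}}Nonce") is not None)


if __name__ == "__main__":
    sample = {"fromAccount": "1001", "amount": "25.00"}
    print(service_location(SAMPLE_WSDL), list_operations(SAMPLE_WSDL))
    req = build_envelope(TARGET_NS, "Transfer", sample)
    print(req)
    print(len(fuzz_envelopes(TARGET_NS, "Transfer", sample)), "content-level cases")
    for name, case in structural_mutations(req).items():
        print(name, "well-formed" if is_well_formed(case) else "malformed", len(case), "bytes")
    print("replay candidate:", not has_replay_protection(req))
```

The content-level cases are deliberately kept well formed so that a fault or error they trigger is attributable to the application's handling of the value rather than to the XML parser; the structural cases target the parser and the binding layer separately. The replay check is only a triage heuristic: the absence of a Timestamp or Nonce marks a request worth replaying, and the actual test is resubmitting the captured request and confirming whether the service accepts it a second time.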