Web Service Assessment

Web services are designed to integrate remote systems into business processes or data; the same services can also give an attacker a direct path into those systems.

Web services are becoming more of an attack vector than ever before. It is critical that web services are assessed to determine whether they can be abused by attackers. SecureState's web service testing methodology goes deep into identifying vulnerabilities and provides in-depth coverage of web service testing from a security perspective, not just a functional one.


If your application interacts with any type of web service, your organization needs to perform a web services assessment to ensure proper security. Web services also need to be tested quite differently from traditional web applications.


As a result of their research, SecureState's penetration testers, in collaboration with other security industry experts, have modified the OWASP Testing Guide for testing web services, following the Penetration Testing Execution Standard (PTES), which is being discussed in the security community as the standard for penetration testing. The web services testing section of the upcoming OWASP Testing Guide v4 will include more details of this new methodology as well as testing examples.

Approach and Methodology

SecureState will assess a client's SOAP or REST-based web services for the many types of vulnerabilities commonly found in web services and perform security testing specific to them, including but not limited to XML structural testing, XML content-level testing, HTTP GET parameter/REST testing, malicious SOAP attachments, replay testing, and web service MITM testing. SecureState developed its web service testing methodology and toolset in partnership with the OWASP Testing Project.

To start, SecureState works with the client to establish the rules and scope of the engagement and to exchange contact information for both parties. SecureState provides a detailed Project Charter containing information on scope and everything that will be required to conduct the testing. SecureState also asks the client to fill out a web service questionnaire, which provides detailed information on how the web services work.

Next, SecureState identifies all WSDL or WCF locations and paths. In addition, SecureState determines the authentication mechanism used by the web service and gathers credentials and valid sample SOAP requests from the client. Tools such as Burp Suite and SoapUI are configured to interact with the web service. Once our team members have gathered the necessary information, we determine the different threats to the web service. SecureState looks at the business impact of the data being transferred by the web service. Once this business impact is determined, scenarios are developed and attacks are created for use when testing the web services.

SecureState then performs detailed authentication testing, transport layer testing, testing of the web service management interfaces, and, where applicable, testing of the client application (such as Microsoft Silverlight) for security flaws.

Finally, SecureState exploits the identified vulnerabilities in the web service using various testing techniques. This may include fuzzing XML methods and content, HTTP GET/POST testing, SOAP attachment testing, replay testing, and other data manipulation attacks.
