Testing for Web Services

 4.10 Web Services Testing 

SOA (Service-Oriented Architecture)/Web services applications are up-and-coming systems which are enabling businesses to interoperate and are growing at an unprecedented rate. Web service "clients" are generally not user web front-ends but other backend servers. Web services are exposed to the net like any other service, but can be used over HTTP, FTP, SMTP and MQ, among other transport protocols. The Web Services Framework uses the HTTP protocol (as a standard web application does) in conjunction with XML, SOAP, WSDL and UDDI technologies:
 * The "Web Services Description Language" (WSDL) is used to describe the interfaces of a service.
 * The "Simple Object Access Protocol" (SOAP) provides the means for communication between Web Services and Client Applications with XML and HTTP.
 * "Universal Description, Discovery and Integration" (UDDI) is used to register and publish Web Services and their characteristics so that they can be found by potential clients.

There are two players: the Web services consumer and the Web services supplier. All interaction between these two players is carried out using the building blocks described above.

The vulnerabilities in web services are similar to other vulnerabilities, such as SQL injection, information disclosure and leakage, but web services also have unique XML- and parser-related vulnerabilities, which are discussed here as well.

The tests are described in the following articles:

 * 4.10.1 XML Structural Testing
 * 4.10.2 XML Content-level Testing
 * 4.10.3 HTTP GET parameters/REST Testing
 * 4.10.4 Naughty SOAP attachments
 * 4.10.5 Replay Testing