Scoping a Web Service Test (OWASP-WS-001)

From OWASP
Latest revision as of 09:44, 17 October 2012

This article is part of the new OWASP Testing Guide v4. 
At the moment the project is in the REVIEW phase.

Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project

Brief Summary


Proper scoping and pre-engagement information gathering are essential to executing a web service test well. Many modern web services use custom authentication schemes and complex designs and architectures; a test that starts without this information is likely to miss endpoints, web methods or whole trust boundaries.

Scoping Questions


The following scoping questions need to be asked prior to any web service test. The answers typically come from the developers responsible for the design, coding and architecture of the web service.

  • What web service framework is being used? Examples include Windows Communication Foundation (WCF), Apache Axis/Axis2 and Zend.
  • What type of web services are they, SOAP or REST? (WCF is a framework rather than a service type; a WCF service may expose SOAP endpoints, RESTful endpoints or both.)
  • What type of data do the web services provide, and how important is that data from a business perspective?
  • Is BPEL being used?
  • How many web services are there, and how many web methods does each service expose?
  • Can you provide developer documentation showing the schema of the web service, and documentation for any APIs that are used?
  • If DISCO or UDDI is used, can you provide all directory listings for your web service, including any that are publicly available?
  • Does the web service use SSL/TLS, and is it enforced on every endpoint rather than only on the documented ones?
  • Does the web service use WS-Security?
  • Can you provide all WSDL paths and endpoints? How many WSDL paths are there?
  • Are you using non-SOAP web services, such as RESTful services exchanging JSON?
  • What type of authentication does the web service use? Examples include: none, HTTP Basic Authentication, NTLM Authentication, NTLM off of Windows (via Ado), parameter-based authentication (username/password passed as parameters in each call, in the header or body, etc.), custom-built or other authentication, and certificate-based authentication.
  • If authentication is used, will you be able to provide credentials for testing the web service, ideally one set per user role or privilege level?
  • Does the web service accept attachments via SOAP requests?
  • Will you be able to provide multiple sample SOAP requests that together exercise the full functionality of the web service?
  • Does the web service have a custom front end that consumes it, e.g. a Java application, a custom-coded desktop application or Microsoft Silverlight? Can you provide the JAR, XAP or installation files?
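Several of the questions above (how many web methods each service exposes, which endpoints exist, whether SSL/TLS is used everywhere, whether WS-Security is advertised) can be cross-checked against the WSDL files the developers hand over. The script below is an added example written for this page, not OWASP tooling or any project's code: it parses a WSDL 1.1 document with the Python standard library and reports the ports, endpoint addresses, TLS use, web methods per port and whether any WS-SecurityPolicy assertions are present. The WSDL is a constructed sample (the service, host and operation names are invented) that deliberately exposes an admin port over cleartext HTTP, the kind of finding scoping should surface before testing starts.

```python
"""Summarise a WSDL 1.1 document for scoping a web service test.

Added example (not OWASP's own tooling). The WSDL below is a constructed
sample, not a real service.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = ("http://schemas.xmlsoap.org/wsdl/soap/",
           "http://schemas.xmlsoap.org/wsdl/soap12/")
# Namespace prefixes of WS-SecurityPolicy (OASIS 1.2 and the earlier 2005 draft)
SECPOL_NS = ("http://docs.oasis-open.org/ws-sx/ws-securitypolicy",
             "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy")

# Constructed sample: two port types, one of which (AdminPortType) is reachable
# on a cleartext endpoint. Service, host and operation names are invented.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="Orders" targetNamespace="urn:example:orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:example:orders"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy wsu:Id="UsernameTokenPolicy">
    <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
  </wsp:Policy>
  <portType name="OrdersPortType">
    <operation name="GetOrder"/>
    <operation name="CreateOrder"/>
    <operation name="CancelOrder"/>
  </portType>
  <portType name="AdminPortType">
    <operation name="PurgeOrders"/>
  </portType>
  <binding name="OrdersSoapBinding" type="tns:OrdersPortType">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <binding name="AdminSoapBinding" type="tns:AdminPortType">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="OrdersService">
    <port name="OrdersPort" binding="tns:OrdersSoapBinding">
      <soap:address location="https://orders.example.test/ws/orders"/>
    </port>
    <port name="AdminPort" binding="tns:AdminSoapBinding">
      <soap:address location="http://orders.example.test/ws/admin"/>
    </port>
  </service>
</definitions>
"""


def _wsdl(name):
    return "{%s}%s" % (WSDL_NS, name)


def _unprefix(qname):
    # WSDL cross-references are QNames: "tns:OrdersPortType" -> "OrdersPortType"
    return (qname or "").split(":")[-1]


def _address(port):
    # The endpoint URL lives in a soap:address or soap12:address child of the port
    for child in port:
        for ns in SOAP_NS:
            if child.tag == "{%s}address" % ns:
                return child.get("location")
    return None


def summarize_wsdl(wsdl_text):
    root = ET.fromstring(wsdl_text)

    # Web methods (operations) declared by each port type
    port_types = {
        pt.get("name"): [op.get("name") for op in pt.findall(_wsdl("operation"))]
        for pt in root.findall(_wsdl("portType"))
    }
    # Binding name -> port type it binds, so a port can be traced back to its methods
    bindings = {b.get("name"): _unprefix(b.get("type"))
                for b in root.findall(_wsdl("binding"))}

    endpoints = []
    for svc in root.findall(_wsdl("service")):
        for port in svc.findall(_wsdl("port")):
            location = _address(port)
            pt_name = bindings.get(_unprefix(port.get("binding")))
            endpoints.append({
                "service": svc.get("name"),
                "port": port.get("name"),
                "location": location,
                "tls": bool(location) and urlparse(location).scheme == "https",
                "operations": port_types.get(pt_name, []),
            })

    # Any element in a WS-SecurityPolicy namespace means the WSDL advertises WS-Security
    ws_security_policy = any(
        isinstance(el.tag, str) and el.tag.startswith("{" + ns)
        for el in root.iter() for ns in SECPOL_NS
    )

    return {
        "endpoints": endpoints,
        "total_operations": sum(len(ops) for ops in port_types.values()),
        "cleartext_endpoints": [e["location"] for e in endpoints if not e["tls"]],
        "ws_security_policy": ws_security_policy,
    }


if __name__ == "__main__":
    summary = summarize_wsdl(SAMPLE_WSDL)
    for ep in summary["endpoints"]:
        print("%s/%s -> %s (TLS: %s) methods: %s" % (
            ep["service"], ep["port"], ep["location"], ep["tls"],
            ", ".join(ep["operations"])))
    print("total web methods:", summary["total_operations"])
    print("cleartext endpoints:", summary["cleartext_endpoints"])
    print("WS-SecurityPolicy present:", summary["ws_security_policy"])
```

Run it against each WSDL path the developers provide and compare the totals with the numbers they gave for services and web methods; a mismatch usually means an undocumented endpoint or an additional WSDL. Two caveats: the script does not follow wsdl:import or xsd:import, so imported definitions have to be summarised separately, and the absence of WS-SecurityPolicy assertions in a WSDL does not prove WS-Security is unused, since it can be enforced in code without ever being advertised, which is why the question still has to be asked.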


References

Whitepapers

  • Tom Eston, Josh Abraham, Kevin Johnson, "Don't Drop the SOAP: Real World Web Service Testing", http://securestate.com/Insights/Documents/WhitePapers/Dont-Drop-the-SOAP-Whitepaper.pdf