Testing WSDL (OWASP-WS-002)

Revision as of 06:33, 22 August 2008 by Mmeucci (talk | contribs)

Jump to: navigation, search

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Brief Summary

Once that the WSDL is identified, we can test that entry point.

Description of the Issue

Check the WSDL of the web service to find the entry points and try to invoke an operation that is not used in a standard SOAP Request. Ensure that the WS doesn’t give you some confidential information.

Black Box testing and example

Given the Standard SOAP message that the Web services supplier waits from Web services consumer, you can craft a particular message that invoke some hidden operations. Example:
A good example is WebGoat 5.0 WSDL Scanning lesson. The following is a screenshot from that lesson:


Here we have an interface that invokes a Web Service using only Account Number, FirstName, LastName, and Login Count as parameters.
If you look at the relative WSDL you will find:

<wsdl:portType name="WSDLScanning">
<wsdl:operation name="getFirstName" parameterOrder="id">
<wsdl:input message="impl:getFirstNameRequest" name="getFirstNameRequest"/>
<wsdl:output message="impl:getFirstNameResponse" name="getFirstNameResponse"/>

</wsdl:operation> <wsdl:operation name="getLastName" parameterOrder="id"> <wsdl:input message="impl:getLastNameRequest" name="getLastNameRequest"/> <wsdl:output message="impl:getLastNameResponse" name="getLastNameResponse"/> </wsdl:operation>

<wsdl:operation name="getCreditCard" parameterOrder="id"> <wsdl:input message="impl:getCreditCardRequest" name="getCreditCardRequest"/> <wsdl:output message="impl:getCreditCardResponse" name="getCreditCardResponse"/> </wsdl:operation>

<wsdl:operation name="getLoginCount" parameterOrder="id"> <wsdl:input message="impl:getLoginCountRequest" name="getLoginCountRequest"/> <wsdl:output message="impl:getLoginCountResponse" name="getLoginCountResponse"/> </wsdl:operation> </wsdl:portType> ... </pre> We find 4 operations and not only 3. Using WebScarab Web Service plugin, we can craft a SOAP Request to get the Credit Card given a specific ID.