Difference between revisions of "Testing for Web Services"

From OWASP
Jump to: navigation, search
 
(10 intermediate revisions by 3 users not shown)
Line 7: Line 7:
 
Webservice "clients" are generally not user web front-ends but other backend servers.
 
Webservice "clients" are generally not user web front-ends but other backend servers.
 
Webservices are exposed to the net like any other service but can be used on HTTP, FTP, SMTP, MQ among other transport protocols.
 
Webservices are exposed to the net like any other service but can be used on HTTP, FTP, SMTP, MQ among other transport protocols.
The Web Services Framework utilizes HTTP protocol (as standard Web Application) in conjunction with XML, SOAP, WSDL and UDDI  technologies:
+
The Web Services Framework utilizes the HTTP protocol (as standard Web Application) in conjunction with XML, SOAP, WSDL and UDDI  technologies:
 
* The "Web Services Description Language" (WSDL) is used to describe the interfaces of a service.
 
* The "Web Services Description Language" (WSDL) is used to describe the interfaces of a service.
 
* The "Simple Object Access Protocol" (SOAP) provides the means for communication between Web Services and Client Applications with XML and HTTP.
 
* The "Simple Object Access Protocol" (SOAP) provides the means for communication between Web Services and Client Applications with XML and HTTP.
 
* "Universal Description, Discovery and Integration" (UDDI) is used to register and publish Web Services and their characteristics so that they can be found from potential clients.
 
* "Universal Description, Discovery and Integration" (UDDI) is used to register and publish Web Services and their characteristics so that they can be found from potential clients.
  
The vulnerabilities in web services are similar to other vulnerabilities, such as SQL injection, information disclosure and leakage, but web services also have unique XML/parser related vulnerabilities, which are discussed here as well.
+
The vulnerabilities in web services are similar to other vulnerabilities, such as SQL injection, information disclosure, and leakage, but web services also have unique XML/parser related vulnerabilities, which are discussed here as well.
  
The following articles describes the web services testing:
+
The following articles describe the web services testing:
  
[[Testing: WS Information Gathering|4.10.1 WS Information Gathering]]<br>
+
[[Testing: WS Information Gathering (OWASP-WS-001)|4.10.1 WS Information Gathering (OWASP-WS-001)]]<br>
[[Testing WSDL|4.10.2 Testing WSDL]]<br>  
+
[[Testing WSDL   (OWASP-WS-002)|4.10.2 Testing WSDL   (OWASP-WS-002)]]<br>  
[[Testing for XML Structural|4.10.3 XML Structural Testing ]]<br>
+
[[Testing for XML Structural (OWASP-WS-003)|4.10.3 XML Structural Testing (OWASP-WS-003) ]]<br>
[[Testing for XML Content-Level|4.10.4 XML Content-level Testing ]]<br>
+
[[Testing for XML Content-Level (OWASP-WS-004)|4.10.4 XML Content-level Testing (OWASP-WS-004) ]]<br>
[[Testing for WS HTTP GET parameters/REST attacks|4.10.5 HTTP GET parameters/REST Testing ]]<br>
+
[[Testing for WS HTTP GET parameters/REST attacks (OWASP-WS-005)|4.10.5 HTTP GET parameters/REST Testing (OWASP-WS-005) ]]<br>
[[Testing for Naughty SOAP Attachments|4.10.6 Naughty SOAP attachments ]]<br>
+
[[Testing for Naughty SOAP Attachments   (OWASP-WS-006)|4.10.6 Naughty SOAP attachments   (OWASP-WS-006) ]]<br>
[[Testing for WS Replay|4.10.7 Replay Testing ]]<br>
+
[[Testing for WS Replay   (OWASP-WS-007)|4.10.7 Replay Testing   (OWASP-WS-007) ]]<br>

Latest revision as of 19:00, 15 December 2008

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here


4.10 Web Services Testing


SOA (Service Orientated Architecture)/Web services applications are up-and-coming systems which are enabling businesses to interoperate and are growing at an unprecedented rate. Webservice "clients" are generally not user web front-ends but other backend servers. Webservices are exposed to the net like any other service but can be used on HTTP, FTP, SMTP, MQ among other transport protocols. The Web Services Framework utilizes the HTTP protocol (as standard Web Application) in conjunction with XML, SOAP, WSDL and UDDI technologies:

  • The "Web Services Description Language" (WSDL) is used to describe the interfaces of a service.
  • The "Simple Object Access Protocol" (SOAP) provides the means for communication between Web Services and Client Applications with XML and HTTP.
  • "Universal Description, Discovery and Integration" (UDDI) is used to register and publish Web Services and their characteristics so that they can be found from potential clients.

The vulnerabilities in web services are similar to other vulnerabilities, such as SQL injection, information disclosure, and leakage, but web services also have unique XML/parser related vulnerabilities, which are discussed here as well.

The following articles describe the web services testing:

4.10.1 WS Information Gathering (OWASP-WS-001)
4.10.2 Testing WSDL (OWASP-WS-002)
4.10.3 XML Structural Testing (OWASP-WS-003)
4.10.4 XML Content-level Testing (OWASP-WS-004)
4.10.5 HTTP GET parameters/REST Testing (OWASP-WS-005)
4.10.6 Naughty SOAP attachments (OWASP-WS-006)
4.10.7 Replay Testing (OWASP-WS-007)