Testing for Web Services
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP is currently working on the OWASP Testing Guide v4; you can browse the Guide here.
4.8 Web Services Testing
"By 2005 Web services shall have reopened over 70% of the attack paths against internet-connected systems, which were closed by network firewalls in the 1990's" -Gartner Oct 2002
SOA (Service-Oriented Architecture)/Web services applications are up-and-coming systems that enable businesses to interoperate, and they are growing at an unprecedented rate. Web service "clients" are generally not user web front-ends but other backend servers. Web services are exposed to the net like any other service, but can be used over HTTP, FTP, SMTP, and MQ, among other transport protocols.
The vulnerabilities in web services are similar to other vulnerabilities, such as SQL injection, information disclosure, and leakage, but web services also have unique XML/parser-related vulnerabilities, which are discussed here as well.