Web Service (XML Interpreter)
This article is part of the OWASP Testing Guide v4 (the current status is: DRAFT).
OWASP Testing Guide v4 Table of Contents [DRAFT]. At the moment the entire OWASP Testing Guide v3 can be downloaded here.
4.10 Web Service Testing
Web services are implemented by carrying XML over an application-layer (layer 7) protocol, most commonly HTTP. The XML is structured in a specific way so that the sender and the receiver of a message can both interpret its contents; this structure is SOAP, originally an acronym for Simple Object Access Protocol. SOAP is not used in the same request/response manner as a traditional web application. A closer analogy is SMTP: a SOAP message (the envelope) is a self-contained unit that a receiving server can forward on to another web service in order to obtain a response, so a single request may pass through several intermediaries before the reply comes back.
Any data transmitted between a client and a web service should be reviewed to ensure that it is protected from interception by an attacker. One common mistake is to rely on HTTP Basic Authentication to restrict access to authorized users. Depending on the architecture of the web service and how it is used, Basic Authentication may not be acceptable: the credentials are only Base64-encoded, not encrypted, so anyone who can read the traffic can recover them. Consider a web service that is exposed to the Internet and uses Basic Authentication. If it is called from a mobile device, which will often be on an untrusted network, the credentials can be intercepted with a man-in-the-middle (MiTM) attack. If Basic Authentication is used at all, the service must be reachable only over TLS and the client must validate the server certificate; otherwise the credential is exposed on every request.
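The interception scenario above, as an added example that is not part of the OWASP guide: given a captured HTTP request, recover the Basic credential and rate how exposed it was. The request, host, path and account are constructed for the illustration; the parsing follows RFC 7617, which is why the decoded credential is split on the first colon only.

```python
"""Added example (not part of the OWASP guide): recover a Basic Authentication
credential from a captured HTTP request and rate how exposed it was.

The request below is constructed for this illustration; the host, path and
account are not real.
"""
import base64
import binascii

# A constructed capture of a SOAP call made over plain HTTP, the scenario
# described in the text. The credential is built here so the header is a
# correct Base64 encoding of user "mobile-user" and password "p@ss:word".
_CREDENTIAL = base64.b64encode(b"mobile-user:p@ss:word")
CAPTURED_REQUEST = b"".join([
    b"POST /ws/AccountService HTTP/1.1\r\n",
    b"Host: api.example.com\r\n",
    b"Content-Type: text/xml; charset=utf-8\r\n",
    b'SOAPAction: "urn:GetBalance"\r\n',
    b"Authorization: Basic " + _CREDENTIAL + b"\r\n",
    b"Content-Length: 0\r\n",
    b"\r\n",
])


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request_line, [(lower_name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower().decode("latin-1"),
                            value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers


def extract_basic_credentials(raw_request):
    """Return {'header', 'user', 'password'} for the first Basic credential found, or None.

    Handles Proxy-Authorization too, and splits on the first ':' only, since
    RFC 7617 forbids ':' in the user-id but allows it in the password.
    """
    _, headers = parse_request(raw_request)
    for name, value in headers:
        if name not in ("authorization", "proxy-authorization"):
            continue
        scheme, _, token = value.partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed token: not a usable credential
        user, _, password = decoded.decode("utf-8", errors="replace").partition(":")
        return {"header": name, "user": user, "password": password}
    return None


def assess_exposure(raw_request, over_tls):
    """Rate the exposure of a Basic credential given whether the capture was a TLS connection."""
    creds = extract_basic_credentials(raw_request)
    if creds is None:
        return {"basic_auth": False, "risk": "none", "detail": "no Basic credential in request"}
    if not over_tls:
        risk = "high"
        detail = "Base64 is an encoding, not encryption: anyone on the network path reads the password"
    else:
        risk = "medium"
        detail = "protected in transit, but a client that skips certificate validation still hands it to a MiTM proxy"
    return {"basic_auth": True, "risk": risk, "user": creds["user"], "detail": detail}


if __name__ == "__main__":
    print(extract_basic_credentials(CAPTURED_REQUEST))
    print(assess_exposure(CAPTURED_REQUEST, over_tls=False))
    print(assess_exposure(CAPTURED_REQUEST, over_tls=True))
```

Run against a real capture, the same function applied to every request in a proxy log quickly shows whether the credential is being re-sent on each call and whether any of those calls left the TLS tunnel.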
The following articles describe details on how to conduct a web service test:
- 4.10.1 Scoping a Web Service Test (OWASP-WS-001)
- 4.10.2 WS Information Gathering (OWASP-WS-002)
- 4.10.3 WS Authentication Testing (OWASP-WS-003)
- 4.10.4 WS Management Interface Testing (OWASP-WS-004)
- 4.10.5 Weak XML Structure Testing (OWASP-WS-005)
- 4.10.6 XML Content-Level Testing (OWASP-WS-006)
- 4.10.7 WS HTTP GET Parameters/REST Testing (OWASP-WS-007)
- 4.10.8 WS Naughty SOAP Attachment Testing (OWASP-WS-008)
- 4.10.9 WS Replay/MiTM Testing (OWASP-WS-009)
- 4.10.10 WS BEPL Testing (OWASP-WS-010)
Key Points Regarding Web Services
SOA (Service Oriented Architecture) and web service applications are systems that enable businesses to interoperate, and they are growing at an unprecedented rate. Web services are typically used by modern mobile applications, using SOAP or RESTful protocols. Web service "clients" are generally not user-facing web front ends but other back-end servers. Web services are exposed to the network like any other service, but can run over HTTP, FTP, SMTP, MQ and other transport protocols. The web services stack typically uses HTTP (as a standard web application does) in conjunction with XML, SOAP, WSDL and UDDI:
- The "Web Services Description Language" (WSDL) is used to describe the interfaces of a service.
- The "Simple Object Access Protocol" (SOAP) provides the means of communication between web services and client applications, using XML messages, typically carried over HTTP.
- "Universal Description, Discovery and Integration" (UDDI) is used to register and publish web services and their characteristics so that potential clients can find them.
Web services are exposed to the same classes of vulnerability as other applications, such as SQL injection and information disclosure or leakage, but they also have XML- and parser-specific vulnerabilities, which are covered in the sub-articles listed above.
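To make the SOAP structure from section 4.10 and the XML/parser-specific concerns concrete, the following is an added example, not code from the OWASP guide: it builds a SOAP 1.1 request envelope and screens an inbound SOAP message before it reaches the application's XML parser. The two envelope namespace URIs are the real SOAP 1.1 and 1.2 namespaces, and the rejection of DOCTYPE declarations and processing instructions follows SOAP 1.1 section 3, which forbids both in a message. The service namespace, operation name and sample messages are constructed for the illustration.

```python
"""Added example (not part of the OWASP guide): build a SOAP 1.1 request and
screen an inbound SOAP message for forbidden XML constructs before handing it
to the application's parser.

SOAP11_NS and SOAP12_NS are the real SOAP envelope namespaces. The service
namespace, operation name and sample messages are constructed for this
illustration and belong to no real service.
"""
import re
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
SOAP_VERSIONS = {SOAP11_NS: "1.1", SOAP12_NS: "1.2"}

# SOAP 1.1 section 3: a message MUST NOT contain a Document Type Declaration
# or processing instructions. Screening the raw bytes for them before parsing
# keeps entity-based parser attacks away from the XML parser entirely.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# Any '<?' that is not the XML declaration itself ('<?xml' followed by whitespace).
_PI_RE = re.compile(rb"<\?(?!xml\s)", re.IGNORECASE)


def build_envelope(operation, service_ns, params):
    """Construct a SOAP 1.1 request: Envelope > Body > <operation> with one child per parameter."""
    ET.register_namespace("soapenv", SOAP11_NS)
    ET.register_namespace("tns", service_ns)
    envelope = ET.Element("{%s}Envelope" % SOAP11_NS)
    body = ET.SubElement(envelope, "{%s}Body" % SOAP11_NS)
    op = ET.SubElement(body, "{%s}%s" % (service_ns, operation))
    for name, value in params.items():
        ET.SubElement(op, "{%s}%s" % (service_ns, name)).text = str(value)
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def check_soap_message(raw):
    """Screen a SOAP message. Returns a dict with ok / reason / version / operation.

    The cheap byte-level checks run before ET.fromstring so that a hostile
    DOCTYPE is never given to the parser at all.
    """
    result = {"ok": False, "reason": "", "version": None, "operation": None}
    if _DOCTYPE_RE.search(raw):
        result["reason"] = "DOCTYPE declaration is forbidden in SOAP messages"
        return result
    if _PI_RE.search(raw):
        result["reason"] = "processing instructions are forbidden in SOAP messages"
        return result
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        result["reason"] = "not well-formed XML: %s" % exc
        return result
    ns, _, local = root.tag.rpartition("}")
    ns = ns.lstrip("{")
    version = SOAP_VERSIONS.get(ns)
    if local != "Envelope" or version is None:
        result["reason"] = "root element is not a SOAP Envelope: %s" % root.tag
        return result
    result["version"] = version
    bodies = root.findall("{%s}Body" % ns)
    if len(bodies) != 1:
        result["reason"] = "expected exactly one Body, found %d" % len(bodies)
        return result
    entries = list(bodies[0])
    if not entries:
        result["reason"] = "Body carries no entries"
        return result
    # The first Body entry names the operation (RPC style) or the document root (document style).
    result["operation"] = entries[0].tag.rpartition("}")[2]
    result["ok"] = True
    result["reason"] = "structurally valid SOAP %s message" % version
    return result


# Constructed samples: one legitimate request and three that should be rejected.
GOOD_REQUEST = build_envelope("GetBalance", "http://example.com/bank", {"accountId": "1234"})
DOCTYPE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>'
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><q>&e;</q></soapenv:Body></soapenv:Envelope>'
)
PI_REQUEST = (
    b'<?xml version="1.0"?><?xml-stylesheet href="x.xsl"?>'
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Body><q/></soapenv:Body></soapenv:Envelope>'
)
NOT_SOAP = b'<?xml version="1.0"?><Envelope><Body/></Envelope>'

if __name__ == "__main__":
    for label, msg in [("good", GOOD_REQUEST), ("doctype", DOCTYPE_REQUEST),
                       ("pi", PI_REQUEST), ("not-soap", NOT_SOAP)]:
        print(label, check_soap_message(msg))
```

The screen is deliberately conservative: it rejects on the raw bytes, so a `<?` inside a CDATA section would also be refused. For SOAP that is acceptable, since conforming senders never emit either construct, and a test for "Weak XML Structure" is largely a matter of checking how the target behaves when these checks are absent.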
Differences in Web Service Standards
- Tom Eston, Josh Abraham, Kevin Johnson "Don't Drop the SOAP: Real World Web Service Testing" http://securestate.com/Insights/Documents/WhitePapers/Dont-Drop-the-SOAP-Whitepaper.pdf