Difference between revisions of "Web Service Security Testing Cheat Sheet"

From OWASP
(Migration to GitHub of the project)
 
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;"
|-
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
<br/>Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
__TOC__{{TOC hidden}}
 
= Web Services Security Testing Cheat Sheet Introduction  =
 
  
As Web Services are incorporated into application environments, having a good checklist while performing security assessments can help a penetration tester better identify web service related vulnerabilities and associated risk.
An [https://github.com/OWASP/CheatSheetSeries/issues/13 open discussion] is pending on whether or not to exclude this cheat sheet from V2 of the project.
 
 
== Purpose ==
 
 
 
This document is intended to be an easy to use checklist while performing assessments against web services. The penetration tester is advised to incorporate this into his or her corporate testing methodology as a supplemental checklist or is free to use this checklist as the sole testing guideline.
 
 
 
== Checklist ==
 
 
 
===Pre-Assessment===
 
<p>
 
* For a Black Box assessment, at the very least, the penetration tester will need the Web Service Description Language (WSDL) file<br />
 
* For a Grey Box assessment, the penetration tester will need sample requests for each method employed by the web service(s), along with the Web Service Description Language (WSDL) file
 
</p>
 
 
 
===Information Gathering===
 
<p>
 
* Black Box<br />
 
** Google hacking<br />
 
*** Inurl:jws?wsdl<br />
 
*** Inurl:asmx?wsdl<br />
 
*** Inurl:aspx?wsdl<br />
 
*** Inurl:ascx?wsdl<br />
 
*** Inurl:ashx?wsdl<br />
 
*** Inurl:dll?wsdl<br />
 
*** Inurl:exe?wsdl<br />
 
*** Inurl:php?wsdl<br />
 
*** Inurl:pl?wsdl<br />
 
*** Inurl:?wsdl<br />
 
*** Filetype:jws<br />
 
*** Filetype:asmx<br />
 
*** Filetype:ascx<br />
 
*** Filetype:aspx<br />
 
*** Filetype:ashx<br />
 
*** Filetype:dll<br />
 
*** Filetype:exe<br />
 
*** Filetype:php<br />
 
*** Filetype:pl<br />
 
** WSDL file contents<br />
 
*** Methods<br />
 
*** Data Types<br />
 
** UDDI<br />
 
*** Web Service Discovery (If no WSDL provided)<br />
 
** Authentication Type Discovery<br />
 
** REST vs. SOAP<br />
 
** Baseline Requests<br />
 
* Grey Box<br />
 
** WSDL file contents<br />
 
*** Methods<br />
 
*** Data Types<br />
 
** Sample/Baseline Requests<br />
 
*** Methods<br />
 
*** Data Types<br />
 
*** Types of Information Being Requested/Consumed<br />
 
** Authentication Type Discovery<br />
 
** REST vs. SOAP
 
</p>
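The "WSDL file contents: Methods, Data Types" step above boils down to inventorying which operations a service exposes and what typed fields each one accepts and returns. The following is an added example (not part of the original cheat sheet) that does that with the standard library against a constructed, hypothetical WSDL 1.1 document; it assumes document/literal wrapper elements with inline complex types, which is the common case, and does not parse bindings or ports.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
XSD = "{http://www.w3.org/2001/XMLSchema}"

# Constructed sample WSDL 1.1 (hypothetical service, not a real endpoint).
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:example:accounts"
  targetNamespace="urn:example:accounts">
  <types><xs:schema targetNamespace="urn:example:accounts">
    <xs:element name="GetBalance"><xs:complexType><xs:sequence>
      <xs:element name="accountId" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
    <xs:element name="GetBalanceResponse"><xs:complexType><xs:sequence>
      <xs:element name="balance" type="xs:decimal"/>
    </xs:sequence></xs:complexType></xs:element>
  </xs:schema></types>
  <message name="GetBalanceIn"><part name="body" element="tns:GetBalance"/></message>
  <message name="GetBalanceOut"><part name="body" element="tns:GetBalanceResponse"/></message>
  <portType name="AccountsPort"><operation name="GetBalance">
    <input message="tns:GetBalanceIn"/><output message="tns:GetBalanceOut"/>
  </operation></portType>
</definitions>"""

def local(qname):
    """Strip a namespace prefix such as 'tns:' from a QName."""
    return qname.split(":")[-1]

def inventory_wsdl(wsdl_text):
    """Map each portType operation to the (field, type) pairs of its input and output."""
    root = ET.fromstring(wsdl_text)
    # Schema wrapper element name -> typed child fields declared under it.
    fields = {}
    for el in root.iter(XSD + "element"):
        if el.get("type") is None:  # wrapper element with an inline complexType
            fields[el.get("name")] = [(c.get("name"), c.get("type"))
                                      for c in el.iter(XSD + "element") if c.get("type")]
    # Message name -> wrapper element it carries.
    messages = {m.get("name"): local(m.find(WSDL + "part").get("element"))
                for m in root.findall(WSDL + "message")}
    ops = {}
    for port_type in root.findall(WSDL + "portType"):
        for op in port_type.findall(WSDL + "operation"):
            entry = {}
            for direction in ("input", "output"):
                node = op.find(WSDL + direction)
                if node is not None:
                    entry[direction] = fields.get(messages[local(node.get("message"))], [])
            ops[op.get("name")] = entry
    return ops
```

The resulting map doubles as the list of baseline requests to build in the Testing Phase, and for a service owner it is a quick review of what the published WSDL actually advertises.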
 
 
 
===Testing Phase===
 
 
 
<p>
 
* Baseline Tests<br />
 
** Normal Request(s)/Response(s) for Each Method <br />
 
* Automated Tests<br />
 
** Tools<br />
 
*** SoapUI Pro<br />
 
*** IBM AppScan<br />
 
*** HP Webinspect<br />
 
*** WSBang<br />
 
*** WSMap<br />
 
* Vulnerability Discovery<br />
 
** Debug output<br />
 
** Fuzzing<br />
 
** XSS<br />
 
** SQLi<br />
 
** Malformed XML<br />
 
** Malicious Attachment/File Upload<br />
 
** Xpath Injection<br />
 
** Improper Boundary Checking<br />
 
** XML Bomb (DoS)<br />
 
** Basic Authentication<br />
 
** SAML/OAuth/OpenID authentication<br />
 
*** Authentication based attacks<br />
 
**** Replay attacks<br />
 
**** Session fixation<br />
 
**** XML Signature wrapping<br />
 
**** Inadequate session timeout settings<br />
 
*** Improper implementation<br />
 
** SSL/TLS Use<br />
 
** Host Cipher Support<br />
 
** Valid Certificate<br />
 
** Protocol Support<br />
 
** Hashing Algorithm Support<br />
 
** Deprecated cipher suites that are offered<br />
 
*** External resources<br />
 
**** SSL Labs<br />
 
*** Internal resources<br />
 
**** SSLscan<br />
 
** Authorization Bypass<br />
 
** Schema Implementation Weaknesses<br />
 
** Non-encoded Output<br />
 
* Manual Tests<br />
 
** Tools<br />
 
*** Soap UI Free<br />
 
*** Burp Suite Pro<br />
 
**** Suggested extensions:<br />
 
***** SAML Editor<br />
 
***** SAML Encoder / Decoder<br />
 
***** WSDL Wizard<br />
 
***** Wsdler<br />
 
*** SOA Client<br />
 
*** WSDigger (deprecated)<br />
 
** Vulnerability Discovery<br />
 
*** Debug output<br />
 
*** Fuzzing<br />
 
*** XSS<br />
 
*** SQLi<br />
 
*** Malformed XML<br />
 
*** Malicious Attachment/File Upload<br />
 
*** Xpath Injection<br />
 
*** Improper Boundary Checking<br />
 
*** XML Bomb (DoS)<br />
 
*** Basic Authentication<br />
 
*** SSL/TLS Fallback
 
</p>
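Several of the Vulnerability Discovery items above (Malformed XML, XML Bomb (DoS), Improper Boundary Checking) are exercised against the service's XML parser, so the corresponding fix is a parser that refuses the dangerous input before it is processed. The following is an added example (not from the original cheat sheet) of such a hardened request check built on the standard library's expat parser; the size, depth and element-count limits are assumed values, and the three sample requests are constructed.

```python
import xml.parsers.expat

MAX_BYTES = 1_000_000   # assumed request size limit
MAX_DEPTH = 32          # assumed nesting limit
MAX_ELEMENTS = 10_000   # assumed element-count limit

def check_request(data: bytes) -> str:
    """Parse an XML/SOAP request with a hardened expat parser.
    Returns "ok:<element count>" or "rejected:<reason>". Any DOCTYPE or entity
    declaration is refused, so an entity-expansion bomb is stopped before any
    expansion happens; size, depth and element count are capped as well."""
    if len(data) > MAX_BYTES:
        return "rejected:too large"
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "elements": 0}

    def refuse_dtd(*_):
        raise ValueError("DTD not permitted")

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > MAX_DEPTH:
            raise ValueError("nesting too deep")
        if state["elements"] > MAX_ELEMENTS:
            raise ValueError("too many elements")

    def end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = refuse_dtd
    parser.EntityDeclHandler = refuse_dtd
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except ValueError as exc:          # raised by our handlers above
        return f"rejected:{exc}"
    except xml.parsers.expat.ExpatError:
        return "rejected:malformed XML"
    return f"ok:{state['elements']}"

# Constructed samples: a normal request, a small entity-expansion bomb, malformed XML, deep nesting.
NORMAL = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><GetBalance><accountId>42</accountId></GetBalance></soap:Body></soap:Envelope>"""
BOMB = b"""<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>&b;</soap:Body></soap:Envelope>"""
MALFORMED = b"<soap:Envelope><soap:Body><GetBalance></soap:Body></soap:Envelope>"
DEEP = b"<a>" * 40 + b"</a>" * 40
```

Running the same four inputs against the service under test is a quick way to tell whether its parser applies comparable limits or happily expands and nests whatever it is sent.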
 
 
 
==Testing REST Based Web Services==
 
 
 
There is already a good cheat sheet on how to test the security of REST-based web services. It is available at the following location: <br />
 
[https://www.owasp.org/index.php/REST_Assessment_Cheat_Sheet] https://www.owasp.org/index.php/REST_Assessment_Cheat_Sheet
 
 
 
==Testing Summary==
 
 
 
<p>When using automated tools, the penetration tester will need to validate every reported finding manually and perform a due-diligence false-positive analysis for each vulnerability reported. During the manual phase of testing, the penetration tester will look for vulnerabilities missed by the automated tools and will validate automated tool output as necessary.</p>
 
 
 
==References==
 
 
 
<p>[http://www.securestate.com/Insights/Documents/WhitePapers/Dont-Drop-the-SOAP-Whitepaper.pdf] http://www.securestate.com/Insights/Documents/WhitePapers/Dont-Drop-the-SOAP-Whitepaper.pdf<br />
 
[http://resources.infosecinstitute.com/web-services/] http://resources.infosecinstitute.com/web-services/<br />
 
[http://resources.infosecinstitute.com/web-services-penetration-testing-part-1/] http://resources.infosecinstitute.com/web-services-penetration-testing-part-1/<br />
 
[http://resources.infosecinstitute.com/web-services-penetration-testing-part-2-automated-approach-soapui-pro/] http://resources.infosecinstitute.com/web-services-penetration-testing-part-2-automated-approach-soapui-pro/<br />
 
[http://resources.infosecinstitute.com/web-services-pen-test-part-3-automation-appscan-webinspect/] http://resources.infosecinstitute.com/web-services-pen-test-part-3-automation-appscan-webinspect/<br />
 
[https://www.youtube.com/watch?v=J-uO0ELZ2rk] https://www.youtube.com/watch?v=J-uO0ELZ2rk<br />
 
[http://www-01.ibm.com/support/docview.wss?uid=swg21404788] http://www-01.ibm.com/support/docview.wss?uid=swg21404788<br />
 
[https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet] https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet<br />
 
[http://www.pushtotest.com/blogs/60-the-cohen-blog/697-web-security-test-solutions-with-testmaker-and-soapui.html] http://www.pushtotest.com/blogs/60-the-cohen-blog/697-web-security-test-solutions-with-testmaker-and-soapui.html<br />
 
[https://msdn.microsoft.com/en-us/library/ff650168.aspx] https://msdn.microsoft.com/en-us/library/ff650168.aspx<br />
 
[http://www.soapui.org/security-testing/overview-of-security-scans.html] http://www.soapui.org/security-testing/overview-of-security-scans.html<br />
 
[https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet] https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet<br />
 
[http://resources.infosecinstitute.com/web-services-pen-test-part-4-manual-testing-soa-client/] http://resources.infosecinstitute.com/web-services-pen-test-part-4-manual-testing-soa-client/<br />
 
[http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion] http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion<br />
 
[https://www.owasp.org/index.php/Testing_WSDL_%28OWASP-WS-002%29] https://www.owasp.org/index.php/Testing_WSDL_%28OWASP-WS-002%29<br />
 
[https://www.youtube.com/watch?v=QLKM4USUlZs] https://www.youtube.com/watch?v=QLKM4USUlZs<br />
 
[https://www.youtube.com/watch?v=RHIkb9yEV1k] https://www.youtube.com/watch?v=RHIkb9yEV1k<br />
 
[https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf] https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf<br />
 
[http://resources.infosecinstitute.com/saml-oauth-openid/] http://resources.infosecinstitute.com/saml-oauth-openid/<br />
 
[http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml] http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml<br />
 
</p>
 
 
 
==Additional Resources==
 
 
 
<p>Below are resources to help the tester learn and refine their ability to effectively test various web services.</p>
 
 
 
===Virtual Machines===
 
<p>
 
* OWASP Mutillidae<br />
 
* PenTester Lab: Axis2 Web Service and Tomcat Manager<br />
 
* DVWS<br />
 
* OWASP WebGoat<br />
 
</p>
 
===Online Resources===
 
<p>
 
* [http://www-01.ibm.com/support/docview.wss?uid=swg21288823] http://www-01.ibm.com/support/docview.wss?uid=swg21288823 <br />
 
* [http://zero.webappsecurity.com/] http://zero.webappsecurity.com/<br />
 
* [https://media.blackhat.com/bh-us-11/Johnson/BH_US_11_JohnsonEstonAbraham_Dont_Drop_the_SOAP_WP.pdf] https://media.blackhat.com/bh-us-11/Johnson/BH_US_11_JohnsonEstonAbraham_Dont_Drop_the_SOAP_WP.pdf<br />
 
* [http://www.securitytube.net/video/11695] http://www.securitytube.net/video/11695<br />
 
* [http://www.securitytube.net/video/8462] http://www.securitytube.net/video/8462<br />
 
* [http://www.securitytube.net/video/1113] http://www.securitytube.net/video/1113<br />
 
* [http://resources.infosecinstitute.com/web-services-pen-test-part-4-manual-testing-soa-client/] http://resources.infosecinstitute.com/web-services-pen-test-part-4-manual-testing-soa-client/<br />
 
* [https://www.owasp.org/index.php/REST_Assessment_Cheat_Sheet] https://www.owasp.org/index.php/REST_Assessment_Cheat_Sheet</p>
 
 
 
==Primary Author==
 
<p>
 
* Michael Born
 
</p>
 
 
 
==Contributing Editors/Authors==
 
<p>
 
* John Rogers
 
* Zac Fowler
 
* Fred Donovan
 
* Rob Temple
 
* Andrew Freeborn
 
* Sai Uday Shankar Korlimarla
 
* Robert Nordstrom
 
* Justin Williams
 
</p>
 
 
 
== Other Cheatsheets ==
 
 
 
{{Cheatsheet_Navigation_Body}}
 
 
 
|}
 
 
 
[[Category:Cheatsheets]]
 

Latest revision as of 04:28, 16 February 2019
