Web Services Security Testing Cheat Sheet Introduction
As Web Services are incorporated into application environments, having a good checklist while performing security assessments can help a penetration tester better identify web service related vulnerabilities and associated risk.
This document is intended to be an easy to use checklist while performing assessments against web services. The penetration tester is advised to incorporate this into his or her corporate testing methodology as a supplemental checklist or is free to use this checklist as the sole testing guideline.
For a Black Box assessment, at the very least, the penetration tester will need the Web Service Description Language (WSDL) file
For a Grey Box assessment, the penetration tester will need sample requests for each method employed by the web service(s), along with the Web Service Description Language (WSDL) file
While using automated tools, the penetration tester will need to validate all reported findings manually and perform due diligence false positive analysis for each vulnerability reported. During the manual phase of testing, the penetration tester will look for the existence of vulnerabilities missed by the automated tools and will validate automated tool output as necessary.