HP Security Lab blog: Dynamic Web Services Assessment using HP WebInspect Jun 19, 2012 – samareshm
“There is no greater agony than bearing an untold story inside you.” - Maya Angelou.
Over the last couple of releases, HP WebInspect has added substantial support for Web Services assessments. However, my interactions with various users have made me feel that the story of our Web Services capabilities still hasn't been fully told. HP WebInspect 9.2 packs several powerful new features that make for very effective Web Services assessments, and a completely reworked Web Service Test Designer is a great asset when unit testing SOAP-based Web Services.
Here is a summary of the broad new capabilities:
1) Full-fledged assessment: The detection engines can now find vulnerabilities such as blind SQL injection, local file inclusion and buffer overflows in the parameters of a SOAP operation.
2) Support for WCF: Basic templates for popular WCF options such as Custom, Federation and WSHttpBinding are included by default (see figure 1). Advanced configuration allows non-text message encodings such as MTOM and binary.
Figure 1
3) Handling message security: A large variety of SOAP-based assessments can now be run against services that use WS-Security and WS-Addressing. A comprehensive setup screen handles X.509, Kerberos and SAML tokens.
4) RPC support: Users can now assess SOAP services that use RPC encoding. The manual editor can be used to import payload data.
5) Detecting Web Services while scanning regular sites: WebInspect can recognise web requests whose bodies have a SOAP message structure. It lists them under Recommendations, as shown below, and from there users can obtain the Web Services design needed to start a dedicated Web Services scan.
Figure 2
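The two building blocks behind items 1 and 5 above are recognising a SOAP call in ordinary HTTP traffic and then enumerating the leaf parameters inside its Body so that probe strings can be injected into each one. The following is an added example in Python that does both; it is illustrative code written for this post and is not WebInspect's own engine. The sample request, the `GetOrder` and `Ping` operations, the `http://example.com` namespaces and the probe strings in `PROBES` are all constructed for the demonstration.

```python
"""Added example: spot SOAP 1.1/1.2 calls in captured HTTP requests and
enumerate the injectable leaf parameters in their bodies.  Illustrative
code for this post, not WebInspect's implementation."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
for _prefix, _uri in (("soap", SOAP11_NS), ("env", SOAP12_NS), ("wsse", WSSE_NS)):
    ET.register_namespace(_prefix, _uri)   # keep mutated envelopes readable

# Illustrative probe strings for the three classes named in the post
# (constructed here; not WebInspect's check payloads).  Blind SQLi is
# judged by comparing the responses to the true/false pair.
PROBES = {
    "blind_sqli": ["' AND 1=1--", "' AND 1=2--"],
    "lfi": ["../../../../etc/passwd", "..\\..\\..\\windows\\win.ini"],
    "overflow": ["A" * 4096],
}

# Constructed sample traffic: a SOAP 1.1 call carrying a WS-Security
# header, and a SOAP 1.2 call whose action travels in Content-Type.
SAMPLE11_HEADERS = {"Content-Type": "text/xml; charset=utf-8",
                    "SOAPAction": '"http://example.com/GetOrder"'}
SAMPLE11_BODY = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><GetOrder xmlns="http://example.com/orders">
    <orderId>1001</orderId><filter><region>EU</region></filter>
  </GetOrder></soap:Body>
</soap:Envelope>"""
SAMPLE12_HEADERS = {"Content-Type": 'application/soap+xml; charset=utf-8; action="urn:Ping"'}
SAMPLE12_BODY = b"""<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Body><Ping xmlns="urn:demo"><echo>hi</echo></Ping></env:Body></env:Envelope>"""

@dataclass
class SoapCall:
    version: str     # "1.1" or "1.2"
    action: str      # SOAPAction header (1.1) or action= parameter (1.2)
    operation: str   # local name of the first Body child
    params: dict     # "/op/child/leaf" -> current text of that leaf
    has_wsse: bool   # a wsse:Security header is present

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag

def _leaves(elem, path, out):
    """Map local-name paths to leaf elements (those with no child elements)."""
    kids = list(elem)
    if not kids:
        out[path] = elem
        return
    for kid in kids:
        _leaves(kid, f"{path}/{_local(kid.tag)}", out)

def detect_soap(headers, body):
    """Return a SoapCall if the request body is a SOAP envelope, else None.

    The envelope namespace is the decisive signal; Content-Type and
    SOAPAction only supply the action.  For untrusted traffic parse with
    defusedxml instead of the stdlib parser to avoid entity-expansion
    denial of service (assumption: the scanner has that dependency)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if _local(root.tag) != "Envelope" or not root.tag.startswith("{"):
        return None
    ns = root.tag[1:].split("}")[0]
    version = {SOAP11_NS: "1.1", SOAP12_NS: "1.2"}.get(ns)
    if version is None:
        return None
    hdrs = {k.lower(): v for k, v in headers.items()}
    if version == "1.1":
        action = hdrs.get("soapaction", "").strip('"')
    else:
        action = ""
        for part in hdrs.get("content-type", "").split(";")[1:]:
            key, _, val = part.strip().partition("=")
            if key.lower() == "action":
                action = val.strip('"')
    body_el = root.find(f"{{{ns}}}Body")
    if body_el is None or len(body_el) == 0:
        return None
    op = body_el[0]
    leaves = {}
    _leaves(op, f"/{_local(op.tag)}", leaves)
    header_el = root.find(f"{{{ns}}}Header")
    has_wsse = header_el is not None and header_el.find(f"{{{WSSE_NS}}}Security") is not None
    return SoapCall(version, action, _local(op.tag),
                    {p: (e.text or "") for p, e in leaves.items()}, has_wsse)

def inject(body, param_path, payload):
    """Return the envelope as text with one leaf parameter replaced by payload."""
    root = ET.fromstring(body)
    ns = root.tag[1:].split("}")[0]
    op = root.find(f"{{{ns}}}Body")[0]
    leaves = {}
    _leaves(op, f"/{_local(op.tag)}", leaves)
    leaves[param_path].text = payload        # KeyError for an unknown path
    return ET.tostring(root, encoding="unicode")

def generate_probes(headers, body):
    """List (param_path, probe_class, mutated_envelope) for every leaf."""
    call = detect_soap(headers, body)
    if call is None:
        return []
    return [(path, kind, inject(body, path, payload))
            for path in call.params
            for kind, payloads in PROBES.items()
            for payload in payloads]
```

The detector deliberately keys on the Envelope namespace rather than on `Content-Type`, because proxies and frameworks frequently send SOAP as plain `text/xml` without a `SOAPAction` header, which is exactly the traffic item 5 above is meant to surface. The parser works on the XML level only; MTOM or binary-encoded WCF bodies would have to be decoded by the transport layer before this step.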
In future posts I will suggest some good practices on Web Services scan workflow. Please add comments to this post to let us know what features interest you most.