WebApp Sec mailing list archives

Re: SOAP inspection / tampering tools?


From: David Nester <david () icrew org>
Date: Thu, 16 Sep 2004 06:07:36 -0500

Sebastien,

You might check out this new application from Spidynamics.  Although I have
only used Webinspect...it appears that this application will allow you to do
SOAP modification:

      SPI Toolkit

       http://www.spidynamics.com/products/Comp_Audit/toolkit/index.html

David



---------------------------------------

David Nester
iCrew Security
david () icrew org
http://www.icrew.org



From: "Sebastien Deleersnyder" <sdl () ascure com>
Date: Wed, 15 Sep 2004 10:11:23 +0200
To: <webappsec () securityfocus com>
Subject: SOAP inspection / tampering tools?

Hi,

Are there any open-source / commercial tools available for inspection /
modification of SOAP traffic to perform audits on its security?
I am thinking of a local proxy-like program through which SOAP traffic
is channeled by e.g. modifying localhost : redirect traffic destined for
target.com to 127.0.0.1
The tool would allow for changing the SOAP content both in the
request/reply.
I imagine that this only makes sense if the SOAP goes over HTTP, HTTPS
protects against sniffing.

I know there are commercial tools available to scan a SOAP server for
vulnerabilities, such as

*    ScanDo (Kavado)
*    AppScan (Sanctum, now WatchFire)

How good are these in finding problems with SOAP calls?
Are there open-source equivalents?

Thank you,

Kind regards,

Sebastien


