WebApp Sec mailing list archives

RE: SOAP inspection / tampering tools?


From: "Matt Fisher" <mfisher () spidynamics com>
Date: Thu, 16 Sep 2004 07:44:44 -0400

> I imagine that this only makes sense if the SOAP goes over HTTP, HTTPS
> protects against sniffing.

Did you want to modify someone else's packets, or your own?  If you're
running a local proxy, then SSL isn't really an issue; there are
open/free proxies that speak SSL and terminate the packets into clear
text for you.   I've never used them on SOAP apps though.


> Are there open-source equivalents?

I couldn't find any open source SOAP-specific auditing tools, but I'm
interested in some as well (I'm relatively weak on SOAP and need to
learn).  A Google for "soap security tools" yielded lots of development
tools, a firewall, and janitorial supplies (!).  Anyone else?

If you're asking if there are open-source equivalents to the commercial
scanners, the answer is no.  Even the lowest end commercial scanner is
way ahead of the open source / freeware stuff right now.  The majority
of open source tools either simply expose the packet for you to
*manually* test, or perform extremely limited tests.  Remember too
though that there are other ways of testing an application, such as by
code review.  There are others on this list who have much more
expertise in that area than I.  Reply offline and I'll send you some
names.



> I know there are commercial tools available to scan a SOAP server
> on vulnerabilities, such as ...

SPI Dynamics' WebInspect *needs to be on your list*.  It's an extremely
popular commercial web / soap app assessment product. Disclaimer: I'm
proud to work for SPI.  There are also lots of services companies that
will do SOAP audits as well as web audits.  Reply offline and I'll send
you some names. 


> How good are these in finding problems with SOAP calls?

I've done a couple SOAP audits with WebInspect and I was quite pleased.
It has always found the usual suspects in SOAP apps for me, but one time
it actually found the ability to insert (and execute) shell commands.  I
was able to verify it in the console by viewing the Request and Response
packets, then I used the SOAP Editor to modify the packet (to make the
command something along the lines of "cat \etc\passwd") and resent it.
One fun thing was doing an "ls", finding archived source in the
web directory, requesting that through the browser, then opening the
source code locally in VS.Net ;)   This, btw, was in a matter of
minutes.  Had I done some extensive manual testing (or a code review)
I'd like to think that I would have found the same vulnerability, but it
definitely would have taken me ages longer.  Unfortunately I've never
done any SOAP audits in any other manner, so I have no baseline to
compare these results to, but you should be able to download an eval of
any commercial scanner right off the manufacturer's website and start
playing with it. 


An interesting note too, the SOAP apps I've audited tend to come out
with even more (and more serious) issues than web apps.  I haven't done
a ton of SOAP audits by any means, but I'm getting the general
impression that security awareness on that side is even lower than on
the web side.   Has anyone else been seeing that?





-----Original Message-----
From: Sebastien Deleersnyder [mailto:sdl () ascure com] 
Sent: Wednesday, September 15, 2004 4:11 AM
To: webappsec () securityfocus com
Subject: SOAP inspection / tampering tools?

Hi,
 
Are there any open-source / commercial tools available for inspection /
modification of SOAP traffic to perform audits on its security?
I am thinking of a local proxy-like program through which SOAP traffic
is channeled by e.g. modifying localhost : redirect traffic destined for
target.com to 127.0.0.1 The tool would allow for changing the SOAP
content both in the request/reply.
I imagine that this only makes sense if the SOAP goes over HTTP, HTTPS
protects against sniffing.
 
I know there are commercial tools available to scan a SOAP server on
vulnerabilities, such as

*       ScanDo (Kavado)
*       AppScan (Sanctum, now WatchFire)

How good are these in finding problems with SOAP calls?
Are there open-source equivalents?
 
Thank you,
 
Kind regards,
 
Sebastien
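The local proxy Sebastien describes (channel SOAP over HTTP through 127.0.0.1, inspect and edit the envelope) and the shell-command injection Matt's scanner turned up are both, at bottom, about what a SOAP gateway does with the parameter text inside the Body. The following is an added example, not code from WebInspect, ScanDo, AppScan or any other tool named in the thread: it parses a constructed SOAP request, rewrites one parameter the way a tampering proxy would, and, from the defender's side, flags parameters whose text carries shell metacharacters before they reach a handler. The service and operation names (urn:example:files, ListFiles) are assumptions.

```python
"""Minimal SOAP envelope inspector (added example, not from any tool in the thread).

- parse_body: list the operation and its parameters from a SOAP 1.1 Body
- set_param:  rewrite one parameter value (what a tampering proxy does)
- flag_shell_metachars: gateway-side check for the input class behind the
  command-injection finding discussed above
"""
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP_ENV}
# Keep the usual "soap" prefix when re-serialising an edited envelope.
ET.register_namespace("soap", SOAP_ENV)

# Constructed sample request; service and operation names are hypothetical.
SAMPLE_REQUEST = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ListFiles xmlns="urn:example:files">
      <directory>reports</directory>
      <pattern>*.pdf</pattern>
    </ListFiles>
  </soap:Body>
</soap:Envelope>"""

# Coarse heuristic: command separators, pipes, substitution and redirection.
# A real gateway would additionally validate each value against the WSDL/XSD type.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def local_name(tag: str) -> str:
    """Strip the {namespace} part ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_body(envelope: bytes):
    """Return (operation, {param: value}) for the first child of soap:Body."""
    root = ET.fromstring(envelope)
    body = root.find("soap:Body", NS)
    if body is None or len(body) == 0:
        raise ValueError("no SOAP Body element")
    op = body[0]
    params = {local_name(child.tag): (child.text or "") for child in op}
    return local_name(op.tag), params


def set_param(envelope: bytes, name: str, value: str) -> bytes:
    """Return a copy of the envelope with parameter `name` set to `value`."""
    root = ET.fromstring(envelope)
    op = root.find("soap:Body", NS)[0]
    for child in op:
        if local_name(child.tag) == name:
            child.text = value
            return ET.tostring(root, encoding="utf-8", xml_declaration=True)
    raise KeyError(name)


def flag_shell_metachars(envelope: bytes):
    """Defender-side check: sorted names of parameters containing shell metacharacters."""
    _, params = parse_body(envelope)
    return sorted(n for n, v in params.items() if SHELL_META.search(v))


if __name__ == "__main__":
    print(parse_body(SAMPLE_REQUEST))
    edited = set_param(SAMPLE_REQUEST, "directory", "reports; id")
    print(flag_shell_metachars(edited))
```

The metacharacter check is deliberately a heuristic: the durable fix on the server side is to never hand SOAP parameter text to a shell at all (call the program with an argument list and validate the value against the type the WSDL declares), with a gateway check like this one as defence in depth and as a cheap detection signal in request logs.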
