WebApp Sec mailing list archives
RE: SOAP inspection / tampering tools?
From: "Matt Fisher" <mfisher () spidynamics com>
Date: Thu, 16 Sep 2004 07:44:44 -0400
> I imagine that this only makes sense if the SOAP goes over HTTP, HTTPS
> protects against sniffing.

Did you want to modify someone else's packets, or your own? If you're running a local proxy, then SSL isn't really an issue; there are open/free proxies that speak SSL and terminate the packets into clear text for you. I've never used them on SOAP apps though.
> Are there open-source equivalents?

I couldn't find any open source SOAP specific auditing tools, but I'm interested in some as well (I'm relatively weak on SOAP and need to learn). A Google for "soap security tools" yielded lots of development tools, a firewall, and janitorial supplies (!). Anyone else? If you're asking if there are open-source equivalents to the commercial scanners, the answer is no. Even the lowest end commercial scanner is way ahead of the open source / freeware stuff right now. The majority of open source tools either simply expose the packet for you to *manually* test, or perform extremely limited tests. Remember too though that there are other ways of testing an application, such as by code review. There are others on this list who have much more expertise in that area than I. Reply offline and I'll send you some names.
> I know there are commercial tools available to scan a SOAP server
> on vulnerabilities, such as ...

SPI Dynamics' WebInspect *needs to be on your list*. It's an extremely popular commercial web / SOAP app assessment product. Disclaimer: I'm proud to work for SPI. There are also lots of services companies that will do SOAP audits as well as web audits. Reply offline and I'll send you some names.
> How good are these in finding problems with SOAP calls?

I've done a couple SOAP audits with WebInspect and I was quite pleased. It has always found the usual suspects in SOAP apps for me, but one time it actually found the ability to insert (and execute) shell commands. I was able to verify it in the console by viewing the Request and Response packets, then I used the SOAP Editor to modify the packet (to make the command something along the lines of "cat \etc\passwd") and resent it. One fun thing was doing an "ls", finding archived source in the web directory, requesting that through the browser, then opening the source code locally in VS.Net ;) This, btw, was in a matter of minutes. Had I done some extensive manual testing (or a code review) I'd like to think that I would have found the same vulnerability, but it definitely would have taken me ages longer.

Unfortunately I've never done any SOAP audits in any other manner, so I have no baseline to compare these results to, but you should be able to download an eval of any commercial scanner right off the manufacturer's website and start playing with it.

An interesting note too, the SOAP apps I've audited tend to come out with even more (and more serious) issues than web apps. I haven't done a ton of SOAP audits by any means, but I'm getting the general impression that security awareness on that side is even lower than on the web side. Has anyone else been seeing that?

-----Original Message-----
From: Sebastien Deleersnyder [mailto:sdl () ascure com]
Sent: Wednesday, September 15, 2004 4:11 AM
To: webappsec () securityfocus com
Subject: SOAP inspection / tampering tools?

Hi,

Are there any open-source / commercial tools available for inspection / modification of SOAP traffic to perform audits on its security? I am thinking of a local proxy-like program through which SOAP traffic is channeled by e.g. modifying localhost: redirect traffic destined for target.com to 127.0.0.1. The tool would allow for changing the SOAP content both in the request/reply.

I imagine that this only makes sense if the SOAP goes over HTTP, HTTPS protects against sniffing.

I know there are commercial tools available to scan a SOAP server on vulnerabilities, such as
* ScanDo (Kavado)
* AppScan (Sanctum, now WatchFire)

How good are these in finding problems with SOAP calls? Are there open-source equivalents?

Thank you,
Kind regards,
Sebastien
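As an added illustration (not code from the thread or from any product named in it), here is a small Python check that a SOAP service, or an inspection proxy of the kind the original post asks about, could run over incoming envelopes to flag parameter values carrying shell metacharacters, the class of input behind the command-injection finding described above. It assumes SOAP 1.1 envelopes with one element per parameter under the operation element; the sample envelopes and the `urn:example` operation are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace

# Characters that let a string parameter break out of its intended value when a
# service naively hands it to a system shell.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def soap_parameters(envelope: str) -> dict:
    """Return {parameter_name: text} for every leaf element under soap:Body.

    Assumption of this example: the operation element wraps one child element
    per parameter (the common document/rpc style), so leaves are the values.
    """
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("not a SOAP 1.1 envelope: no Body element")
    params = {}
    for operation in body:
        for leaf in operation.iter():
            if len(leaf) == 0 and leaf is not operation:
                name = leaf.tag.split("}", 1)[-1]      # drop the namespace prefix
                params[name] = (leaf.text or "").strip()
    return params


def suspicious_parameters(envelope: str) -> dict:
    """Return only the parameters whose value contains a shell metacharacter."""
    return {k: v for k, v in soap_parameters(envelope).items() if SHELL_META.search(v)}


# Constructed samples: a benign request and the same request with a parameter
# value tampered to carry a second command, as an intercepting proxy would show it.
BENIGN = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetFile xmlns="urn:example">
      <Name>report.txt</Name>
    </GetFile>
  </soap:Body>
</soap:Envelope>"""

TAMPERED = BENIGN.replace("report.txt", "report.txt; id")

if __name__ == "__main__":
    print("benign:", suspicious_parameters(BENIGN))      # {}
    print("tampered:", suspicious_parameters(TAMPERED))  # {'Name': 'report.txt; id'}
```

A flag from this check is a reason to reject the request (or, in a proxy, to log the envelope for review), not a substitute for the service never passing parameter text to a shell in the first place.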
Current thread:
- SOAP inspection / tampering tools? Sebastien Deleersnyder (Sep 16)
- Re: SOAP inspection / tampering tools? David Nester (Sep 16)
- Re: SOAP inspection / tampering tools? Adam Tuliper (Sep 16)
- Re: SOAP inspection / tampering tools? Rogan Dawes (Sep 16)
- Re: SOAP inspection / tampering tools? Yuri Demchenko (Sep 18)
- Re: SOAP inspection / tampering tools? Adam Tuliper (Sep 18)
- Re: SOAP inspection / tampering tools? if0ff () softhome net (Sep 18)
- Re: SOAP inspection / tampering tools? Mads Rasmussen (Sep 18)
- Re: SOAP inspection / tampering tools? enrico sabbadin @ sabbasoft (Sep 19)
- <Possible follow-ups>
- RE: SOAP inspection / tampering tools? Matt Fisher (Sep 16)
- RE: SOAP inspection / tampering tools? Bob Auger (Sep 18)