Re: SOAP inspection / tampering tools?

[Rogan Dawes <discard () dawes za net>]

Sebastien Deleersnyder wrote:

> Hi,
>  
> Are there any open-source / commercial tools available for inspection /
> modification of 
> SOAP traffic to perform audits on its security?
> I am thinking of a local proxy-like program through which SOAP traffic
> is channeled 
> by e.g. modifying localhost : redirect traffic destined for target.com
> to 127.0.0.1
> The tool would allow for changing the SOAP content both in the
> request/reply.
> I imagine that this only makes sense if the SOAP goes over HTTP, HTTPS
> protects against sniffing.

Hi Sebastien,

Many proxy intercept tools will also intercept HTTPS connections, so you 
should be able to intercept your SOAP over HTTPS as well. It is just a 
POST with a different content data-type, so there is no real difference 
there.

WebScarab is one such intercept tool that you could use: 
(http://www.owasp.org/software/webscarab.html), there is a large list of 
alternatives at http://dawes.za.net/rogan/exodus/comparison.php

If your SOAP client software does not support configuration of an 
upstream proxy, WebScarab can also masquerade as the server itself 
(effectively a reverse proxy) by specifying the base url when 
configuring the listener.

WebScarab does not as yet provide special support for SOAP. However, XML 
is plain text, so you should be able to just edit it as a text file 
using the built-in editor.

Regards,

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"