WebApp Sec mailing list archives
Re: SOAP inspection / tampering tools?
From: Rogan Dawes <discard () dawes za net>
Date: Thu, 16 Sep 2004 11:30:32 +0200
Sebastien Deleersnyder wrote:
Hi,

Are there any open-source / commercial tools available for inspection / modification of SOAP traffic to perform audits on its security?

I am thinking of a local proxy-like program through which SOAP traffic is channeled by e.g. modifying localhost : redirect traffic destined for target.com to 127.0.0.1

The tool would allow for changing the SOAP content both in the request/reply. I imagine that this only makes sense if the SOAP goes over HTTP, HTTPS protects against sniffing.

Hi Sebastien,

Many proxy intercept tools will also intercept HTTPS connections, so you should be able to intercept your SOAP over HTTPS as well. It is just a POST with a different content data-type, so there is no real difference there.
WebScarab is one such intercept tool that you could use (http://www.owasp.org/software/webscarab.html). There is a large list of alternatives at http://dawes.za.net/rogan/exodus/comparison.php
If your SOAP client software does not support configuration of an upstream proxy, WebScarab can also masquerade as the server itself (effectively a reverse proxy) by specifying the base url when configuring the listener.
WebScarab does not as yet provide special support for SOAP. However, XML is plain text, so you should be able to just edit it as a text file using the built-in editor.
Regards,

Rogan
--
Rogan Dawes
*ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
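The point that a SOAP call is an ordinary POST whose XML body can be edited as text, shown as an added example (not part of the original message and not WebScarab's code): it recognises a SOAP request in a raw HTTP capture, changes one element, and recomputes Content-Length, which is the step a hand edit of the body makes necessary. The host, namespace, operation and function names are hypothetical, and the request is a constructed sample.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
ET.register_namespace("soap", SOAP_NS)  # keep the familiar prefix on output

# Constructed sample: a SOAP 1.1 call to a hypothetical service, as seen by a proxy.
BODY = (
    '<?xml version="1.0"?>'
    f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
    '<soap:Body><GetQuote xmlns="urn:example:quotes">'
    '<symbol>ABC</symbol></GetQuote></soap:Body></soap:Envelope>'
)
RAW = (
    "POST /quotes HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "urn:example:quotes#GetQuote"\r\n'
    f"Content-Length: {len(BODY.encode())}\r\n"
    "\r\n" + BODY
).encode()

def parse_request(raw: bytes):
    """Split a raw HTTP request into request line, header list and body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    return lines[0], [tuple(l.split(": ", 1)) for l in lines[1:]], body

def is_soap(raw: bytes) -> bool:
    """True when the POST carries an XML content type and a SOAP Envelope root."""
    line, headers, body = parse_request(raw)
    ctype = {k.lower(): v for k, v in headers}.get("content-type", "").lower()
    if not line.startswith("POST ") or not ctype.startswith(("text/xml", "application/soap+xml")):
        return False
    return ET.fromstring(body).tag == f"{{{SOAP_NS}}}Envelope"

def edit_element(raw: bytes, local_name: str, new_text: str) -> bytes:
    """Replace the text of every element named local_name and fix Content-Length."""
    line, headers, body = parse_request(raw)
    root = ET.fromstring(body)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:  # ignore the namespace part
            el.text = new_text
    new_body = ET.tostring(root, encoding="utf-8")
    # A stale Content-Length makes the server truncate or wait on the edited body.
    headers = [(k, str(len(new_body)) if k.lower() == "content-length" else v)
               for k, v in headers]
    head = "\r\n".join([line] + [f"{k}: {v}" for k, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + new_body
```

Because any value in the envelope can be rewritten this way before it reaches the service, an audit should confirm that every field is validated server-side.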