WebApp Sec mailing list archives
RE: SOAP inspection / tampering tools?
From: "Bob Auger" <bauger () spidynamics com>
Date: Thu, 16 Sep 2004 10:56:43 -0400
SPI Dynamics (http://www.spidynamics.com) has a couple of commercial tools that allow both automated, and manual assessment of SOAP Applications. SOAP Editor (Part of the SPI Toolkit) "SPI Dynamics' SOAP Editor is used to generate Simple Object Access Protocol (SOAP) requests automatically, and to manually edit SOAP requests and responses." http://www.spidynamics.com/products/Comp_Audit/toolkit/soap.html SPI Proxy (Part of the SPI Toolkit) "SPI Dynamics' SPI Proxy is a stand-alone, self-contained proxy server that you can configure and run on your desktop. " http://www.spidynamics.com/products/Comp_Audit/toolkit/proxy.html Webinspect "Enterprises with Web services implementations can automatically assess a Web service by discovering all XML input parameters and performing parameter manipulation on each XML field looking for vulnerabilities within the service itself." http://www.spidynamics.com/products/QA/WI/index.html Regards, Robert Auger SPI Labs http://www.spidynamics.com -----Original Message----- From: Sebastien Deleersnyder [mailto:sdl () ascure com] Sent: Wednesday, September 15, 2004 4:11 AM To: webappsec () securityfocus com Subject: SOAP inspection / tampering tools? Hi, Are there any open-source / commercial tools available for inspection / modification of SOAP traffic to perform audits on its security? I am thinking of a local proxy-like program through which SOAP traffic is channeled by e.g. modifying localhost : redirect traffic destined for target.com to 127.0.0.1 The tool would allow for changing the SOAP content both in the request/reply. I imagine that this only makes sense if the SOAP goes over HTTP, HTTPS protects against sniffing. I know there are commercial tools available to scan a SOAP server on vulnerabilities, such as * ScanDo (Kavado) * AppScan (Sanctum, now WatchFire) How good are these in finding problems with SOAP calls? Are there open-source equivalents? Thank you, Kind regards, Sebastien
Current thread:
- SOAP inspection / tampering tools? Sebastien Deleersnyder (Sep 16)
- Re: SOAP inspection / tampering tools? David Nester (Sep 16)
- Re: SOAP inspection / tampering tools? Adam Tuliper (Sep 16)
- Re: SOAP inspection / tampering tools? Rogan Dawes (Sep 16)
- Re: SOAP inspection / tampering tools? Yuri Demchenko (Sep 18)
- Re: SOAP inspection / tampering tools? Adam Tuliper (Sep 18)
- Re: SOAP inspection / tampering tools? if0ff () softhome net (Sep 18)
- Re: SOAP inspection / tampering tools? Mads Rasmussen (Sep 18)
- Re: SOAP inspection / tampering tools? enrico sabbadin @ sabbasoft (Sep 19)
- <Possible follow-ups>
- RE: SOAP inspection / tampering tools? Matt Fisher (Sep 16)
- RE: SOAP inspection / tampering tools? Bob Auger (Sep 18)