WebApp Sec mailing list archives

RE: SOAP inspection / tampering tools?


From: "Bob Auger" <bauger () spidynamics com>
Date: Thu, 16 Sep 2004 10:56:43 -0400

SPI Dynamics (http://www.spidynamics.com) has a couple of commercial tools that allow both automated and manual
assessment of SOAP applications.


SOAP Editor (Part of the SPI Toolkit)
"SPI Dynamics' SOAP Editor is used to generate Simple Object Access Protocol (SOAP) requests automatically, and to 
manually edit SOAP requests and responses."
http://www.spidynamics.com/products/Comp_Audit/toolkit/soap.html


SPI Proxy (Part of the SPI Toolkit)
"SPI Dynamics' SPI Proxy is a stand-alone, self-contained proxy server that you can configure and run on your desktop."
http://www.spidynamics.com/products/Comp_Audit/toolkit/proxy.html


Webinspect
"Enterprises with Web services implementations can automatically assess a Web service by discovering all XML input 
parameters and performing parameter manipulation on each XML field looking for vulnerabilities within the service 
itself."
http://www.spidynamics.com/products/QA/WI/index.html



Regards,

Robert Auger
SPI Labs
http://www.spidynamics.com


-----Original Message-----
From: Sebastien Deleersnyder [mailto:sdl () ascure com]
Sent: Wednesday, September 15, 2004 4:11 AM
To: webappsec () securityfocus com
Subject: SOAP inspection / tampering tools?


Hi,
 
Are there any open-source / commercial tools available for inspection / modification of
SOAP traffic to perform audits on its security?
I am thinking of a local proxy-like program through which SOAP traffic is channeled,
e.g. by modifying localhost: redirect traffic destined for target.com to 127.0.0.1.
The tool would allow for changing the SOAP content in both the request and the reply.
I imagine that this only makes sense if the SOAP goes over HTTP; HTTPS protects against sniffing.
 
I know there are commercial tools available to scan a SOAP server on
vulnerabilities, such as

* ScanDo (Kavado)
* AppScan (Sanctum, now WatchFire)

How good are these in finding problems with SOAP calls?
Are there open-source equivalents?
 
Thank you,
 
Kind regards,
 
Sebastien

