Dynamic Web Services Assessment using HP WebInspect


“There is no greater agony than bearing an untold story inside you.” - Maya Angelou.

Over the last couple of releases, HP WebInspect has added strong support for Web Services assessments. However, my interactions with various users have made me feel that we still have a story about our Web Services capabilities that has not fully been told yet. HP WebInspect 9.2 packs some powerful new features that make for very effective Web Services assessments, and a totally reworked Web Service Test Designer can be a great asset when unit testing SOAP-based Web Services.

Here is a summary of the broad new capabilities:

1) Full-fledged assessment: Smart detection engines are now capable of detecting vulnerabilities such as blind SQL injection, local file inclusion, and buffer overflows.

2) Support for WCF: Some basic templates to configure popular WCF options such as Custom, Federation and WSHttpBinding are included by default (see Figure 1). Advanced configuration will allow non-text encodings such as MTOM and Binary.

Figure 1 (image: wcf.jpg)

3) Handling message security: A large variety of SOAP-based assessments can now be supported using WS-Security and WS-Addressing. A comprehensive setup screen can handle X.509, Kerberos and SAML tokens.

4) RPC support: Users can now work with SOAP services that use RPC encoding. The manual editor can be used to import payload data.

5) Detecting Web Services while scanning regular sites: WebInspect can detect web requests that resemble SOAP message structures. It then adds them to the Recommendations, as shown below. Users can obtain the needed Web Services design to initiate a Web Services scan.

Figure 2 (image: wsdetect1.jpg)
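
The detection idea in item 5 (recognising SOAP-shaped requests in ordinary crawl traffic so they can be handed to a dedicated Web Services scan) can be illustrated with a small heuristic. This is an added example, not WebInspect's own code; the request records are constructed, and a real run would read them from a proxy capture.

```python
"""Flag SOAP-shaped POST requests seen while crawling a regular site so the
endpoints can be scoped into a Web Services scan (added example; sample traffic is constructed)."""
import xml.etree.ElementTree as ET

SOAP_ENVELOPE_NS = {  # envelope namespace -> SOAP version
    "http://schemas.xmlsoap.org/soap/envelope/": "1.1",
    "http://www.w3.org/2003/05/soap-envelope": "1.2",
}
XML_TYPES = {"text/xml", "application/xml", "application/soap+xml"}

def detect_soap(method, headers, body):
    """Return {'version', 'operation'} when the request looks like SOAP, else None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() != "POST" or ctype not in XML_TYPES:
        return None
    try:  # parse untrusted captures with defusedxml instead (entity expansion)
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    # ElementTree renders namespaced tags as '{uri}local'
    uri, _, local = root.tag[1:].partition("}") if root.tag[0] == "{" else ("", "", root.tag)
    version = SOAP_ENVELOPE_NS.get(uri)
    if local != "Envelope" or version is None:
        return None
    body_el = root.find("{%s}Body" % uri)  # operation = first child of Body
    op = body_el[0].tag.rpartition("}")[2] if body_el is not None and len(body_el) else None
    return {"version": version, "operation": op}

def find_soap_requests(records):
    """records: iterable of (url, method, headers, body) -> [(url, version, operation)]."""
    hits = ((url, detect_soap(m, h, b)) for url, m, h, b in records)
    return [(url, hit["version"], hit["operation"]) for url, hit in hits if hit]

SAMPLE_TRAFFIC = [  # constructed requests: SOAP 1.1, SOAP 1.2, a form login, plain XML
    ("http://example.test/ws/orders.asmx", "POST",
     {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '"GetOrder"'},
     '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
     '<GetOrder xmlns="urn:orders"><id>7</id></GetOrder></soap:Body></soap:Envelope>'),
    ("http://example.test/svc/Billing.svc", "POST",
     {"Content-Type": "application/soap+xml; charset=utf-8"},
     '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
     '<Charge xmlns="urn:billing"/></s:Body></s:Envelope>'),
    ("http://example.test/login", "POST",
     {"Content-Type": "application/x-www-form-urlencoded"}, "user=a&pass=b"),
    ("http://example.test/feed", "POST", {"Content-Type": "text/xml"}, "<rss><channel/></rss>"),
]
```

Running find_soap_requests(SAMPLE_TRAFFIC) reports only the two SOAP endpoints with their versions and operation names; the form post and the non-SOAP XML are ignored.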

In future posts I will suggest some good practices on Web Services scan workflow. Please add comments to this post to let us know what features interest you most.
