● Akansha Kesharwani
● Security Consultant @ Payatu Technologies
● Member @ Null Chapter Pune
● Introduction to Web Services
● Components of Web Services
● Introduction to tool(s) for Web Service Testing
● Demo of SOAP attacks
Introduction to Web Services
● Implementation of SOA(Service Oriented Architecture)
● Web services are XML-based information exchange systems that use
the Internet for direct application-to-application interaction.
● These systems can include programs, objects, messages, or
● For example, a client invokes a web service by sending an XML
message, then waits for a corresponding XML response.
● As all communication is in XML, web services are not tied to any one
operating system or programming language--Java can talk with Perl;
Windows applications can talk with Unix applications.
Why Pentest Web Services
● Increase Use of Web Services
● Widely exposed to attacks
● Due to lack of concern or knowledge, less security measures been
● Store and Transfer sensitive data making it attractive target for
Why Use Web Services
● Language Interoperability (Programming language independent)
● Platform Independent (Hardware and OS independent)
● Function Reusability
● Firewall Friendly
● Use of Standardized Protocols
● Low cost of communication
● Exposing the Existing Function on the network
Components of Web Services
The basic web services platform is XML + HTTP. All the standard web
services work using the following components:
● SOAP (Simple Object Access Protocol)
● WSDL (Web Services Description Language)
● UDDI (Universal Description, Discovery and Integration)
● XML based protocol
● Allows exchange of information over HTTP
● Used by Web Services to send XML requests.
● Platform Independent
● Language Independent
● Designed to communicate via Internet
● Simple and extensible
XML(Extensible Markup Language)
● Defines set of rules for encoding documents
● Is in Human and machine readable format
● WSDL was developed jointly by Microsoft and IBM.
● WSDL is an XML based protocol for information exchange in
decentralized and distributed environments.
● Standard format for describing Web Services
● WSDL definition describes how to access a web service and what
operations it will perform.
● XML formatted language used by UDDI
Elements of WSDL
● definitions : All the XML elements are packed under definition
element. It is also called as root or parent element of the WSDL file.
● types : Defines the (XML Schema) data types used by the web
● message : This is a dependent element. Message is specified
according to the data types defined in types element. And used in
side operation element later.
● portType : Element collects all the operations within a web service.
● operation : Collection of input, output, fault and other message as
specified in message element.
● input message : Parameters of the method used in SOAP request.
Elements of WSDL file
● output message : Parameters of the method used in SOAP request.
● binding : This element connects part 2 of WSDL file with part1
associating itself to the portType element and allows to define the
protocol we want to use.
● soap:binding : It formulates the SOAP message at runtime.
● service : Contains name of all the services provided by the service
● port : It provides the physical path or location of web server so that
service consumer can connect with service provider.
Testing Web Services
● Web services testing is categorized in 3 types:
– Black Box Testing
– Grey Box Testing
– White Box Testing
● No wsdl file
● So fingerprinting the wsdl file using google dorks.
Introduction to Tool(s)
● Tools play a very important role in any type of penetration test.
● Limited tools for Web Service Penetration Testing.
● Tool(s) :
– SoapUI by SMARTBEAR
– IBM AppScan
– HP WebInspect
● Add-ons : SOA-Client