PEN-TESTING WEB SERVICES IN 2012
Ishan Girdhar

Why Attack Web Services?
- Secondary attack vector
- Ability to bypass controls in the application
- Many developers don't implement proper controls
- Installed outside the protection of the web application
- It is assumed that the only client for a web service is another application.

Web Services and OSI layers
- Implemented by adding XML into layer 7, the application layer (HTTP)
- SOAP – Simple Object Access Protocol
- Think of SOAP like you would think of SMTP: it's a message envelope, and you need to get a response.

Differences in Web Service Standards
- Some developers have moved from XML-based SOAP to RESTful services using JSON
- REST (Representational State Transfer) uses HTTP methods (GET, POST, PUT, DELETE)
- However:
  - SOAP-based services are complex for a reason!
  - Many custom enterprise applications use them
  - Large services still use SOAP: Amazon EC2, PayPal and Microsoft Azure are a few examples.

The Web Service Threat Model
- Web Service in Transit
  - Is data being protected in transit? SSL
  - What type of authentication is used? Basic Authentication != Secure
- Web Service Engine
- Web Service Deployment
- Web Service User Code

Web Services State of the Union
There are issues with:
- Scoping
- Tools
- Testing Process
- Methodology
- Testing Techniques
- Education
- Testing Environment
Basically, it's all broken.

Penetration testers don't know what to do with web services
- How do you scope?
- Do you even ask the right scoping questions?
- Where do you begin?
- How do I test this thing?
  - Automated vs. manual testing?
  - Black vs. grey vs. white box testing?

Why is the testing methodology broken?
OWASP Web Service Testing Guide v3
- It's good for web application testing "in general"
- It's the "Gold Standard"
- It's outdated in regards to web service testing
- Missing full coverage based on a complete threat model
- Testing focused on old technology
  - Examples: MiTM, client-side storage, host-based authentication
  - Example: no mention of WCF services, or of how to test multiple protocols.
- Most testing standards use grey box techniques and fail to address the unique requirements of web services.

Current Tools
- They suck
- Mostly commercial tools available (aimed at developers, very little security focus)
- Very little automation
  - soapUI, WCF Storm, SOA Cleaner
  - The tester's time is spent configuring tools and getting them running, less on hacking.
  - Minimal amount of re-usability.
- Multiple tools built from the ground up
  - Missing features
  - Missing functionality (payloads)
  - Community support?

Current Tools
- What happened to WebScarab?
- WS-Digger? No SSL?
- There are other tools, but many are hard to configure or just don't work properly.
- SOAP messages written by hand (THIS REALLY SUCKS!)
- ~14 modules in Metasploit for web services

WebScarab – Web Service Module (screenshot)
WSDigger (screenshot)
WSScanner (screenshot)

What are we using?
- soapUI combined with Burp Suite is the bomb.
- Still, it could be better.
- There are very good Burp Suite plugins by Ken Johnson as well:
  http://resources.infosecinstitute.com/soapattack-1/

Screenshots of soapUI & Burp (three screenshot slides)

Lack of testing environment
- OK. Fine. I have understood how to test web services, but where can I test it?
- On production systems ... wait, what?
- I'll build my own testing environment ... wait, what?

The SOAP Envelope Format
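The slide above shows the envelope structure; the deck's complaint that SOAP messages end up "written by hand" is easy to avoid. The following is an added example, not code from the slides: it builds a SOAP 1.1 request envelope for one operation and parses the reply, including a `<soap:Fault>`. The operation name `GetBalance`, the namespace `http://example.test/acct` and the sample fault are constructed placeholders.

```python
# Added example (not from the slides): build a SOAP 1.1 request envelope for
# one operation and parse the reply, including a <soap:Fault>. The operation
# name, service namespace and parameters used below are constructed.
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_ENV)


def build_envelope(operation, service_ns, params):
    """Return the request envelope as bytes, ready to POST as text/xml."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_ENV}}}Header")  # empty but explicit: security headers go here
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{service_ns}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{service_ns}}}{name}").text = str(value)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_response(xml_bytes):
    """Return {'fault': (faultcode, faultstring)} or {'result': {child: text}}."""
    root = ET.fromstring(xml_bytes)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("not a SOAP 1.1 envelope: no Body element")
    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:
        # SOAP 1.1 faultcode/faultstring are unqualified children of Fault.
        # A verbose faultstring (stack trace, SQL error text) is itself a finding.
        return {"fault": (fault.findtext("faultcode"), fault.findtext("faultstring"))}
    result = next(iter(body), None)
    if result is None:
        raise ValueError("empty SOAP Body")
    return {"result": {c.tag.split("}")[-1]: c.text for c in result}}


# Constructed fault reply, as a service would return it for a rejected request.
SAMPLE_FAULT = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>Internal error</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""
```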
Web Services Fingerprinting
- Google hacking for exposed WSDLs
  - filetype:asmx
  - filetype:jws
  - filetype:wsdl
- Searches for Microsoft Silverlight XAP files
- Shodan search for exposed web service management interfaces

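Whether a WSDL turns up in a search like the ones above or in an organization's own inventory, the next step is to enumerate what it describes. This is an added example, not code from the slides: it parses a WSDL 1.1 document and lists each SOAP endpoint, whether it is reached over TLS (the transit question from the threat model), and the operations bound to it. `WSDL_SAMPLE` is a constructed document for a fictitious `AccountService`.

```python
# Added example (not from the slides): enumerate what a WSDL 1.1 document
# exposes: each SOAP endpoint address and the operations bound to it.
# WSDL_SAMPLE is a constructed document, not a real service.
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
SOAP_BIND = "http://schemas.xmlsoap.org/wsdl/soap/"

WSDL_SAMPLE = b"""<?xml version="1.0"?>
<definitions name="AccountService" targetNamespace="http://example.test/acct"
    xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://example.test/acct"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <portType name="AccountPortType">
    <operation name="GetBalance"/><operation name="Transfer"/>
  </portType>
  <binding name="AccountBinding" type="tns:AccountPortType">
    <operation name="GetBalance"><soap:operation soapAction="urn:GetBalance"/></operation>
    <operation name="Transfer"><soap:operation soapAction="urn:Transfer"/></operation>
  </binding>
  <service name="AccountService">
    <port name="AccountPort" binding="tns:AccountBinding">
      <soap:address location="http://acct.example.test/ws"/>
    </port>
  </service>
</definitions>"""


def enumerate_wsdl(wsdl_bytes):
    """Return one dict per <port>: service, address, tls flag and bound operations."""
    root = ET.fromstring(wsdl_bytes)
    ops_by_binding = {}  # binding name -> [(operation name, SOAPAction)]
    for binding in root.iter(f"{{{WSDL}}}binding"):
        ops = []
        for op in binding.findall(f"{{{WSDL}}}operation"):
            sop = op.find(f"{{{SOAP_BIND}}}operation")
            ops.append((op.get("name"), sop.get("soapAction") if sop is not None else None))
        ops_by_binding[binding.get("name")] = ops
    endpoints = []
    for service in root.iter(f"{{{WSDL}}}service"):
        for port in service.findall(f"{{{WSDL}}}port"):
            addr = port.find(f"{{{SOAP_BIND}}}address")
            location = addr.get("location") if addr is not None else ""
            endpoints.append({
                "service": service.get("name"),
                "address": location,
                "tls": location.startswith("https://"),  # plain http:// = no transit protection
                # the binding attribute is a QName such as tns:AccountBinding; drop the prefix
                "operations": ops_by_binding.get(port.get("binding", "").split(":")[-1], []),
            })
    return endpoints
```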
The Importance of Web Service Management Interfaces
- If these interfaces are exposed, an attacker could:
  - How about weak and default passwords?
  - Control the system that has the web services deployed.
- Why bother even testing the web services at this point??
- For most organizations this is their biggest risk
- Pass-the-Hash
- Administration interfaces: Axis2, SAP Business Objects
  - 2010 Metasploit module created for this:
    http://spl0it.org/files/talks/base10/demo.txt

Web Services Threat
- Microsoft Silverlight: client-side applications that can use web services (SOAP or REST)
- Can use WCF (Windows Communication Foundation) services
- An attacker can directly interface with the web services... really no need for the client
- Security depends on the configuration of the services!

New Web Service Attacks
- WS-Attacks.org by Andreas Falkenberg
- Catalogs most (if not all) attacks for modern SOAP and BPEL web services
- SOAP requests to web services that provide content to the web app
- AJAX, Flash and Microsoft Silverlight add to the complexity.

New Advancements
- Client-side applications like Microsoft Silverlight.
- Increased complexity with AJAX and Flash implementations
- Multiple web services being used within applications
- Organizations exposing web services for mobile applications.

BPEL
- WS-BPEL: Web Services Business Process Execution Language (BPEL)
- Separates the business process from the implementation logic
- Usually a white box approach is required to understand the business logic fully.

Scoping a Web Service Pentest
- Pre-engagement scoping is CRITICAL!
- Not only for pricing but for proper testing
- Questions such as:
  - What type of framework is being used? (WCF, Apache Axis, Zend)
  - Types of services (SOAP, REST)
  - What type of data does the web service use?
  - SOAP attachment support?
  - Can you provide multiple SOAP requests that show full functionality?
- There are MANY more questions. Our white paper has the full list.

Tools
- soapUI
- Burp
- WS-Attacker
- For .NET web services:
  - WSKnight
  - WS-Digger

Further Resources
- Real world web services testing for web hackers, by Joshua, Tom and Kevin (Blackhat USA 2011)
- Web Service Security Testing Framework, by Colin Wong and Daniel Grzelak
- Web Services Hacking and Hardening, by Adam Vincent, Sr. Federal Solutions Architect

Questions ...

Presented by:
Ishan Girdhar
Infosec Consultant
Twitter: ishan_girdhar