Life has not been that interesting to produce further gibberish adage for the last few months. At work I’m looking into a plethora of antediluvian technologies – but still putting up to learn the new ones.
My white paper titled Security Concerns with Web Services was warmly appreciated and got published our internal knowledge net. Though, I cannot publish it anywhere else … I surely can share the helpful tools that I used to detect web service vulnerabilities.
With the tools listed below, some imaginations and a desire to have fun – you can really have a good idea about web services security.
Tools for studying Web Services Security
- WebGoat is an insecure J2EE application that provides a number of lessons for practicing commonly known security exploits.
- Soap UI is a popular SOA and Web Services testing tool with a number offeatures like web service client code generation, mock serviceimplementation, and groovy scripting.
- WS Fuzzer is a fuzzing penetration testing tool used against HTTP SOAP based web services. It tests numerous aspects (input validation, XML Parser, etc) of the SOAP target.
- WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols.
- LiveHTTPHeader is a mozilla plugin that provides all the information about the browser traffic.
- Cryptcat is a lightweight version of netcat with integrated transport encryption capabilities.
- Fiddler is a HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP Traffic, set breakpoints, and “fiddle” with incoming or outgoing data.
- TcpMon is a utility that allows the user to monitor the messages passed along in TCP based conversation.
- cURL is a tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE). The command is designed to work without user interaction.
Most of the above tools comes with neat documentation, so have fun!