Web Services Penetration Testing
Whilst web services can present similar vulnerabilities to web applications, they also have unique vulnerabilities specific to the format of the service. As a result, the majority of the testing exercise is a manual process involving multiple phases, each tailored to the nature and purpose of your service.
Whilst automated software forms part of our toolset, we believe there is no substitute for an intelligent, experienced and informed approach using skills honed over many years and hundreds of tests.
- Initially the service will be tested from an unauthenticated (anonymous) perspective to simulate an opportunistic attack. If authentication is required to access the service, the authentication mechanism will also be tested.
- Manual testing will be conducted to cover the nine key areas listed below.
- We will also run a vulnerability scan against the underlying web service platform for flaws that may not be apparent at the application layer.
- All identified vulnerabilities are verified to remove false positives and are exploited to demonstrate the real risks and impact of an attack.
- Our test methodology has been informed by:
  - The Open Web Application Security Project (OWASP)
  - The ISO 27001 standard, particularly the sections relating to publicly available information
  - Guidance offered by manufacturers and trusted third parties
- Our technical approach focuses on nine key areas:
  - Determine web service entry points and the communication schema
  - SSL/TLS testing, backup and unreferenced files, admin interfaces, HTTP methods
  - Attempt to use discovered entry points to retrieve sensitive information
  - XML Structural Testing: check the structure of the XML data to ensure it works as expected, and attempt to send malformed XML data in order to expose sensitive data
  - XML Content Testing: check for the presence of non-filtered input, which may lead to SQL injection or cross-site scripting vulnerabilities
  - HTTP GET/REST Testing: if the service is RESTful, we will examine the HTTP requests and responses for vulnerabilities
  - SOAP Attachment Testing: if SOAP attachments are allowed, check for file upload vulnerabilities
  - Attempt to use replay attacks to impersonate valid users of the service
  - Identify management services, TCP and UDP services, and security vulnerabilities
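The replay test in the list above checks whether a captured request can be resubmitted later and still be accepted. The following added example (not part of the original page or of First Base Technologies' own tooling) shows the defence a tester expects to find on a web service: each request carries a timestamp, a single-use nonce and an HMAC over the method, path, body, timestamp and nonce, and the server rejects requests whose signature is wrong, whose timestamp falls outside an acceptance window, or whose nonce has already been consumed. The shared key, header names and acceptance window are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed shared secret for the example; a real service loads this from a
# secret store rather than embedding it in code.
SHARED_KEY = b"example-shared-key-not-for-production"
# Assumed acceptance window: requests older (or newer) than this are stale.
MAX_SKEW_SECONDS = 300


def canonical_request(method, path, body, timestamp, nonce):
    """Bind every field that matters to the signature, so that changing the
    body, the target path or the nonce invalidates the HMAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the authentication headers for one request.
    timestamp and nonce are parameters only so that tests are deterministic."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    message = canonical_request(method, path, body, timestamp, nonce)
    signature = hmac.new(key, message, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": signature}


class ReplayGuard:
    """Server side: verifies the signature, then enforces freshness and
    single use of the nonce. Nonces are only remembered for the acceptance
    window, because anything older is rejected by the timestamp check anyway."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> timestamp at which it was accepted

    def _prune(self, now):
        self.seen_nonces = {
            n: t for n, t in self.seen_nonces.items() if now - t <= self.max_skew
        }

    def verify(self, method, path, body, headers, now=None):
        """Return (accepted, reason). The signature is checked before the
        nonce is recorded so that unauthenticated traffic cannot burn nonces."""
        now = int(time.time()) if now is None else now
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed authentication headers"

        if abs(now - timestamp) > self.max_skew:
            return False, "timestamp outside acceptance window"

        expected = hmac.new(
            self.key, canonical_request(method, path, body, timestamp, nonce), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"

        self._prune(now)
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = timestamp
        return True, "ok"


def demo():
    """Walk through the cases a replay test exercises; returns the verdicts."""
    guard = ReplayGuard(SHARED_KEY)
    body = b'{"amount": 10}'  # constructed sample request body
    headers = sign_request(SHARED_KEY, "POST", "/api/transfer", body, timestamp=1_700_000_000, nonce="n1")
    first = guard.verify("POST", "/api/transfer", body, headers, now=1_700_000_010)
    replay = guard.verify("POST", "/api/transfer", body, headers, now=1_700_000_020)
    tampered = guard.verify("POST", "/api/transfer", b'{"amount": 9999}', headers, now=1_700_000_020)
    stale_headers = sign_request(SHARED_KEY, "GET", "/api/balance", b"", timestamp=1_700_000_000, nonce="n2")
    stale = guard.verify("GET", "/api/balance", b"", stale_headers, now=1_700_001_000)
    return {"first": first, "replay": replay, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order of checks matters: the timestamp and signature are verified before the nonce is recorded, so an attacker without the key cannot exhaust or pre-register nonces, and a captured request is only replayable within the skew window, where the nonce cache catches it. A multi-node deployment would keep the nonce cache in shared storage rather than in process memory.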
At First Base Technologies we pride ourselves in being with you every step of the way in securing your web services from attack.