First Base Technologies

Contact Us
Phone 01273 454525

Web Services Penetration Testing



Whilst web services can present similar vulnerabilities to web applications, they also have unique vulnerabilities specific to the format of the service. So, the majority of the testing exercise is a manual process involving multiple phases, each tailored to the nature and purpose of your service.

Whilst automated software forms part of our toolset, we believe there is no substitute for an intelligent, experienced and informed approach using skills honed over many years and hundreds of tests.

  • Initially the service will be tested from an unauthenticated (anonymous) perspective to simulate an opportunistic attack. If authentication is required to access the service, this will be tested as well.
  • Manual testing will be conducted to cover the nine key areas listed below.
  • We will also run a vulnerability scan against the underlying web service platform to find flaws that may not be apparent at the application layer.
  • All identified vulnerabilities are verified to remove false positives and are exploited to demonstrate the real risks and impact of an attack.
  • Our test methodology has been informed by:
      ◦ The Open Web Application Security Project (OWASP)
      ◦ The ISO 27001 standard, particularly the sections relating to publicly available information
      ◦ Guidance offered by manufacturers and trusted third parties

Our technical approach focuses on nine key areas:

  • Information Gathering: determine web service entry points and the communication schema
  • Configuration Management: SSL/TLS testing, backup and unreferenced files, admin interfaces, HTTP methods, cross-site tracing
  • WSDL Testing: attempt to use discovered entry points to retrieve sensitive information
  • XML Structural Testing: check the structure of the XML data to ensure it works as expected; attempt to send malformed XML data in order to expose sensitive data
  • XML Content Testing: check for the presence of non-filtered input, which may lead to SQL injection or cross-site scripting vulnerabilities
  • HTTP GET/REST Testing: if the service is RESTful, we will examine the HTTP requests and responses for vulnerabilities
  • SOAP Attachment Testing: if SOAP attachments are allowed, check for file upload vulnerabilities
  • Replay Testing: attempt to use replay attacks to impersonate valid users of the service
  • Server Configuration: identify management services, TCP and UDP services, and security vulnerabilities



At First Base Technologies we pride ourselves in being with you every step of the way in securing your web services from attack.


More Information

You can read our FAQ on penetration testing and vulnerability analysis here

See what our clients say about us here



  • CREST
  • ISO 27001
  • ISO 9001
  • CREST Cyber Essentials

E&OE
© 2001-2015 First Base Technologies LLP - All Rights Reserved.
First Base Technologies LLP is a limited liability partnership registered in England & Wales, number: OC352070
Website designed and mastered by didilogix

