Web Services Testing
David Ward
Something To Consider
Eight to Eighty
Information and Communications Systems Department (ICS)
Over 5 years
Agenda
Web Service Testing
Starting Points
Security Issues
Key Tools Demo
Intro Security
Tools Demo
Web Services
• Headless web application
• Programmatic interface (WSDL/WADL)
• HTTP transport
• XML/JSON data format
• Common types SOAP / REST
Testing Services
• Services are a contract - API(s)
• Test the contract (WSDL / WADL)
• Is the contract consistent?
• If the contract changes, it's a new version
QA Engineer Profile
• Programming background
• Strong personality – developer’s advocate
• Background developing / testing API(s)
• Security background
• Influencer
Security / Privacy
• Mark Zuckerberg (Facebook CEO), 2010: "The age of privacy is over / user information should default to public"
• Eric Schmidt (Google CEO), 2009: "search engines including Google do retain information for some time…"
Additional Attack Vector
Web UI → App Server → Database
Web Service → App Server → Database
Security Standards
SOAP
• WS-Security
REST
• No formal standards
• Different approaches: Amazon, Flickr, Google
SOAP: WS-Security
<soap:Header>
  <wsse:Security soap:mustUnderstand="true"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-33"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>missionary_test_client</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">Q1QSzWSl8JY5AfQykkIoO6hTf3k=</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iWjprJQjnqHmlh8gSyRweg==</wsse:Nonce>
      <wsu:Created>2010-05-04T17:32:26.413Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
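The header above uses the UsernameToken Profile's PasswordDigest form: Base64(SHA-1(nonce || created || password)), with the nonce contributed as its raw decoded octets. The digest proves the sender knew the password, but nothing more; a service that checks only the digest accepts the same header replayed indefinitely. The following Python is an added example (not code from the deck or from the ICS project) showing a client building the token and a server verifying it with a freshness window and a nonce cache. The password for missionary_test_client is a constructed value; the slide does not reveal it, so the digest shown on the slide cannot be reproduced here.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed credential store. The user name is the one on the slide; the
# password is an assumption for the demo.
USERS = {"missionary_test_client": "constructed-demo-password"}

CREATED_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"   # matches e.g. 2010-05-04T17:32:26.413Z


def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0 PasswordDigest:
    Base64(SHA-1(nonce || created || password)), nonce as raw octets."""
    material = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def make_token(username, password, age_seconds=0):
    """Client side: build the UsernameToken fields for one request.
    age_seconds > 0 back-dates Created, to simulate a stale message."""
    now = datetime.now(timezone.utc) - timedelta(seconds=age_seconds)
    created = now.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (now.microsecond // 1000)
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    return {"Username": username, "Nonce": nonce, "Created": created,
            "Password": password_digest(nonce, created, password)}


class UsernameTokenVerifier:
    """Server side. The digest alone does not stop replay; the Created
    window plus a cache of accepted nonces does."""

    def __init__(self, users, freshness=timedelta(minutes=5)):
        self.users = users
        self.freshness = freshness
        self.seen_nonces = set()   # production: bounded cache expiring with the window

    def verify(self, token):
        now = datetime.now(timezone.utc)
        password = self.users.get(token.get("Username"))
        if password is None:
            return (False, "unknown user")
        try:
            created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return (False, "malformed Created")
        if abs(now - created) > self.freshness:
            return (False, "stale token")
        key = (token["Username"], token.get("Nonce", ""))
        if key in self.seen_nonces:
            return (False, "nonce replayed")
        try:
            expected = password_digest(key[1], token["Created"], password)
        except binascii.Error:
            return (False, "malformed Nonce")
        if not hmac.compare_digest(expected, token.get("Password", "")):
            return (False, "digest mismatch")
        self.seen_nonces.add(key)   # remember only nonces that authenticated
        return (True, "ok")


def demo():
    """Exercise the cases a tester would try against the endpoint."""
    verifier = UsernameTokenVerifier(USERS)
    real = USERS["missionary_test_client"]
    good = make_token("missionary_test_client", real)
    return {
        "fresh": verifier.verify(good),
        "replay": verifier.verify(good),
        "wrong_password": verifier.verify(make_token("missionary_test_client", "guess")),
        "stale": verifier.verify(make_token("missionary_test_client", real, age_seconds=3600)),
        "unknown_user": verifier.verify(make_token("nobody", "x")),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

When testing a SOAP service that claims WS-Security, resend a captured header unchanged after a few minutes and again immediately; a service that accepts either is doing the digest check only. The nonce cache must be keyed per user and bounded to the freshness window, or it becomes a memory-exhaustion target.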
REST: Security
• No formal security standards
• Often use SSL – transport-level protection only
• Proprietary authentication steps
– Amazon, Flickr, Google: different approaches
• Session management – cookies (Oracle WAM)
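Because SSL protects only the transport, a REST service that wants to bind a request to a caller usually signs it with a shared secret, which is the family of schemes Amazon and others use. The following Python is an added example of such a scheme, constructed for this page rather than copied from any vendor: a canonical string over method, path, sorted query, body hash and date, signed with HMAC-SHA256. The key id, secret and endpoint path are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed key store; key id and secret are demo values.
API_KEYS = {"client-42": b"constructed-shared-secret-do-not-reuse"}


def canonical_request(method, path, params, body, date):
    """The string both sides sign. Anything a tester could alter in transit
    (query parameters, body) must be covered here or it is unprotected."""
    query = "&".join("%s=%s" % (quote(k, safe=""), quote(v, safe=""))
                     for k, v in sorted(params.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, body_hash, date])


def sign_request(method, path, params, body, key_id, secret, date=None):
    """Client side: returns the headers to attach to the request."""
    date = str(int(time.time())) if date is None else date
    msg = canonical_request(method, path, params, body, date).encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Date": date, "Authorization": "HMAC-SHA256 %s:%s" % (key_id, mac)}


def verify_request(method, path, params, body, headers, keys, max_skew=300):
    """Server side: recompute the signature from what actually arrived."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("HMAC-SHA256 ") or ":" not in auth:
        return (False, "missing or malformed Authorization")
    key_id, _, presented = auth[len("HMAC-SHA256 "):].partition(":")
    secret = keys.get(key_id)
    if secret is None:
        return (False, "unknown key id")
    date = headers.get("X-Date", "")
    if not date.isdigit() or abs(int(time.time()) - int(date)) > max_skew:
        return (False, "date missing or outside skew window")
    msg = canonical_request(method, path, params, body, date).encode("utf-8")
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return (False, "signature mismatch")
    return (True, "ok")


def demo():
    """Valid call, then the manipulations a tester would try with TamperData."""
    path, params, body = "/v1/account", {"account": "1234", "action": "balance"}, b""
    secret = API_KEYS["client-42"]
    headers = sign_request("GET", path, params, body, "client-42", secret)
    tampered = dict(params, account="9999")               # changed after signing
    old = sign_request("GET", path, params, body, "client-42", secret,
                       date=str(int(time.time()) - 3600))  # captured an hour ago
    mac = headers["Authorization"].split(":")[1]
    wrong_key = dict(headers, Authorization="HMAC-SHA256 client-99:" + mac)
    return {
        "valid": verify_request("GET", path, params, body, headers, API_KEYS),
        "tampered_param": verify_request("GET", path, tampered, body, headers, API_KEYS),
        "replayed_old": verify_request("GET", path, params, body, old, API_KEYS),
        "unsigned": verify_request("GET", path, params, body, {}, API_KEYS),
        "wrong_key": verify_request("GET", path, params, body, wrong_key, API_KEYS),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The date check bounds replay to the skew window; if a repeat inside that window matters for the operation (a transfer rather than a balance query), add a per-key nonce cache as in the WS-Security case. Note that the signature covers the message, not the channel, so SSL is still needed to keep the parameters and the key id confidential.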
Finding the Weak Link
• SSL – is the window open?
• SOAP's WS-Security – only partially used?
• Errors – are they too helpful?
• Interfaces – are they publicized?
• I’m behind the firewall – everything is great!
• Obfuscation is weak sauce!
• Innocent data can be maliciously used
Testing Tools
SoapUI
• REST / SOAP
• Functional
• Load
Wireshark
• Packet trace
• Protocols
• Filters
AppScan
• Web apps
• Services
• Host environment
Firefox
• Plugins: HttpFox, TamperData, RESTClient
Wireshark
Protocols
• Decodes hundreds of protocols
• Analyze traffic patterns
Tracing
• Live packet capture
• Offline packet analysis
Filters
• Easily filter on protocols
• Intuitive analysis
Go Deep!
Firefox Plugins
HttpFox
• Monitor HTTP traffic
• View headers
• View cookies
RESTClient
• Exercise RESTful web services
• Test endpoints
TamperData
• Modify POST parameters
• Modify HTTP headers
5000 and counting…
SoapUI
One Awesome Tool!
• Project setup
• Test suite creation
• Writing tests
• Groovy scripts
Call To Action
Join the LDS Tech community
Identify Web Service Projects
Start testing!
References
• SoapUI: http://www.soapui.org/
• Wireshark: http://www.wireshark.org/
• Firefox Plugins: https://addons.mozilla.org/en-US/firefox/