APBR

How to scan multiple WSDL files/webservices in WebInspect 10?

Hi,

 

How can we scan multiple WSDL files/webservices at once in HP WebInspect 10?

 

Thanks

 

 

P.S. This post and reply have been split off from another thread, a new thread was created in HP Application Security Center > WebInspect, and its subtitle was edited. - HP Forum Moderator

Micro Focus Expert

Re: How to scan multiple WSDL files/webservices in WebInspect 10?

APBR;

 

To scan numerous WSDL in a single WebInspect Web Service scan, all you need to do is review and Import them into the Web Service Design tool beforehand.

 

This secondary tool is very important for pre-planning how the Crawler will get through the service appropriately.  The saved output from this WSD tool is then used as the input to the Web Service scan wizard.  It operates much in the way the Web form Editor tool does, to help provide "good values" so the crawler can expose the attack surface area properly.

 

To try this out, open the WSD tool and use the Import WSDL field to import both of the following samples I located.

 

 

You can do this for numerous WSDL.  Once imported, you will want to review the available Values fields for the collected operations and perhaps provide special values.

 

There is a tutorial on using this HP tool for basic and WS-Security authenticated services, but it appears to be down right now.

 

 

(sic)

++++++++++++++++++

The Zero.webappsecurity.com web services are designed to demonstrate web service vulnerabilities.

There are two essentially identical web services:

http://zero.webappscurity.com/CustomerAccounts/SecureWebService.asmx?wsdl is configured to use WS-Security for access control.

http://zero.webappscurity.com/CustomerAccounts/WebService.asmx?wsdl does not have access controls.

 

 

The data for the test web service consists of nine methods that access data for each of the three customer accounts. Data specific to the accounts will be returned through various operations. Like most web services, submission of accurate data will be necessary for certain operations to be successful.

 

For users unfamiliar with the web service, the method "ListTestAccounts" provides sufficient information to identify customer IDs and extract further data out of the web service using the Web Service Test Designer.

 

 

 

The web service has three test accounts; details concerning those accounts are described later on this page.

 

Click the link below to download a completed design file for scanning the web service:

http://zero.webappscurity.com/CustomerAccounts/ZeroWS.wsd

 

 

==========================================

Using WebInspect to scan the web service

Consult the WebInspect help file for more detailed information on conducting a web service assessment.

To perform a new assessment of the zero.webappsecurity.com web service using WebInspect:

1) Select New > WebService Scan

2) Select Configure a Web Service Scan. Enter or select the full path and name of a Web Service Definition Language (WSDL) file, http://zero.webappscurity.com/CustomerAccounts/WebService.asmx?wsdl, then click NEXT

3) No network authentication is needed. Update proxy information if necessary and click NEXT

4) Click Yes to launch the Web Service Test Designer

5) Within the test designer, select SOAP operations:

   i. Use the customer account information below to populate the relevant field with data
   ii. Click the send button to send the request with valid data
   iii. Review the operation-specific response to determine if the request was successful!

   For successful audits, valid data for SOAP operations must be provided

6) Use check marks to select or deselect methods to include in the service audit

7) Save the design file and close the designer.

8) Click Next on the scan wizard and Finish to start the scan.

 

 

 

Using WebInspect to scan the web service with WS-Security

Consult the WebInspect help file for more detailed information on conducting a web service assessment.

To perform a new assessment of the zero.webappsecurity.com web service using WebInspect:

1) Select New > WebService Scan

2) Select Configure a Web Service Scan. Enter or select the full path and name of a Web Service Definition Language (WSDL) file, http://zero.webappscurity.com/CustomerAccounts/SecureWebService.asmx?wsdl, then click NEXT

3) No network authentication is needed. Update proxy information if necessary and click NEXT

4) Click Yes to launch the Web Service Test Designer

5) Within the test designer:

   1. Select the "WebService" node to access WS-Security
   2. Place a check next to WS-Security, then input credentials:

      Username = 117526532
      Password = MyLamePass

   3. Select SOAP operations:

      i. Use the customer account information below to populate the relevant field with data
      ii. Click the send button to send the request with valid data
      iii. Review the operation-specific response to determine if the request was successful!

   For successful audits, valid data for SOAP operations must be provided

6) Use check marks to select or deselect methods to include in the service audit

7) Save the design file and close the designer.

8) Click Next on the scan wizard and Finish to start the scan.

 

 

 

==========================================

Accounts

Customer Accounts:

 

CustomerName = BillSmith42

Customer id = 20262083

CustomerPIN = 9674

Type= 25, Checking, acct# {1234567891234567}, balance {1982.47}

Type= 37, Savings, acct# {2026208337}, balance {1675.09}

Type= 49, IRA, acct# {2026208349}, balance {42318.79}

 

CustomerName = BobConrad75

Customer id = 20262906

CustomerPIN = 6482

Type= 25, Checking, acct# {2026290625}, balance {982.71}

Type= 37, Savings, acct# {2026290637}, balance {634.93}

Type= 59, IRA, acct# {2026290649}, balance {288367.81}

 

CustomerName = LizRice25

Customer id = 20364000

CustomerPIN = 5891

Type= 25, Checking, acct# {2036400025}, balance {14.47}

Type= 37, Savings, acct# {2036400037}, balance {96.12}

 

Employee Account:

EmployeeID = 117526532

EmployeePass = MyLamePass

 

++++++++++++++++++


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Lolla
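The WS-Security step above has the test designer send a UsernameToken with the tutorial's employee credentials. As an added example, not code from the original post or from WebInspect, the Python below shows that token on both sides of the exchange: the client builds the digest form defined by the WSS UsernameToken Profile (Base64 of SHA-1 over nonce, Created and password), and a service verifies it with the freshness and nonce bookkeeping it needs so that a captured token cannot simply be replayed. The function names, the five-minute skew window and the in-memory nonce set are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Employee account quoted in the tutorial above for the WS-Security endpoint.
USERNAME = "117526532"
PASSWORD = "MyLamePass"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WSS UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_username_token(username: str, password: str, now=None) -> dict:
    """Client side: the four UsernameToken elements placed inside the wsse:Security header."""
    created = (now or datetime.now(timezone.utc)).strftime(TIME_FMT)
    nonce = os.urandom(16)  # fresh random nonce for every request
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }

def verify_username_token(token: dict, passwords: dict, seen_nonces: set,
                          now=None, max_skew=timedelta(minutes=5)) -> bool:
    """Server side (assumed checks): reject stale or replayed tokens, then recompute the digest."""
    now = now or datetime.now(timezone.utc)
    try:
        created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(token["Nonce"], validate=True)
    except (KeyError, ValueError):
        return False  # malformed token
    if abs(now - created) > max_skew:
        return False  # outside the freshness window
    if token["Nonce"] in seen_nonces:
        return False  # a replayed token reuses its nonce
    password = passwords.get(token.get("Username"))
    if password is None:
        return False
    expected = password_digest(nonce, token["Created"], password)
    if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
        return False
    seen_nonces.add(token["Nonce"])  # remember the nonce so it cannot be presented again
    return True
```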

Re: How to scan multiple WSDL files/webservices in WebInspect 10?

Thanks 

 

But it seems that the URL http://zero.webappsecurity.com/customeraccounts/ doesn't exist anymore, as I receive the following message:

 

HTTP Status 404 

type Status report

message

description The requested resource is not available.

 

Please advise if they have moved to another location or if there are other WSDLs related to zero.webappsecurity that we can use.

 

Thanks in Advance.

Micro Focus Expert

Re: How to scan multiple WSDL files/webservices in WebInspect 10?

That test target was changed in early 2014. The old web application was retired to a new host name and its replacement took over the old host name. So what you once knew as "zero.webappsecurity.com" is now at "legacy.webappsecurity.com". You will find the old tutorial at "http://legacy.webappsecurity.com/customeraccounts/", and the new web application offers its own web services at "http://zero.webappsecurity.com/web-services/".

 

Summary:

The best method to address a SOAP-based (WSDL) web service is to first review it with the included Web Service Test Designer tool ("WSD"). It may be launched from the Web Service Scan Wizard, but I would suggest running it beforehand from the WebInspect Tools menu. This WSD tool permits the user to read the WSDL from a URL or as an Import, and then fill out the appropriate Values as needed for proper exercising of the application later. Multiple WSDL may be pulled into this tool at one time. The saved output file (*.wsd) from this WSD tool is then used as input for the Web Service Scan Wizard. Using this input file is akin to using the Web Form Editor file during a standard Web Site Scan, to provide the Crawler the appropriate testing values in order to expose more of the attack surface. The scanner uses this file to run through the application before leveraging its fuzzing attacks.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify