Web Services Penetration Testing Part 3: Automation with AppScan and Webinspect
In the previous article, we discussed the importance of tools in penetration testing, how automation helps in reducing time and effort, and how to automate web services penetration testing using soapUI Pro.
In this article, we will be focusing on what other options are available to automate web services penetration testing.
To perform web services penetration testing, soapUI Pro is one of the best options, but in certain conditions you might look for other options: for example, you do not do web services penetration testing regularly, or your budget is very low for an engagement that combines web application penetration testing with web services penetration testing, or you do not have much experience in performing web services penetration testing.
For these conditions, you need something that comes as a package: a tool for web application penetration testing as well as web services penetration testing; a tool where you just click next, next, next, and it gives you the result of the web services penetration test; a tool where you can throw in the WSDL and get the result. You might choose one of these very popular web application penetration testing tools, IBM AppScan or HP WebInspect.
IBM Security AppScan (http://www-03.ibm.com/software/products/us/en/appscan/) is one of the most popular and widely used automation tools in the arena of web application penetration testing. It allows penetration testers to automate their web application penetration testing to find the vulnerabilities present in the application. Most penetration testers use it only for web application penetration testing, but it can also be used to test web services for vulnerabilities. Now we will focus on how web services penetration testing is done with IBM Security AppScan.
Testing Web Services Using AppScan
Testing a Web Service using AppScan differs slightly from testing a normal web application because AppScan uses a separate client to explore the web services. That separate client is called the Generic Services Client (GSC).
Generic Service Client (GSC)
It uses the WSDL file of a web service to display the individual methods available in a tree format, and it creates a user-friendly GUI for sending requests to the service. You can use this interface to select methods one by one and to input the required values of the parameters. You can then send each request to the server and view the result in the form of the response. AppScan records every request made through the GSC and later uses the recorded requests to generate its test cases, so a method you never invoke in the GSC is not tested.
You need to configure AppScan properly with the required options to perform a web services penetration test. As we learned from “Web Services Penetration Testing Parts 1 and 2,” we need a WSDL file or URL to perform web services penetration testing properly. We will test the web services of http://www.testfire.net/bank/ws.asmx?WSDL. (testfire.net is IBM’s deliberately vulnerable AltoroMutual demo application, published for exactly this kind of practice; only scan services you are authorized to test.) It is always better to have sample test data (SOAP requests and responses) to test web services properly but, since we are performing black-box testing, we will only have the parameter names and data types from the WSDL and will supply values of the required type ourselves.
Open AppScan to start the web services penetration testing. AppScan will start with the window shown in Figure 1.
Figure 1: New Window
This window will show the recent scans and the option to “Create New Scan.” Click on that option. The “New Scan” window will open, as shown in Figure 2.
Figure 2: New Scan Window
This “New Scan” window will show the “Recent Templates” used and also the option to select one of the “Predefined Templates.” Select “Regular Scan” from the “Predefined Templates.” Clicking the “Regular Scan” template opens the “Scan Configuration Wizard” window, as shown in Figure 3.
Figure 3: Scan Configuration Window
In the “Scan Configuration Wizard,” select “Web Services Scan” and click on “Next” to open a window where you need to provide the WSDL file or WSDL URL, as shown in Figure 4.
Figure 4: URL and Servers Window
If you need to configure any additional settings for proxy or HTTP authentication, you can configure them here, but to test the web services, I will continue with the default settings, as shown in Figure 5.
Figure 5: URL and Servers Window
Click on “Next” to open the “Test Policy” window, as shown in Figure 6.
Figure 6: Test Policy Window
Here you will find a predefined policy for SOAP-related tests, named “Web Services.” Select “Web Services.” If you want to check which test cases are associated with this policy, click the “Full Scan Configuration” link in the bottom left corner of this window, under “General Tasks.” Clicking the “Full Scan Configuration” link opens a new “Full Scan Configuration” window, as shown in Figure 7.
Figure 7: Full Scan Configuration Window
Select the “Test Policy” tab, which is on the left side of the window under “TEST,” to view the test cases included in this Web Services policy. Under the “No Grouping” option when you start exploring the test cases, you will see three types of buttons:
Some of the classes of test cases included in this policy are:
XML External Entities
Cross Site Scripting
Abuse of functionality
Remote File Inclusion
Null Byte Injection
Insufficient Session Expiration
Insufficient Transport Layer Protection
HTTP Response Splitting
After exploring the test cases included, click on “OK” to close the full scan configuration window, then click on “Next” to complete the configuration wizard and it will open a new window, as shown in Figure 9.
Figure 9: Complete Scan Configuration Window
This window shows that you have successfully completed the scan configuration wizard and also provides information on how to start the test by exploring the web service methods using GSC. Click on “Finish” to launch GSC, which will import all the methods available in the provided WSDL file, as shown in Figure 10.
Figure 10: GSC Window
The GSC shows all the imported methods under “Request Library.” Now you need to edit each method’s request and provide a value of the required data type for each required parameter in the edit request option, as shown in Figure 11.
Figure 11: GSC
I selected the “IsValidUser” method and clicked on the “UserId” parameter. It requires a value of string data type, so provide a string value and invoke the request. I provided the value 1 and clicked on the “Invoke” button; the response I got is shown in Figure 12.
Figure 12: GSC Request Editor
Similarly, select every method, put a value of the required data type in each parameter, and invoke the requests one by one. After all the requests have been invoked, close the GSC window. AppScan will now record all the requests and generate the test cases to start the web services penetration test, as shown in Figure 13.
Figure 13: AppScan Test Window
As you can see, AppScan fetched all the requests from the GSC request history and is all set to start the test. Click on the “Test Only” option in the top left corner to start the test. After all the test cases have been run, you will get the result in AppScan, as shown in Figure 14.
Figure 14: AppScan Result
Here are the results of the web service scan using AppScan. Now you can use AppScan to test any web service and discover the vulnerabilities present, but you still need to verify each finding manually to rule out false positives.
HP WebInspect (http://www8.hp.com/in/en/software-solutions/software.html?compURI=1341991) is another very popular tool for web application penetration testing. It uses real-world hacking techniques and attacks to thoroughly analyze your web applications and web services and identify security vulnerabilities. Its web services features, in particular the automatic seeding of request parameters described below, make it one of the popular black-box web services penetration testing tools. Now we will focus on how to test web services using HP WebInspect.
Open WebInspect and you will find its start page containing “Recently Opened Scans,” “Scans Scheduled for Today,” “WebInspect Messages,” and “What’s new in WebInspect xx.x!” (where “xx.x” is the version of WebInspect you are using), along with options to start a new scan, as shown in Figure 15.
Figure 15: WebInspect Start Page
Click on “Start a Web Service Scan,” which will open a “Web Service Scan Wizard,” as shown in Figure 16.
Figure 16: Web Service Scan Window
Select “Configure a Web Service Scan” and, in the space for “WSDL Location,” insert your WSDL URL. In my case, I am using the same http://www.testfire.net/bank/ws.asmx?WSDL. In “Scan Name” enter a name; I am using testfire, as shown in Figure 17.
Figure 17: Web Service Scan Window
Click on “Next” to get the “Authentication and Connectivity” window, where you provide the required proxy and authentication details, as shown in Figure 18.
Figure 18: Authentication and Connectivity Window
Since in our case we do not need any “Network Proxy” or “Network Authentication,” uncheck the “Network Proxy” option, as shown in Figure 19.
Figure 19: Authentication and Connectivity Window
Click on “Next” to open the next window, which contains the “Detailed Scan Configuration”; before that, however, you will be prompted with a pop-up, “Would you like to launch the Web Service Test Designer Now?”, as shown in Figure 20.
Figure 20: Web Service Test Design Prompt
Click on “Yes” to open a new “Web Services Test Designer” window. This window lists all the methods in the provided WSDL file in the top left corner. To include or exclude a method from the scan, check or uncheck it, as shown in Figure 21.
Figure 21: Web Service Test Designer Window
I mentioned earlier that WebInspect is a popular black-box web services testing tool, and here is the reason: it not only imports all the methods from the WSDL but also fills in a value of the required data type for each parameter. So, as a pen tester, you just need to provide a valid WSDL to WebInspect and it will do the rest for you, unlike the other tools, where you need to manually insert data in each method. There is one limitation: sometimes WebInspect is unable to generate a value of the required data type for a parameter, and it then cannot build a request for that method, so the method is not tested unless you fill the value in by hand. In our case, WebInspect is unable to resolve the IsValidUser method, so a red cross is displayed at the right side of that method. Check the designer for such marks before you start the scan; a method that is skipped here never appears in the results, which is a false negative rather than a clean bill of health.
Now close the “Web Services Test Designer” window. It will prompt you to save the designer file. Click on “Yes” and save it by providing a name for your test designer file on your computer. I saved it as test4. The name is then filled in automatically in the name field of the Detailed Scan Configuration window, as shown in Figure 22.
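Both tools do the same two things before any attack payload is sent: enumerate the operations in the WSDL and seed each parameter with a value of the declared XML Schema type (typed by hand in AppScan’s GSC, generated automatically in WebInspect’s Test Designer). The script below, added here as an illustration and not code from the article, IBM AppScan or HP WebInspect, does that with the Python standard library: it reads a WSDL, builds a SOAP 1.1 envelope for every operation whose parameters are all built-in schema types, and reports any operation it cannot seed, which is the equivalent of the red cross in the Test Designer. The WSDL it parses is a constructed sample in the shape of an ASP.NET .asmx service; its operations, namespace and host (example.invalid) are invented and were not fetched from testfire.net, and in this sample it is the constructed PostTransaction operation, with a complexType parameter, that goes unresolved rather than IsValidUser.

```python
"""Added example, not code from the article, IBM AppScan or HP WebInspect:
enumerate a WSDL's operations and seed each one with a type-based placeholder
value, the manual step in GSC and the automatic step in WebInspect's Test
Designer. Standard library only."""
import urllib.request
import xml.etree.ElementTree as ET

WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"
SOAP_NS = "{http://schemas.xmlsoap.org/wsdl/soap/}"
XS_NS = "{http://www.w3.org/2001/XMLSchema}"
ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", ENV_NS)

# One placeholder per XML Schema built-in type, standing in for what a tester
# types into GSC. Any other type (a tns:* complexType here) is left unresolved,
# the equivalent of the red cross WebInspect shows on a method it cannot fill.
PLACEHOLDERS = {"string": "test", "int": "1", "long": "1", "decimal": "1.00",
                "boolean": "true", "dateTime": "2001-01-01T00:00:00"}

# Constructed sample in the shape of an ASP.NET .asmx WSDL. Operations,
# namespace and host are invented; nothing here was fetched from testfire.net.
# Response messages are omitted to keep the sample short.
SAMPLE_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions targetNamespace="http://example.invalid/bank"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://example.invalid/bank">
  <wsdl:types><xs:schema targetNamespace="http://example.invalid/bank" elementFormDefault="qualified">
    <xs:element name="IsValidUser"><xs:complexType><xs:sequence>
      <xs:element name="UserId" type="xs:string"/></xs:sequence></xs:complexType></xs:element>
    <xs:element name="TransferBalance"><xs:complexType><xs:sequence>
      <xs:element name="FromAccount" type="xs:long"/><xs:element name="ToAccount" type="xs:long"/>
      <xs:element name="Amount" type="xs:decimal"/></xs:sequence></xs:complexType></xs:element>
    <xs:element name="PostTransaction"><xs:complexType><xs:sequence>
      <xs:element name="Transaction" type="tns:Transaction"/></xs:sequence></xs:complexType></xs:element>
    <xs:complexType name="Transaction"><xs:sequence>
      <xs:element name="Memo" type="xs:string"/></xs:sequence></xs:complexType>
  </xs:schema></wsdl:types>
  <wsdl:message name="IsValidUserSoapIn"><wsdl:part name="parameters" element="tns:IsValidUser"/></wsdl:message>
  <wsdl:message name="TransferBalanceSoapIn"><wsdl:part name="parameters" element="tns:TransferBalance"/></wsdl:message>
  <wsdl:message name="PostTransactionSoapIn"><wsdl:part name="parameters" element="tns:PostTransaction"/></wsdl:message>
  <wsdl:portType name="BankSoap">
    <wsdl:operation name="IsValidUser"><wsdl:input message="tns:IsValidUserSoapIn"/></wsdl:operation>
    <wsdl:operation name="TransferBalance"><wsdl:input message="tns:TransferBalanceSoapIn"/></wsdl:operation>
    <wsdl:operation name="PostTransaction"><wsdl:input message="tns:PostTransactionSoapIn"/></wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="BankSoap" type="tns:BankSoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="IsValidUser"><soap:operation soapAction="http://example.invalid/bank/IsValidUser"/></wsdl:operation>
    <wsdl:operation name="TransferBalance"><soap:operation soapAction="http://example.invalid/bank/TransferBalance"/></wsdl:operation>
    <wsdl:operation name="PostTransaction"><soap:operation soapAction="http://example.invalid/bank/PostTransaction"/></wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="Bank"><wsdl:port name="BankSoap" binding="tns:BankSoap">
    <soap:address location="http://example.invalid/bank/ws.asmx"/></wsdl:port></wsdl:service>
</wsdl:definitions>"""


def _split(qname):
    """'xs:string' -> ('xs', 'string'). ElementTree drops the prefix map after
    parsing, so built-in types are recognised by their usual prefixes."""
    prefix, _, local = qname.rpartition(":")
    return prefix, local


def enumerate_operations(wsdl_text):
    """Return {operation: {action, location, params, unresolved, envelope}}."""
    root = ET.fromstring(wsdl_text)
    tns = root.get("targetNamespace")
    schema = root.find(WSDL_NS + "types/" + XS_NS + "schema")
    # Top-level schema element -> its child parameters as (name, type qname)
    params_of = {top.get("name"): [(p.get("name"), p.get("type"))
                                   for p in top.iter(XS_NS + "element") if p is not top]
                 for top in schema.findall(XS_NS + "element")}
    element_of = {m.get("name"): _split(m.find(WSDL_NS + "part").get("element"))[1]
                  for m in root.findall(WSDL_NS + "message")}
    action_of = {op.get("name"): op.find(SOAP_NS + "operation").get("soapAction")
                 for op in root.find(WSDL_NS + "binding").findall(WSDL_NS + "operation")}
    location = root.find(WSDL_NS + "service/" + WSDL_NS + "port/" + SOAP_NS + "address").get("location")
    ops = {}
    for op in root.find(WSDL_NS + "portType").findall(WSDL_NS + "operation"):
        name = op.get("name")
        element = element_of[_split(op.find(WSDL_NS + "input").get("message"))[1]]
        params = params_of[element]
        unresolved = [p for p, t in params
                      if _split(t)[0] not in ("xs", "xsd", "s") or _split(t)[1] not in PLACEHOLDERS]
        envelope = None
        if not unresolved:  # only fully seeded methods become scan requests
            env = ET.Element("{%s}Envelope" % ENV_NS)
            call = ET.SubElement(ET.SubElement(env, "{%s}Body" % ENV_NS), element, {"xmlns": tns})
            for p, t in params:
                ET.SubElement(call, p).text = PLACEHOLDERS[_split(t)[1]]
            envelope = ET.tostring(env, encoding="unicode")
        ops[name] = {"action": action_of.get(name), "location": location,
                     "params": params, "unresolved": unresolved, "envelope": envelope}
    return ops


def invoke(op, envelope, timeout=10):
    """POST one seeded envelope as GSC's Invoke button does (SOAP 1.1 over HTTP).
    Not called below; point it only at a service you are authorised to test."""
    req = urllib.request.Request(op["location"], data=envelope.encode("utf-8"), headers={
        "Content-Type": "text/xml; charset=utf-8", "SOAPAction": '"%s"' % op["action"]})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for name, op in enumerate_operations(SAMPLE_WSDL).items():
        if op["unresolved"]:
            print("%-16s cannot auto-fill %s (needs manual values)" % (name, op["unresolved"]))
        else:
            print("%-16s %s\n  %s" % (name, op["action"], op["envelope"]))
```

Run it and you get a seeded envelope for IsValidUser and TransferBalance and a “cannot auto-fill” line for PostTransaction. That third line is the one to act on: whichever tool you use, an operation that was never seeded is never attacked, so the scan report will be silent about it. Fill such parameters by hand (in GSC, or in the Test Designer) before starting the scan, and keep the list of unseeded operations next to the report so that silence is not mistaken for a clean result.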
Figure 22: Detailed Scan Configuration Window
You can see other settings in the same window. If you want any customized settings, you can enable them here, but in this case I am proceeding with the default settings. Click on “Next” to complete the wizard, as shown in Figure 23.
Figure 23: Web Services Scan Wizard Final Window
You will get a congratulations message there. Now click on “Scan” to start the scan. WebInspect will scan the web service and provide you with the vulnerability report, as shown in Figure 24.
Figure 24: WebInspect Result
Here the results of the web service scan are displayed. Now you can use WebInspect to test any web service, especially in black-box engagements, to discover the existing vulnerabilities, and again you need to verify each finding manually to rule out false positives.
Any automated tool will help you get good results from a penetration test and will reduce your time and effort, but it is always better to use it for coverage and focus more on manual testing, because automated tools produce false positives (findings that do not hold up when you reproduce them by hand) as well as false negatives (flaws in methods the scanner never exercised, or logic flaws no generic payload can reveal).