Web Services Testing David Ward. Something To Consider Eight to Eighty Information and...


Web Services Testing

David Ward

Something To Consider

Eight to Eighty

Information and Communications Systems Department (ICS)

Over 5 years

Agenda

Web Service Testing

Starting Points

Security Issues

Key Tools Demo

Intro Security

Tools Demo

Web Services

• Headless web application

• Programmatic interface (WSDL/WADL)

• HTTP transport

• XML/JSON data format

• Common types SOAP / REST


Testing Services

• Services are a contract - API(s)

• Test the contract (WSDL / WADL)

• Is the contract consistent?

• If the contract changes, it's a new version


QA Engineer Profile

• Programming background

• Strong personality – developer’s advocate

• Background developing / testing API(s)

• Security background

• Influencer


Security / Privacy

• Mark Zuckerberg (Facebook CEO) - 2010: The age of privacy is over / user information should default to public

• Eric Schmidt (Google CEO) - 2009: search engines including Google do retain information for some time…


Additional Attack Vector

• Web UI: App Server

• Web Service: App Server, Database


Security Standards

SOAP

• WS-Security

REST

• No formal standards

• Different approaches - Amazon, Flickr, Google


SOAP: WS-Security

<soap:Header>
  <wsse:Security soap:mustUnderstand="true"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-33"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>missionary_test_client</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">Q1QSzWSl8JY5AfQykkIoO6hTf3k=</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iWjprJQjnqHmlh8gSyRweg==</wsse:Nonce>
      <wsu:Created>2010-05-04T17:32:26.413Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
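To make the digest-password mechanism in this header concrete, here is an added example (not from the slides) that computes the UsernameToken PasswordDigest and shows the server-side checks a tester should look for when asking whether WS-Security is only "partially used": a fresh Created timestamp and single use of the Nonce. The nonce, timestamp, username and digest are the slide's values; the password is not on the slide, so a constructed placeholder is used, which is why the slide's own digest does not verify against it.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Nonce, Created and digest come from the slide's UsernameToken; the password is
# not on the slide, so "constructed-secret" below is a constructed placeholder.
NONCE_B64 = "iWjprJQjnqHmlh8gSyRweg=="
CREATED = "2010-05-04T17:32:26.413Z"
SLIDE_DIGEST = "Q1QSzWSl8JY5AfQykkIoO6hTf3k="
WSU_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

def password_digest(nonce_b64, created, password):
    """PasswordDigest = Base64(SHA-1(nonce bytes + Created + password))."""
    data = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

class UsernameTokenVerifier:
    """Checks password knowledge, timestamp freshness and single use of the nonce."""
    def __init__(self, passwords, freshness=timedelta(minutes=5)):
        self.passwords = passwords      # username -> password the server holds
        self.freshness = freshness      # allowed clock skew / message age
        self.seen_nonces = set()        # nonces already accepted (replay cache)

    def verify(self, username, nonce_b64, created, digest, now_iso):
        if username not in self.passwords:
            return False, "unknown user"
        created_at = datetime.strptime(created, WSU_FORMAT).replace(tzinfo=timezone.utc)
        now = datetime.strptime(now_iso, WSU_FORMAT).replace(tzinfo=timezone.utc)
        if abs(now - created_at) > self.freshness:
            return False, "stale timestamp"
        if nonce_b64 in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(nonce_b64, created, self.passwords[username])
        if not hmac.compare_digest(expected, digest):   # constant-time comparison
            return False, "bad digest"
        self.seen_nonces.add(nonce_b64)
        return True, "ok"

def demo():
    # Run the verifier over the slide's token values with the constructed password.
    verifier = UsernameTokenVerifier({"missionary_test_client": "constructed-secret"})
    good = password_digest(NONCE_B64, CREATED, "constructed-secret")
    token = ("missionary_test_client", NONCE_B64, CREATED)
    return {
        "slide_digest": verifier.verify(*token, SLIDE_DIGEST, "2010-05-04T17:33:00.000Z"),
        "fresh": verifier.verify(*token, good, "2010-05-04T17:33:00.000Z"),
        "replay": verifier.verify(*token, good, "2010-05-04T17:33:30.000Z"),
        "stale": verifier.verify(*token, good, "2010-05-04T19:00:00.000Z"),
    }
```

A service that accepts the "replay" or "stale" cases is the kind of partial WS-Security use the next slides warn about.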


REST: Security

• No formal security standards

• Often use SSL - transport layer only

• Proprietary authentication steps

– Amazon, Flickr, Google - different approaches

• Session Management – cookies (Oracle WAM)

Finding the Weak Link

• SSL – is the window open?

• SOAP’s WS-Security – partially used?

• Errors – are they too helpful?

• Interfaces – are they publicized?

• I’m behind the firewall – everything is great!

• Obfuscation is weak sauce!

• Innocent data can be maliciously used


Testing Tools

SoapUI

• Rest/Soap

• Functional

• Load

WireShark

• Packet Trace

• Protocols

• Filters

Appscan

• Web Apps

• Services

• Host Env

Firefox

• Plugins

• HttpFox

• TamperData

• RestClient


Wireshark


Protocols

• Decodes hundreds of protocols

• Analyze traffic patterns

Tracing

• Live packet capture

• Offline packet analysis

Filters

• Easily filter on protocols

• Intuitive analysis

Go Deep!

Firefox Plugins

HttpFox

• Monitor http traffic

• View headers

• View cookies

RESTClient

• Exercise RESTful web services

• Test endpoints

TamperData

• Modify post parameters

• Modify http headers

5000 and counting…

SoapUI

One Awesome Tool!

Project Setup

Test Suite Creation

Writing Tests

Groovy Scripts


Call To Action

Join the LDS Tech community

Identify Web Service Projects

Start testing!

References

• SoapUI – http://www.soapui.org/

• Wireshark – http://www.wireshark.org/

• Firefox Plugins – https://addons.mozilla.org/en-US/firefox/