This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Web Service Security Testing Cheat Sheet"
Line 6: | Line 6: | ||
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | | ||
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | ||
− | |||
__TOC__{{TOC hidden}} | __TOC__{{TOC hidden}} | ||
− | + | = Web Services Security Testing Cheat Sheet Introduction = | |
− | |||
− | |||
<p>As Web Services are incorporated into application environments, having a good checklist while performing security assessments can help a penetration tester better identify web service related vulnerabilities and associated risk.</p> | <p>As Web Services are incorporated into application environments, having a good checklist while performing security assessments can help a penetration tester better identify web service related vulnerabilities and associated risk.</p> |
Revision as of 19:32, 4 August 2015
Last revision (mm/dd/yy): 08/4/2015 Web Services Security Testing Cheat Sheet IntroductionAs Web Services are incorporated into application environments, having a good checklist while performing security assessments can help a penetration tester better identify web service related vulnerabilities and associated risk. PurposeThis document is intended to be an easy to use checklist while performing assessments against web services. The penetration tester is advised to incorporate this into his or her corporate testing methodology as a supplemental checklist or is free to use this checklist as the sole testing guideline. ChecklistPre-Assessment
Information Gathering
Testing Phase
Testing REST Based Web ServicesThere is already a great cheat sheet on how to properly test the security of REST based web services. You can find the guide at the following location: Testing SummaryWhile using automated tools, the penetration tester will need to validate all reported findings manually and perform due diligence false positive analysis for each vulnerability reported. During the manual phase of testing, the penetration tester will look for the existence of vulnerabilities missed by the automated tools and will validate automated tool output as necessary. References[2] http://www.securestate.com/Insights/Documents/WhitePapers/Dont-Drop-the-SOAP-Whitepaper.pdf Additional ResourcesBelow are resources to help the tester learn and refine their ability to effectively test various web services. Virtual Machines
Online Resources
Primary Author
Contributing Editors/Authors
Other Cheatsheets |