Why Web Services Penetration Testing?

While web services can present similar vulnerabilities to web applications, they also have unique vulnerabilities specific to the format of the service. In most cases, testing exercise is a manual process involving multiple phases, each tailored to the nature and purpose of your service.

Although automated software forms part of our toolset, we believe that there is no substitute for an intelligent, experienced and informed approach using skills honed over many years and hundreds of tests.

  • Initially the service will be tested from an unauthenticated (anonymous) perspective to simulate an opportunistic attack. If authentication is required to access the service this will be tested.

  • Manual testing will be conducted to cover the nine key areas listed below

  • We will also vulnerability scan the underlying web service platform for flaws that may not be apparent at the application layer

  • All identified vulnerabilities are verified to remove false positives and are exploited to demonstrate the real risks and impact of an attack


Our test methodology has been informed by:

  • The Open Web Application Security Project (OWASP)

  • The ISO 27001 standard, particularly the sections relating to publicly available information

  • Guidance offered by manufacturers and trusted third parties



Our technical approach focuses on nine key areas:

  • Information Gathering Determine Web Service entry points and the communication schema

  • Configuration Management SSL/TLS testing, backup and unreferenced files, admin interfaces, HTTP methods, cross-site tracing

  • WSDL Testing Attempt to use discovered entry points to retrieve sensitive information

  • XML Structural Testing Check the structure of the XML data to ensure it works as expected. Attempt to send malformed XML data in order to expose sensitive data

  • XML Content Testing Check for the presence of non-filtered input, which may lead to SQL injection or cross-site scripting vulnerabilities

  • HTTP GET/REST Testing if the service is RESTful we will examine the HTTP requests and responses for vulnerabilities

  • SOAP Attachment Testing if SOAP attachments are allowed, check for file upload vulnerabilities

  • Replay Testing Attempt to use replay attacks to impersonate valid users of the service

  • Server Configuration Identify management services, TCP and UDP services, security vulnerabilities

  • LinkedIn - White Circle
  • w-facebook