A real time example of security testing in web services

Now let's take a real time example of security testing a web service: the authentication service.

Web service functionality: The authentication service takes a username and a password as input and validates whether the credentials are correct.

The tests to be configured for this service:

  • SQL injection
  • XPath injection
  • Boundary value scans

Why should we use these scans, and why only these?

As we can see, the service is an authentication service whose input is a username and a password. An attacker targeting this service will try techniques to gain unauthorized access to the system, so we test the service with the following attack types:

  • SQL injection
  • XPath injection
  • Boundary value scans

The request to the service:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v1="http://xyz/xsd/resource/common/commondefinitions/msf/messagecontext/v1" xmlns:v11="http://xyz/xsd/interface/user/useraccount/useraccountmanagement/mcauthentication/v1">
   <soapenv:Header>
      <v1:MessageContext TimeToLive="?" messageID="?" messageType="?" timestamp="?">
         <!--Optional:-->
         <v1:CorrelationID>?</v1:CorrelationID>
         <v1:TransactionID>?</v1:TransactionID>
         <!--Optional:-->
         <v1:BusinessKey>?</v1:BusinessKey>
         <!--Optional:-->
         <v1:ApplicationID>?</v1:ApplicationID>
         <!--Optional:-->
         <v1:UserID>?</v1:UserID>
         <!--Optional:-->
         <v1:ServiceInstanceID>?</v1:ServiceInstanceID>
         <!--Optional:-->
         <v1:SourceProcess>?</v1:SourceProcess>
      </v1:MessageContext>
   </soapenv:Header>
   <soapenv:Body>
      <v11:AuthenticateRequest>
         <v11:username>Pranai</v11:username>
         <v11:password>Nandan</v11:password>
         <!--You may enter ANY elements at this point-->
      </v11:AuthenticateRequest>
   </soapenv:Body>
</soapenv:Envelope>
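As an added example (not code from the book or the service it describes), the following Python stands in for the service's backend: it parses the AuthenticateRequest shown above, then contrasts a lookup that splices the credentials into SQL text (the defect the SQL injection scan is designed to expose) with a hardened lookup that applies boundary limits first and binds the values as parameters. The in-memory user table and the 64-character limit are constructed assumptions.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Namespaces taken from the request envelope above.
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_AUTH = ("http://xyz/xsd/interface/user/useraccount/"
           "useraccountmanagement/mcauthentication/v1")
MAX_LEN = 64  # assumed boundary for both fields


def parse_authenticate_request(envelope: str) -> tuple[str, str]:
    """Pull username and password out of a SOAP AuthenticateRequest."""
    root = ET.fromstring(envelope)
    req = root.find(f".//{{{NS_SOAP}}}Body/{{{NS_AUTH}}}AuthenticateRequest")
    if req is None:
        raise ValueError("no AuthenticateRequest in Body")
    user = req.findtext(f"{{{NS_AUTH}}}username") or ""
    pw = req.findtext(f"{{{NS_AUTH}}}password") or ""
    return user, pw


def boundary_ok(value: str) -> bool:
    """Boundary check: non-empty, within MAX_LEN, printable characters only."""
    return 0 < len(value) <= MAX_LEN and value.isprintable()


def make_user_store() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the real backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('Pranai', 'Nandan')")
    return db


def authenticate_unsafe(db: sqlite3.Connection, user: str, pw: str) -> bool:
    """Vulnerable: credentials are concatenated into the SQL text, so a quote
    in the input changes the query itself. The SQL injection scan is meant
    to reveal exactly this behaviour."""
    sql = f"SELECT 1 FROM users WHERE username='{user}' AND password='{pw}'"
    return db.execute(sql).fetchone() is not None


def authenticate_safe(db: sqlite3.Connection, user: str, pw: str) -> bool:
    """Hardened: boundary check first, then bound parameters, so the input
    is only ever compared as data, never interpreted as SQL."""
    if not (boundary_ok(user) and boundary_ok(pw)):
        return False
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return db.execute(sql, (user, pw)).fetchone() is not None
```

Running the SoapUI scans against the unsafe variant should report a failure on the injection and boundary cases; the safe variant rejects them and still accepts the page's valid credentials.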

We will now see how to configure the test through a series of screenshots, starting with the following one:


Now, to add scans, we need to add a SecurityScan, as shown in the following figure:
