From: H D Moore (sflist_at_digitaloffense.net)
Date: Wed Jul 24 2002 - 02:43:52 CDT

On Monday 22 July 2002 23:56, James Fleming wrote:
> I have read the WS-Security proposed specs etc but
> haven't really seen any discussions or read any good
> info about web services security vulnerabilities.

The "Hacking Exposed: Web Applications" book contains a small section on
web services, mostly a description of the UDDI protocol and the use of
the "self-documenting" ?wsdl and ?disco options in .Net web services.

I briefly touched on them during my Cansecwest 2002 presentation:

http://www.digitaloffense.net/confs/core02/slides/

> Do any tools check for those problems or audit any
> webservices directories yet?

Nothing available that I know of; the tools I wrote are nowhere near ready
for a public release. The protocols themselves are fairly simple: you can
consider it a web application where all the variable names and types are
publicly available. Services implemented using the .Net framework are
about as easy as it gets to mess with; just browsing to the .asmx file
will spit back a ton of information about the application and direct
links to all functions available from it. The UDDI implementations I have
seen offer little or no authentication features for registration of
services. It's possible to overwrite a "registered" service entry with
your own application and then process all requests in its place...

-HD
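The post above points out that a .Net .asmx endpoint hands back its WSDL, DISCO document and a help page to anyone who browses to it. The following is an added example, not code from the original post or its author, showing two defender-side checks: a scan over web-server access logs that counts which clients pulled the documentation pages of an .asmx service, and a check that a web.config fragment removes the ASP.NET "Documentation" protocol, which is the setting (an assumption beyond the post, from ASP.NET 1.x/2.0 configuration) that turns those responses off. The log lines and the web.config fragment are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jul/2002:02:43:52 -0500] "GET /orders/OrderService.asmx?WSDL HTTP/1.1" 200 8123
10.0.0.5 - - [24/Jul/2002:02:43:53 -0500] "GET /orders/OrderService.asmx?disco HTTP/1.1" 200 512
10.0.0.5 - - [24/Jul/2002:02:43:54 -0500] "GET /orders/OrderService.asmx HTTP/1.1" 200 9877
10.0.0.5 - - [24/Jul/2002:02:43:55 -0500] "GET /orders/OrderService.asmx?op=GetOrder HTTP/1.1" 200 3300
192.168.1.20 - - [24/Jul/2002:02:50:01 -0500] "POST /orders/OrderService.asmx HTTP/1.1" 200 1440
192.168.1.20 - - [24/Jul/2002:02:50:02 -0500] "GET /images/logo.gif HTTP/1.1" 200 1200
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD target proto", status, size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(method, target):
    """Label a request that hits the .asmx documentation protocol, or return None.

    Labels: 'wsdl' (?WSDL), 'disco' (?disco), 'op-page' (?op=Method help page),
    'help-page' (bare GET on the .asmx, which renders the method list).
    Normal SOAP traffic is a POST and is not labelled.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".asmx"):
        return None
    if method != "GET":
        return None
    # keep_blank_values so that "?WSDL" (no '=') survives as a key
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if "wsdl" in keys:
        return "wsdl"
    if "disco" in keys:
        return "disco"
    if "op" in keys:
        return "op-page"
    if not keys:
        return "help-page"
    return None


def scan_log(text):
    """Count successfully served documentation-protocol hits per client IP.

    Returns {ip: Counter(label -> count)}; clients with no such hits are absent.
    """
    hits = defaultdict(Counter)
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        # Only count responses that were actually served (2xx)
        if not m["status"].startswith("2"):
            continue
        label = classify_request(m["method"], m["target"])
        if label:
            hits[m["ip"]][label] += 1
    return dict(hits)


# Constructed web.config fragment. The <remove name="Documentation"/> element is the
# ASP.NET setting (assumed here, not stated in the post) that stops the service from
# answering ?wsdl, ?disco and the help page while SOAP POSTs keep working.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <webServices>
      <protocols>
        <remove name="Documentation"/>
      </protocols>
    </webServices>
  </system.web>
</configuration>
"""


def documentation_protocol_disabled(web_config_xml):
    """Return True if the config removes the Documentation protocol from webServices."""
    root = ET.fromstring(web_config_xml)
    for rem in root.iterfind("./system.web/webServices/protocols/remove"):
        if rem.get("name") == "Documentation":
            return True
    return False


if __name__ == "__main__":
    for ip, counts in scan_log(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("Documentation protocol disabled:", documentation_protocol_disabled(HARDENED_WEB_CONFIG))
```

Running the scan on the sample shows one client (10.0.0.5) pulling the WSDL, the DISCO document, the help page and one per-operation page in sequence, which is the browsing behaviour the post describes; the SOAP POST and the image request are not counted. The web.config check only confirms that the element is present in the file it is given; whether the deployed service honours it is verified by requesting the .asmx with ?wsdl yourself and expecting no schema in the response.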