Web Services Testing

Web Services Testing
David Ward
Something To Consider
• Eight to Eighty
• Information and Communications Systems Department (ICS)
• Over 5 years
Agenda
• Web Service Testing
• Starting Points
• Security Issues
• Key Tools
• Demo
Deck sections: Intro, Security, Tools, Demo
Web Services
• Headless web application
• Programmatic interface (WSDL/WADL)
• HTTP transport
• XML/JSON data format
• Common types SOAP / REST
Testing Services
• Services are a contract - API(s)
• Test the contract (WSDL / WADL)
• Is the contract consistent?
• If the contract changes, it's a new version
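The "test the contract" bullets above can be turned into an automated check that runs against the WSDL itself, before any request is sent. The script below is an added example (not from the deck or from SoapUI): it parses a constructed, deliberately inconsistent WSDL and reports operations whose input or output points at a message the contract never declares, plus declared messages no operation uses. Service and message names are invented for the illustration.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
NS = {"wsdl": WSDL_NS}

# Constructed sample WSDL (not a real service). CancelOrder's <output> references a
# message that is never declared, which is the kind of drift the check should flag.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="OrderService"
    targetNamespace="http://example.invalid/orders"
    xmlns:tns="http://example.invalid/orders"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.xmlsoap.org/wsdl/">
  <message name="GetOrderRequest"><part name="orderId" type="xsd:int"/></message>
  <message name="GetOrderResponse"><part name="order" type="xsd:string"/></message>
  <message name="CancelOrderRequest"><part name="orderId" type="xsd:int"/></message>
  <portType name="OrderPortType">
    <operation name="GetOrder">
      <input message="tns:GetOrderRequest"/>
      <output message="tns:GetOrderResponse"/>
    </operation>
    <operation name="CancelOrder">
      <input message="tns:CancelOrderRequest"/>
      <output message="tns:CancelOrderResponse"/>
    </operation>
  </portType>
</definitions>
"""


def local_name(qname):
    """Strip the 'prefix:' from a QName attribute value such as 'tns:GetOrderRequest'."""
    return qname.split(":", 1)[-1]


def check_wsdl_contract(wsdl_text):
    """Return a list of contract problems (an empty list means the WSDL is consistent).

    Two checks: every <input>/<output> of every operation must reference a declared
    <message>, and every declared <message> must be used by at least one operation.
    An unused message usually means the contract changed without a new version.
    """
    root = ET.fromstring(wsdl_text)
    declared = {m.get("name") for m in root.findall("wsdl:message", NS)}
    referenced = set()
    problems = []
    for port_type in root.findall("wsdl:portType", NS):
        for op in port_type.findall("wsdl:operation", NS):
            for io in op.findall("wsdl:input", NS) + op.findall("wsdl:output", NS):
                msg = local_name(io.get("message", ""))
                referenced.add(msg)
                if msg not in declared:
                    tag = io.tag.split("}")[-1]  # 'input' or 'output'
                    problems.append(
                        f"operation {op.get('name')}: {tag} references "
                        f"undeclared message '{msg}'"
                    )
    for unused in sorted(declared - referenced):
        problems.append(f"message '{unused}' is declared but used by no operation")
    return problems


if __name__ == "__main__":
    for problem in check_wsdl_contract(SAMPLE_WSDL):
        print("CONTRACT:", problem)
```

Run it as a pre-flight step in the test suite: a non-empty result means the published contract and the implementation have drifted, and the functional tests that follow would be exercising an interface the consumers cannot rely on.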
QA Engineer Profile
• Programming background
• Strong personality – developer’s advocate
• Background developing / testing API(s)
• Security background
• Influencer
Security / Privacy
• Mark Zuckerberg (Facebook CEO) - 2010: "The age of privacy is over / user information should default to public"
• Eric Schmidt (Google CEO) - 2009: "search engines including Google do retain information for some time…"
Additional Attack Vector
Web UI -> App Server -> Database
Web Service -> App Server -> Database
Security Standards
SOAP
• WS-Security
REST
• No formal standards
• Different approaches - Amazon, Flickr, Google
SOAP: WS-Security
<soap:Header>
  <wsse:Security soap:mustUnderstand="true"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-33"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>missionary_test_client</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">Q1QSzWSl8JY5AfQykkIoO6hTf3k=</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iWjprJQjnqHmlh8gSyRweg==</wsse:Nonce>
      <wsu:Created>2010-05-04T17:32:26.413Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
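The header above carries a UsernameToken with a PasswordDigest, which the WS-Security Username Token Profile defines as Base64(SHA-1(nonce || created || password)), where the nonce is the decoded bytes of <wsse:Nonce> and created is the literal <wsu:Created> string. The code below is an added example, not from the deck or any WS-Security stack: it computes that digest and shows the three checks a server must make before accepting such a token (digest matches, Created is fresh, nonce has not been seen). The nonce and Created values are the ones in the slide; the password is a constructed placeholder, since the real client secret is not on the page, so the computed digest will not equal the slide's Q1QSzWSl8JY5AfQykkIoO6hTf3k=.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Values taken from the slide's header; the password is constructed for this example.
NONCE_B64 = "iWjprJQjnqHmlh8gSyRweg=="
CREATED = "2010-05-04T17:32:26.413Z"
USERNAME = "missionary_test_client"
PASSWORD = "constructed-test-secret"  # placeholder, not the real client's password


def password_digest(nonce_b64, created, password):
    """UsernameToken PasswordDigest = Base64(SHA-1(nonce || created || password)).

    nonce_b64 is the Base64 text inside <wsse:Nonce>; created is the exact string
    inside <wsu:Created>; password is the shared secret, UTF-8 encoded.
    """
    nonce = base64.b64decode(nonce_b64)
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


class UsernameTokenVerifier:
    """Server-side acceptance check for a digest UsernameToken.

    The digest alone only proves the sender knows the password; without the
    freshness window and the nonce cache a captured header can be replayed
    verbatim, which is the 'WS-Security partially used' failure mode.
    """

    def __init__(self, secrets, max_age=timedelta(minutes=5), clock_skew=timedelta(seconds=30)):
        self._secrets = secrets          # username -> password (constructed store)
        self._max_age = max_age
        self._clock_skew = clock_skew
        self._seen_nonces = set()        # in production: bounded cache keyed by nonce, expiring after max_age

    def verify(self, username, nonce_b64, created, digest_b64, now=None):
        """Return (accepted, reason). The reason is for server logs only; the SOAP
        fault sent back to the client should be generic so it does not reveal
        whether the username exists or which check failed."""
        now = now or datetime.now(timezone.utc)
        password = self._secrets.get(username)
        if password is None:
            return False, "unknown user"
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        if not (now - self._max_age <= created_dt <= now + self._clock_skew):
            return False, "Created outside freshness window"
        if nonce_b64 in self._seen_nonces:
            return False, "nonce replayed"
        expected = password_digest(nonce_b64, created, password)
        # Constant-time comparison so timing does not leak how many digest bytes matched.
        if not hmac.compare_digest(expected, digest_b64):
            return False, "digest mismatch"
        self._seen_nonces.add(nonce_b64)  # only remember nonces of accepted tokens
        return True, "ok"


if __name__ == "__main__":
    digest = password_digest(NONCE_B64, CREATED, PASSWORD)
    verifier = UsernameTokenVerifier({USERNAME: PASSWORD})
    # Pretend the server clock is shortly after the slide's Created timestamp.
    at = datetime(2010, 5, 4, 17, 33, 0, tzinfo=timezone.utc)
    print("first use :", verifier.verify(USERNAME, NONCE_B64, CREATED, digest, now=at))
    print("replayed  :", verifier.verify(USERNAME, NONCE_B64, CREATED, digest, now=at))
```

When testing a SOAP service, the interesting cases are the ones the verifier rejects: resend a captured header unchanged (nonce reuse), resend it hours later (stale Created), and send a digest computed with the wrong password. A service that accepts any of those is only pretending to use WS-Security.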
REST: Security
• No formal security standards
• Often use SSL - transport only
• Proprietary authentication steps
– Amazon, Flickr, Google - different approaches
• Session Management – cookies (Oracle WAM)
Finding the Weak Link
• SSL – is the window open?
• SOAP's WS-Security – partially used?
• Errors – are they too helpful?
• Interfaces – are they publicized?
• I’m behind the firewall – everything is great!
• Obfuscation is weak sauce!
• Innocent data can be maliciously used
Testing Tools
SoapUI
• Rest/Soap
• Functional
• Load
Wireshark
• Packet Trace
• Protocols
• Filters
Appscan
• Web Apps
• Services
• Host Env
Firefox
• Plugins
  • HttpFox
  • TamperData
  • RestClient
Wireshark
Go Deep!
Protocols
• Decodes hundreds of protocols
• Analyze traffic patterns
Tracing
• Live packet capture
• Offline packet analysis
Filters
• Easily filter on protocols
• Intuitive analysis
Firefox Plugins
5000 and counting…
HttpFox
• Monitor http traffic
• View headers
• View cookies
RESTClient
• Exercise RESTful web services
• Test endpoints
TamperData
• Modify post parameters
• Modify http headers
SoapUI
One Awesome Tool!
• Project Setup
• Test Suite Creation
• Writing Tests
• Groovy Scripts
Call To Action
• Start testing!
• Identify Web Service Projects
• Join the LDS Tech community
References
• SoapUI
– http://www.soapui.org/
• Wireshark
– http://www.wireshark.org/
• Firefox Plugins
– https://addons.mozilla.org/en-US/firefox/