Hi,
Please find the compilation of tools I received for this question below.
Thanks for your responses.
Sebastien
One interesting remark on "even less secure" development/deployment of
Web Services
An interesting note too, the SOAP apps I've audited tend to come out
with even more (and more serious) issues than web
apps. I haven't done a ton of SOAP audits by any means, but I'm
getting the general impression that security awareness
on that side is even lower than on the web side. Has anyone else been
seeing that ?
An explanation for this can be that due to the more complex security
models of J2EE and .NET a lot of the increased security 'out-of-the-box'
is lost by developer/operations ignorance and lack of knowledge.
List:
WebScarab is one such intercept tool that you could use:
(http://www.owasp.org/software/webscarab.html)
Alternatively this link lists various web proxies with their
differences. http://dawes.za.net/rogan/exodus/comparison.php
Also see
http://www.professionalsecuritytesters.org/modules.php?name=News&new_top
ic=16, an index of WebProxies
XMLSPY is a commercial product available at
http://www.xmlspy.com/features_soap.html
There is a SOAP add-on version of ethereal created by Westbridge that is
free. I have used it several times successfully to monitor, and conduct
assessments - The link is
http://www.westbridgetech.com/soapmonitordownload.html
Vordel SOAPbox A FREE Web Services security test tool:
http://www.vordel.com/soapbox/index.html
other links/tools:
http://www.spidynamics.com/products/security/toolkit/
SPI Dynamics (http://www.spidynamics.com) has a couple of commercial
tools that allow both automated, and manual assessment of SOAP
Applications.
SOAP Editor (Part of the SPI Toolkit)
"SPI Dynamics' SOAP Editor is used to generate Simple Object Access
Protocol (SOAP) requests automatically, and to manually edit SOAP
requests and responses."
http://www.spidynamics.com/products/Comp_Audit/toolkit/soap.html
SPI Proxy (Part of the SPI Toolkit)
"SPI Dynamics' SPI Proxy is a stand-alone, self-contained proxy server
that you can configure and run on your desktop. "
http://www.spidynamics.com/products/Comp_Audit/toolkit/proxy.html
Webinspect
"Enterprises with Web services implementations can automatically assess
a Web service by discovering all XML input parameters and performing
parameter manipulation on each XML field looking for vulnerabilities
within the service itself."
http://www.spidynamics.com/products/QA/WI/index.html
article
http://archives.neohapsis.com/archives/sf/pentest/2003-11/0073.html
Sanctum:
http://www.sanctuminc.com/solutions/appscanaud/features/index.html
none soap specific per se but great at acting as a man in the middle for
altering/inspection:
Achilles at http://achilles.mavensecurity.com/
burp proxy at http://www.portswigger.net/proxy/help.html
for a bit more indepth but open source - spike proxy
http://www.immunitysec.com/resources-freesoftware.shtml
oops.. forgot fiddler in that list as well
http://www.bayden.com/fiddler/
Sebastien Deleersnyder wrote:
Hi,
Are there any open-source / commercial tools available for inspection
/ modification of SOAP traffic to perform audits on its security?
I am thinking of a local proxy-like program through which SOAP traffic
is channeled by e.g. modifying localhost : redirect traffic destined
for target.com to 127.0.0.1 The tool would allow for changing the SOAP
content both in the request/reply.
I imagine that this only makes sense if the SOAP goes over HTTP, HTTPS
protects against sniffing.
