The Zero.webappsecurity.com web services are designed to demonstrate web service vulnerabilities.

There are two essentially identical web services:

http://zero.webappsecurity.com/CustomerAccounts/SecureWebService.asmx?wsdl is configured to use WS-Security for access control.

http://zero.webappsecurity.com/CustomerAccounts/WebService.asmx?wsdl has no access controls.

Because the two services expose the same operations, a scan of the unprotected one shows exactly what the WS-Security control on the other is meant to protect.

The test web service consists of nine methods that access data for each of the three customer accounts. Account-specific data is returned through the various operations. As with most web services, an operation succeeds only when it is given accurate input data.

For users unfamiliar with the web service, the method "ListTestAccounts" provides enough information to identify customer ids and extract further data from the web service using the Web Service Test Designer.

The web service has three test accounts; details of those accounts are given later on this page.

Click the link below to download a completed design file for scanning the web service:

http://zero.webappsecurity.com/CustomerAccounts/ZeroWS.wsd
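To do what the Web Service Test Designer does when it loads the WSDL (enumerate the operations, their request parameters and their SOAPAction values) without WebInspect, here is an added example; it is not code from this page or from WebInspect. The WSDL text inside it is a constructed fragment in the shape an ASMX service emits, not the real document at WebService.asmx?wsdl, which lists nine operations; the page names only ListTestAccounts, and GetAccountDetail with its customerId and pin parameters is a hypothetical second operation included to show parameter extraction. fetch_wsdl() downloads the live file if you want to run parse_wsdl() on the real thing.

```python
"""Enumerate the SOAP operations a WSDL advertises, which is what the Web
Service Test Designer does when it loads WebService.asmx?wsdl.

Added example, not code from the original page or from WebInspect. The WSDL
below is a constructed fragment in the shape an ASMX service emits; the real
document lists nine operations, of which the page names only
ListTestAccounts. GetAccountDetail and its customerId/pin parameters are
hypothetical, included to show how request parameters are extracted.
"""
import urllib.request
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed fragment; only ListTestAccounts is a name the page gives.
CONSTRUCTED_WSDL = """<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:s="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://tempuri.org/">
  <wsdl:types>
    <s:schema targetNamespace="http://tempuri.org/" elementFormDefault="qualified">
      <s:element name="ListTestAccounts"><s:complexType/></s:element>
      <s:element name="GetAccountDetail"><s:complexType><s:sequence>
        <s:element name="customerId" type="s:int"/>
        <s:element name="pin" type="s:string"/>
      </s:sequence></s:complexType></s:element>
    </s:schema>
  </wsdl:types>
  <wsdl:binding name="WebServiceSoap" type="tns:WebServiceSoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="ListTestAccounts">
      <soap:operation soapAction="http://tempuri.org/ListTestAccounts"/>
    </wsdl:operation>
    <wsdl:operation name="GetAccountDetail">
      <soap:operation soapAction="http://tempuri.org/GetAccountDetail"/>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="WebService">
    <wsdl:port name="WebServiceSoap" binding="tns:WebServiceSoap">
      <soap:address location="http://zero.webappsecurity.com/CustomerAccounts/WebService.asmx"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def parse_wsdl(text: str) -> dict:
    """Return the SOAP 1.1 endpoint and, per operation, its SOAPAction and
    request parameters as (name, type) pairs."""
    root = ET.fromstring(text)
    ops = {}
    for binding in root.iterfind(f".//{{{WSDL_NS}}}binding"):
        # ASMX also emits SOAP 1.2 and HTTP GET/POST bindings; only the one
        # carrying a soap:binding child is the SOAP 1.1 binding we want.
        if binding.find(f"{{{SOAP_NS}}}binding") is None:
            continue
        for op in binding.iterfind(f"{{{WSDL_NS}}}operation"):
            action = op.find(f"{{{SOAP_NS}}}operation")
            ops[op.get("name")] = {
                "soapAction": action.get("soapAction", "") if action is not None else "",
                "params": [],
            }
    # Request parameters are the child elements of the schema element that
    # shares the operation's name; the *Response elements never match.
    for el in root.iterfind(f".//{{{XSD_NS}}}schema/{{{XSD_NS}}}element"):
        name = el.get("name")
        if name in ops:
            ops[name]["params"] = [(p.get("name"), p.get("type"))
                                   for p in el.iter(f"{{{XSD_NS}}}element")
                                   if p is not el]
    addr = root.find(f".//{{{SOAP_NS}}}address")
    return {"endpoint": addr.get("location", "") if addr is not None else "",
            "operations": ops}


def fetch_wsdl(url: str, timeout: float = 10) -> str:
    """Download the live WSDL. Network call; the offline demo does not use it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    info = parse_wsdl(CONSTRUCTED_WSDL)
    print("endpoint:", info["endpoint"])
    for name, meta in info["operations"].items():
        print(f"{name}: SOAPAction={meta['soapAction']} params={meta['params']}")
```

The operation list is the same thing the designer shows as check-boxed methods; the parameter pairs are the fields you fill with the account data below, and an operation with an empty parameter list (ListTestAccounts here) can be sent as-is.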


==========================================

Using WebInspect to scan the web service

Consult the WebInspect help file for more detailed information on conducting a web service assessment.

To perform a new assessment of the zero.webappsecurity.com web service using WebInspect:

1) Select New > Web Service Scan.

2) Select Configure a Web Service Scan. Enter or select the full path and name of the Web Service Definition Language (WSDL) file, http://zero.webappsecurity.com/CustomerAccounts/WebService.asmx?wsdl, then click Next.

3) No network authentication is needed. Update proxy information if necessary and click Next.

4) Click Yes to launch the Web Service Test Designer.

5) Within the test designer:

   a. Select each SOAP operation.

      i. Use the customer account information below to populate the relevant fields with data.

      ii. Click the Send button to send the request with valid data.

      iii. Review the operation-specific response to determine whether the request was successful.

   For a successful audit, valid data must be provided for every SOAP operation.

6) Use the check marks to select or deselect the methods to include in the service audit.

7) Save the design file and close the designer.

8) Click Next in the scan wizard, then Finish to start the scan.

Using WebInspect to scan the web service with WS-Security

Consult the WebInspect help file for more detailed information on conducting a web service assessment.

To perform a new assessment of the zero.webappsecurity.com web service with WS-Security using WebInspect:

1) Select New > Web Service Scan.

2) Select Configure a Web Service Scan. Enter or select the full path and name of the Web Service Definition Language (WSDL) file, http://zero.webappsecurity.com/CustomerAccounts/SecureWebService.asmx?wsdl, then click Next.

3) No network authentication is needed. Update proxy information if necessary and click Next.

4) Click Yes to launch the Web Service Test Designer.

5) Within the test designer:

   a. Select the "WebService" node to access the WS Security settings.

   b. Place a check next to WS Security, then enter the credentials:

      Username = 117526532

      Password = MyLamePass

   c. Select each SOAP operation.

      i. Use the customer account information below to populate the relevant fields with data.

      ii. Click the Send button to send the request with valid data.

      iii. Review the operation-specific response to determine whether the request was successful. Since SecureWebService.asmx uses the WS-Security credentials for access control, a successful response here also confirms the token is being sent.

   For a successful audit, valid data must be provided for every SOAP operation.

6) Use the check marks to select or deselect the methods to include in the service audit.

7) Save the design file and close the designer.

8) Click Next in the scan wizard, then Finish to start the scan.
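The following is an added example, not code from this page or from WebInspect. It builds the same request for the two endpoints described at the top of the page: a plain SOAP 1.1 envelope for WebService.asmx, and one carrying the WS-Security UsernameToken that the credentials from step 5b are sent in against SecureWebService.asmx. It also includes the digest check a server must perform for that token to act as an access control. Assumptions not stated on the page: the ASMX default operation namespace http://tempuri.org/, that ListTestAccounts takes no parameters, and that SecureWebService.asmx accepts a UsernameToken with PasswordDigest (WS-Security UsernameToken Profile); if the service expects PasswordText instead, only the Type attribute and the password element's content change.

```python
"""SOAP 1.1 requests for the zero.webappsecurity.com web services, with
and without a WS-Security UsernameToken header.

Added example, not code from the original page or from WebInspect.
Assumptions not stated on the page: the ASMX default namespace
http://tempuri.org/ for operations, that ListTestAccounts takes no
parameters, and that SecureWebService.asmx accepts a UsernameToken with
PasswordDigest. The endpoint URLs, the operation name and the credentials
are the ones the page gives.
"""
import base64
import hashlib
import hmac
import os
import urllib.request
from datetime import datetime, timezone
from xml.sax.saxutils import escape

PLAIN_URL = "http://zero.webappsecurity.com/CustomerAccounts/WebService.asmx"
SECURE_URL = "http://zero.webappsecurity.com/CustomerAccounts/SecureWebService.asmx"
TARGET_NS = "http://tempuri.org/"  # assumption: ASMX default namespace
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) as defined by the WS-Security
    UsernameToken profile. nonce is the raw bytes, not its base64 form."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return b64(hashlib.sha1(raw).digest())


def username_token(username: str, password: str, nonce=None, created=None) -> str:
    """wsse:Security header with a UsernameToken using PasswordDigest, so the
    password itself never crosses the wire. nonce and created are parameters
    only so a caller (or test) can reproduce a known digest."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}" '
        'soap:mustUnderstand="1"><wsse:UsernameToken>'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{b64(nonce)}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security>"
    )


def soap_envelope(operation: str, params=None, security: str = "") -> str:
    """SOAP 1.1 envelope for an ASMX operation. params maps element name to
    value; values are XML-escaped so account data cannot inject markup."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in (params or {}).items())
    header = f"<soap:Header>{security}</soap:Header>" if security else ""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f'{header}<soap:Body><{operation} xmlns="{TARGET_NS}">{body}</{operation}>'
        "</soap:Body></soap:Envelope>"
    )


def verify_digest(username: str, nonce_b64: str, created: str, digest: str,
                  lookup_password) -> bool:
    """The server-side check that makes the token an access control: recompute
    the digest from the stored password and compare in constant time. An
    endpoint that never performs it (WebService.asmx carries no such header
    at all) serves the same data to anyone."""
    expected = password_digest(base64.b64decode(nonce_b64), created,
                               lookup_password(username))
    return hmac.compare_digest(expected, digest)


def send(url: str, operation: str, envelope: str, timeout: float = 10) -> bytes:
    """POST the envelope with the SOAPAction header ASMX expects. Network
    call; the offline demo below does not use it."""
    req = urllib.request.Request(
        url, data=envelope.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f'"{TARGET_NS}{operation}"'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Same operation for both endpoints; only the header differs.
    print(soap_envelope("ListTestAccounts"))
    print(soap_envelope("ListTestAccounts",
                        security=username_token("117526532", "MyLamePass")))
```

Running the module prints both envelopes. send(PLAIN_URL, ...) and send(SECURE_URL, ...) post them and return the raw response body; by ASMX convention a successful call returns a ListTestAccountsResponse element and a rejected one a SOAP Fault, which is the same pass/fail signal the designer's response pane shows. The digest is only as strong as the password behind it, so a nonce and timestamp do not turn a guessable password such as MyLamePass into a real control; the secure endpoint is a demonstration target, not a model to copy.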


==========================================

Accounts

Customer Accounts:

CustomerName = BillSmith42
Customer id = 20262083
CustomerPIN = 9674
Type = 25, Checking, acct# {1234567891234567}, balance {1982.47}
Type = 37, Savings, acct# {2026208337}, balance {1675.09}
Type = 49, IRA, acct# {2026208349}, balance {42318.79}

CustomerName = BobConrad75
Customer id = 20262906
CustomerPIN = 6482
Type = 25, Checking, acct# {2026290625}, balance {982.71}
Type = 37, Savings, acct# {2026290637}, balance {634.93}
Type = 59, IRA, acct# {2026290649}, balance {288367.81}

CustomerName = LizRice25
Customer id = 20364000
CustomerPIN = 5891
Type = 25, Checking, acct# {2036400025}, balance {14.47}
Type = 37, Savings, acct# {2036400037}, balance {96.12}

Employee Account:

EmployeeID = 117526532
EmployeePass = MyLamePass