The Zero.webappsecurity.com web services are designed to demonstrate web service vulnerabilities.
There are two essentially identical web services:
http://zero.webappscurity.com/CustomerAccounts/SecureWebService.asmx?wsdl
is configured to use WS security for access control.
http://zero.webappscurity.com/CustomerAccounts/WebService.asmx?wsdl
has no access controls.
The test web service exposes nine methods that access data for each of the three customer accounts. Data specific to the accounts is returned through the various operations. As with most web services, accurate data must be submitted for certain operations to succeed.
For users unfamiliar with the web service, the method “ListTestAccounts” provides enough information to identify customer IDs and extract further data from the web service using the web service test designer.
The web service has three test accounts; details of those accounts are given later on this page.
Click the link below to download a completed design file for scanning the web service:
http://zero.webappscurity.com/CustomerAccounts/ZeroWS.wsd
==========================================
Using WebInspect to scan the web service
Consult the WebInspect help file for more detailed information on conducting a web service assessment.
To perform a new assessment of the zero.webappsecurity.com web service using WebInspect:
1) Select New > WebService Scan.
2) Select Configure a Web Service Scan. Enter or select the full path and name of a Web Service Definition Language (WSDL) file, http://zero.webappscurity.com/CustomerAccounts/WebService.asmx?wsdl, then click NEXT.
3) No network authentication is needed. Update proxy information if necessary and click NEXT.
4) Click Yes to launch the Web Service Test Designer.
5) Within the test designer:
   a. Select SOAP operations.
      i. Use the customer account information below to populate the relevant fields with data.
      ii. Click the send button to send the request with valid data.
      iii. Review the operation-specific response to determine whether the request was successful.
   For successful audits, valid data for SOAP operations must be provided.
6) Use check marks to select or deselect methods to include in the service audit.
7) Save the design file and close the designer.
8) Click Next in the scan wizard and Finish to start the scan.
Using WebInspect to scan the web service with WS security
Consult the WebInspect help file for more detailed information on conducting a web service assessment.
To perform a new assessment of the zero.webappsecurity.com web service using WebInspect:
1) Select New > WebService Scan.
2) Select Configure a Web Service Scan. Enter or select the full path and name of a Web Service Definition Language (WSDL) file, http://zero.webappscurity.com/CustomerAccounts/SecureWebService.asmx?wsdl, then click NEXT.
3) No network authentication is needed. Update proxy information if necessary and click NEXT.
4) Click Yes to launch the Web Service Test Designer.
5) Within the test designer:
   a. Select the “WebService” node to access WS security.
   b. Place a check next to WS security, then input the credentials:
      Username = 117526532
      Password = MyLamePass
      i. Use the customer account information below to populate the relevant fields with data.
      ii. Click the send button to send the request with valid data.
      iii. Review the operation-specific response to determine whether the request was successful.
   For successful audits, valid data for SOAP operations must be provided.
6) Use check marks to select or deselect methods to include in the service audit.
7) Save the design file and close the designer.
8) Click Next in the scan wizard and Finish to start the scan.
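Step 5b makes the designer add a WS-Security UsernameToken header to each request. The following is an added Python example, not code from this page or from WebInspect: it builds the SOAP 1.1 request for the ListTestAccounts method with that header, and checks a captured envelope for the token, so you can confirm that the requests aimed at SecureWebService.asmx really carry credentials while those to WebService.asmx need none. The service XML namespace (SERVICE_NS) is an assumption, since the page does not state it.

```python
# Added example, not code from the page or from WebInspect. Builds the kind of
# SOAP 1.1 request the test designer sends when "WS security" is checked and
# checks a captured envelope for a WS-Security UsernameToken.
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
# Assumption: the page does not give the service's XML namespace; this is
# the .NET ASMX default and may differ from the real WSDL.
SERVICE_NS = "http://tempuri.org/"

ET.register_namespace("soap", SOAP_ENV)
ET.register_namespace("wsse", WSSE)


def build_envelope(operation, username=None, password=None, params=None):
    """Return a SOAP 1.1 envelope calling `operation`; when a username is
    given, add a WS-Security UsernameToken (PasswordText) header."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    if username is not None:
        header = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
        sec = ET.SubElement(header, f"{{{WSSE}}}Security")
        sec.set(f"{{{SOAP_ENV}}}mustUnderstand", "1")
        tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
        ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
        pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT)
        pw.text = password
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{SERVICE_NS}}}{operation}")
    for name, value in (params or {}).items():
        ET.SubElement(op, f"{{{SERVICE_NS}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode")


def has_username_token(envelope_xml):
    """True if a (captured) envelope carries a UsernameToken with both a
    Username and a Password; use it to confirm that requests aimed at
    SecureWebService.asmx are really carrying credentials."""
    root = ET.fromstring(envelope_xml)
    path = f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken"
    tok = root.find(path)
    if tok is None:
        return False
    return bool(tok.findtext(f"{{{WSSE}}}Username")) and \
        bool(tok.findtext(f"{{{WSSE}}}Password"))
```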
==========================================
Accounts
Customer Accounts:
CustomerName = BillSmith42
Customer id = 20262083
CustomerPIN = 9674
Type= 25, Checking, acct# {1234567891234567}, balance {1982.47}
Type= 37, Savings, acct# {2026208337}, balance {1675.09}
Type= 49, IRA, acct# {2026208349}, balance {42318.79}
CustomerName = BobConrad75
Customer id = 20262906
CustomerPIN = 6482
Type= 25, Checking, acct# {2026290625}, balance {982.71}
Type= 37, Savings, acct# {2026290637}, balance {634.93}
Type= 59, IRA, acct# {2026290649}, balance {288367.81}
CustomerName = LizRice25
Customer id = 20364000
CustomerPIN = 5891
Type= 25, Checking, acct# {2036400025}, balance {14.47}
Type= 37, Savings, acct# {2036400037}, balance {96.12}
Employee Account:
EmployeeID = 117526532
EmployeePass = MyLamePass