Friday, August 18, 2006

Book - Hacking Web Services

Web Services are an integral part of next generation Web applications. The development and use of these services is growing at an incredible rate, and so too are the security issues surrounding them. Hacking Web Services is a practical guide for understanding Web services security and assessment methodologies. Written for intermediate-to-advanced security professionals and developers, the book provides an in-depth look at new concepts and tools used for Web services security. Beginning with a brief introduction to Web services technologies, the book discusses Web services assessment methodology, WSDL -- an XML format describing Web services as a set of endpoints operating on SOAP messages containing information -- and the need for secure coding. Various development issues and open source technologies used to secure and harden applications offering Web services are also covered. Throughout the book, detailed case studies, real-life demonstrations, and a variety of tips and techniques are used to teach developers how to write tools for Web services. If you are responsible for securing your company's Web services, this is a must read resource!

More information

Saturday, January 28, 2006

Releasing 1.5

Following changes are included.

+ Few bugs are solved
+ wspawn is now querying Xmethods. UBRs are closed for Microsoft, IBM etc.
+ wsknight has analysis engine in place. You can supply regex patterns and wsaudit will detect them. It will change color of text. Sample rule file is included.

Wednesday, January 11, 2006

Domain footprinting is branched out into MSNPawn

It is in the form of new tool called MSNPawn.

MSNPawn has been designed and developed on the .Net framework and must be installed on the system. The following utilities have been bundled with MSNPawn.

MSNHostFP - Supply an IP Address or IP Address range to fetch all possible virtual hosts or application running on each IP addresses.

MSNDomainFP - Supply a domain name to fetch the top 50 child domains, considering the supplied domain name as parent.

MSNCrossDomainFP - Supply an application domain to fetch the top 50 domains pointing to this particular domain on the Internet.

MSNCrawler - Supply a domain or application name to fetch all possible links crawled by the search engine.

MSNFetch - Supply a domain and rules file. The tool will run each rule in the file against the domain specified and fetch the first five results of the resultant query. This can help in assessing an application.

Search.MSN - Provides place to run your search against MSN and gather all URLs.

Whitepaper is included for better understanding for all these tools.


[Download paper]

Sunday, August 07, 2005

Releasing beta 1.4

Some bugs are rectified in this build. These bugs were in following areas
1. wsKnight - SOAP action tag in header and host
2. WSsearch - Parsing error
3. Domain footprinting is removed from wspawn and planning to build a seperate tool.

Thanks for reporting bugs. Few more stuff to be added in next build.

Monday, June 06, 2005

Releasing beta 1.3

wsKnight is updated with 4 new audit/attack vectors. This will help in auditing or testing web services.

1. Bruteforcing - One can specify user/pass fields and map it to files. This will launch bruteforcing combinations on the wire.
2. Buffer overflow - Specify parameter and buffer size.
3. LDAP and XPath injection - This is very simple just a different category.

Stay tune more to go.


Tuesday, May 24, 2005

ASP.NET web services advisory

wschess helped in finding this bug in ASP.NET. Recent finding on ASP.NET is posted on security tracker.
Read Here

Tuesday, May 17, 2005

Releasing beta 1.2

Changes are as follows

1. Doamin footprinting is added to wspawn. Methodlogy is discussed in paper [Read]
2. wspawn threading is much more controlled now with option to stop.
3. wspawn's command line is also posted which can run under linux with mono.

Planning to add few more audit/attack modules for xpath,xss,ldap etc in wsknight in next release.