Monday, July 13, 2009

With the shift to web services, where we end up relying on the client to secure things, we have to remember not to trust the client: anything it sends can be tampered with, so every check has to be enforced on the server.

The speaker gave a methodology for testing web services:

  • Service discovery:
    • Look for WSDL (or similar service-description) files that contain service info, using search engines, site spidering, or observing the application's behaviour (e.g. the calls its AJAX client makes)
  • Method discovery:
    • Read the WSDL to see which methods are exposed; if there isn't one, brute force the web service with common method names and note which ones respond differently (e.g. a parameter fault rather than an "unknown method" fault), since those exist.
  • OWASP Top 10 (the 2007 list). These all still apply to web service calls, including:
    • Malicious file execution and insecure direct object reference
    • CSRF with AJAX clients
    • Information leakage
    • Broken auth and session mgmt
    • Insecure crypto storage
    • Insecure communications - SSL/TLS matters for service calls too, not just browser traffic
    • Failure to restrict URL access - protect admin and similar web services from anonymous access
  • Web service specific tests:
    • XML issues (external entities, malformed XML, recursive XML, XML entity expansion, XML attribute blowup, overlarge XML and CDATA injection)
      • External entities can make the server read local files and fetch URLs on the attacker's behalf, which reveals details of the internal network and lets you send CSRF-style requests to machines in there.
    • WS-Routing issues
  • WS-Security is not a panacea - it gives message integrity and confidentiality (signing and encryption), but it doesn't stop malicious content coming through in a validly signed message.
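As an added example (not from the talk or the original post), here is the kind of pre-parse screen a tester or developer can run against SOAP requests to cover the XML-specific tests above: external entities, entity expansion, deeply nested (recursive) XML, attribute blowup, oversized and malformed documents. It uses only Python's standard-library expat bindings. The limits, the `UnsafeXML`/`screen_xml`/`verdict` names and the sample payloads are assumptions constructed for illustration, not values or traffic from the page.

```python
"""Screen an XML/SOAP request before the real parser sees it (added example).

Policy: no DOCTYPE at all by default (SOAP forbids DTDs in messages, and
rejecting the DOCTYPE kills XXE and billion-laughs before any entity is
declared); if a DTD must be allowed, no external or parameter entities and
a hard cap on internal ones. Nesting depth, attribute count and document
size are capped as well. All limits are illustrative assumptions.
"""
import xml.parsers.expat


class UnsafeXML(Exception):
    """Raised when the document violates the screening policy."""


def screen_xml(data, max_bytes=1024 * 1024, max_depth=32, max_attrs=32,
               allow_dtd=False, max_entities=4):
    """Parse `data` (bytes) under a restrictive policy.

    Returns structural stats for a document that passes; raises UnsafeXML
    with the reason for one that does not. Exceptions raised inside expat
    handlers propagate out of Parse(), which is what stops the parser.
    """
    if len(data) > max_bytes:
        raise UnsafeXML("oversized document: %d bytes" % len(data))

    stats = {"elements": 0, "max_depth": 0, "max_attrs": 0,
             "entities": 0, "cdata_sections": 0}
    depth = [0]  # list so the nested handlers can mutate it

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise UnsafeXML("DOCTYPE not allowed")

    def entity_decl(name, is_parameter, value, base, system_id, public_id,
                    notation):
        # Only reached when allow_dtd=True. Billion laughs needs ~10 entities,
        # XXE needs a SYSTEM/PUBLIC identifier; neither survives this.
        if system_id is not None or public_id is not None:
            raise UnsafeXML("external entity declared: %s" % name)
        if is_parameter:
            raise UnsafeXML("parameter entity declared: %s" % name)
        stats["entities"] += 1
        if stats["entities"] > max_entities:
            raise UnsafeXML("too many entity declarations")

    def external_ref(context, base, system_id, public_id):
        # Defence in depth: expat must never go and fetch anything.
        raise UnsafeXML("external entity reference")

    def start_element(name, attrs):
        depth[0] += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth[0])
        stats["max_attrs"] = max(stats["max_attrs"], len(attrs))
        if depth[0] > max_depth:
            raise UnsafeXML("nesting deeper than %d" % max_depth)
        if len(attrs) > max_attrs:
            raise UnsafeXML("attribute blowup on <%s>: %d attributes"
                            % (name, len(attrs)))

    def end_element(name):
        depth[0] -= 1

    def start_cdata():
        stats["cdata_sections"] += 1  # recorded so CDATA-heavy input stands out

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartCdataSectionHandler = start_cdata
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML("malformed XML: %s" % exc) from exc
    return stats


def verdict(data, **policy):
    """'ok' for a document that passes, otherwise the rejection reason."""
    try:
        screen_xml(data, **policy)
        return "ok"
    except UnsafeXML as exc:
        return str(exc)


# Constructed sample requests (not captured traffic).
SOAP_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getUser xmlns="urn:example"><id>42</id></getUser></soap:Body>
</soap:Envelope>"""
XXE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM '
       b'"file:///etc/passwd">]><r>&xxe;</r>')
BILLION_LAUGHS = (
    b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
    + b"".join(b'<!ENTITY lol%d "' % i + (b"&lol%d;" % (i - 1)) * 10 + b'">'
               for i in range(1, 10))
    + b"]><lolz>&lol9;</lolz>")
ATTR_BLOWUP = b"<r " + b" ".join(b'a%d="1"' % i for i in range(100)) + b"/>"
DEEP = b"<a>" * 100 + b"</a>" * 100
MALFORMED = b"<a><b></a>"

if __name__ == "__main__":
    for label, payload in [("benign SOAP", SOAP_OK), ("XXE", XXE),
                           ("billion laughs", BILLION_LAUGHS),
                           ("attribute blowup", ATTR_BLOWUP),
                           ("deep nesting", DEEP), ("malformed", MALFORMED)]:
        print("%-18s %s" % (label, verdict(payload)))
```

Running it as a script prints a verdict per payload; note that with the default policy both the XXE and the billion-laughs requests are refused at the DOCTYPE, and only with `allow_dtd=True` do you see the more specific reasons (external entity, entity count). Screening like this complements WS-Security rather than replacing it: a signed envelope can still carry any of these payloads.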

Tools shown:
