Copyright 2010 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP WS-Attacks.org Project

Andreas Falkenberg
Project leader, WS-Attacks.org
Ruhr Uni Bochum, Bochum, Germany
(+49) (0)

It's all about web services

Web services in today's world
Array of technologies to implement:
- Web APIs
- B2B applications
- SOA scenarios
- Wrap legacy applications

Attacks on web services
Web services are vulnerable to:
- all classical web application attacks (SQLi, XSS, ...)
- web service specific attacks (Signature Wrapping, ...)

Problem: Where to go for WS specific attacks?

WS-Attacks.org project

What does the WS-Attacks.org project offer?
- First and most comprehensive enumeration of web service specific attack vectors (40+ attacks)
- Each attack is described in detail, including:
  - Attack description
  - Attack prerequisites
  - Attack example
  - Countermeasures

What does WS-Attacks.org NOT offer?
- No description of SQLi, XSS and similar attacks
- We already have OWASP for this ;-)

Bringing together what belongs together

WS-Attacks.org extends OWASP to the web service attack universe
- Check us out at
- Write us at:

What can we expect in the future?
- More web service specific attacks
- First automated web service attacking framework?? REIN?