Web Services Testing David Ward

Something To Consider
- Eight to Eighty
- Information and Communications Systems Department (ICS)
- Over 5 years


Agenda
- Web Service Testing
- Starting Points
- Security Issues
- Key Tools
- Demo

Web Services
- Headless web application
- Programmatic interface (WSDL / WADL)
- HTTP transport
- XML / JSON data format
- Common types: SOAP / REST

Testing Services
- Services are a contract: the API(s)
- Test the contract (WSDL / WADL)
- Is the contract consistent?
- If the contract changes, it's a new version
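One way to make "test the contract" and "if the contract changes, it's a new version" concrete is to snapshot the operations and message parts a WSDL publishes and diff two snapshots, flagging anything an existing client would notice. The following is an added example, not code from the talk; the two WSDL documents for a user service are constructed here for illustration, and the "breaking" versus "additive" classification is a simple rule of thumb, not a standard.

```python
import xml.etree.ElementTree as ET

WSDL_NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/"}

# Constructed sample contract for a hypothetical user service (not from the talk).
WSDL_V1 = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:example:users" targetNamespace="urn:example:users">
  <message name="GetUserRequest"><part name="userId" type="xsd:string"/></message>
  <message name="GetUserResponse"><part name="user" type="tns:User"/></message>
  <portType name="UserPort">
    <operation name="GetUser">
      <input message="tns:GetUserRequest"/>
      <output message="tns:GetUserResponse"/>
    </operation>
  </portType>
</definitions>"""

# Version 2 changes the type of the userId part and adds a DeleteUser operation.
WSDL_V2 = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:example:users" targetNamespace="urn:example:users">
  <message name="GetUserRequest"><part name="userId" type="xsd:int"/></message>
  <message name="GetUserResponse"><part name="user" type="tns:User"/></message>
  <message name="DeleteUserRequest"><part name="userId" type="xsd:int"/></message>
  <message name="DeleteUserResponse"><part name="ok" type="xsd:boolean"/></message>
  <portType name="UserPort">
    <operation name="GetUser">
      <input message="tns:GetUserRequest"/>
      <output message="tns:GetUserResponse"/>
    </operation>
    <operation name="DeleteUser">
      <input message="tns:DeleteUserRequest"/>
      <output message="tns:DeleteUserResponse"/>
    </operation>
  </portType>
</definitions>"""


def parse_contract(wsdl_text):
    """Reduce a WSDL 1.1 document to {operation: {"input": parts, "output": parts}}.

    parts is a sorted tuple of (part name, part type or element), which is what a
    client actually depends on.
    """
    root = ET.fromstring(wsdl_text)
    messages = {}
    for msg in root.findall("wsdl:message", WSDL_NS):
        parts = tuple(sorted(
            (p.get("name"), p.get("type") or p.get("element"))
            for p in msg.findall("wsdl:part", WSDL_NS)))
        messages[msg.get("name")] = parts
    contract = {}
    for port_type in root.findall("wsdl:portType", WSDL_NS):
        for op in port_type.findall("wsdl:operation", WSDL_NS):
            entry = {}
            for direction in ("input", "output"):
                el = op.find("wsdl:" + direction, WSDL_NS)
                if el is not None:
                    # message="tns:GetUserRequest" -> "GetUserRequest"
                    entry[direction] = messages.get(el.get("message").split(":")[-1], ())
            contract[op.get("name")] = entry
    return contract


def diff_contracts(old, new):
    """List (severity, description) pairs; 'breaking' means existing clients must change."""
    changes = []
    for name in sorted(set(old) | set(new)):
        if name not in new:
            changes.append(("breaking", "operation removed: " + name))
        elif name not in old:
            changes.append(("additive", "operation added: " + name))
        else:
            for direction in ("input", "output"):
                if old[name].get(direction) != new[name].get(direction):
                    changes.append(("breaking", "%s %s message changed" % (name, direction)))
    return changes


def needs_new_version(old_wsdl, new_wsdl):
    """True when the published contract changed in a way existing clients would notice."""
    return any(sev == "breaking"
               for sev, _ in diff_contracts(parse_contract(old_wsdl), parse_contract(new_wsdl)))


if __name__ == "__main__":
    for severity, desc in diff_contracts(parse_contract(WSDL_V1), parse_contract(WSDL_V2)):
        print(severity, desc)
    print("new version required:", needs_new_version(WSDL_V1, WSDL_V2))
```

Running the snapshot against the WSDL a deployment actually serves, and keeping the previous snapshot in version control, turns "is the contract consistent?" into a check that fails the build instead of a question asked after clients break.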

QA Engineer Profile
- Programming background
- Strong personality: the developer's advocate
- Background developing / testing API(s)
- Security background
- Influencer

Security / Privacy
- Mark Zuckerberg (Facebook CEO): the age of privacy is over / user information should default to public
- Eric Schmidt (Google CEO): search engines including Google do retain information for some time…

Additional Attack Vector
- Web UI → App Server → Database
- Web Service → App Server → Database

Security Standards
- SOAP: WS-Security
- REST: no formal standards; different approaches (Amazon, Flickr, Google)

SOAP: WS-Security
UsernameToken with a PasswordDigest, as captured in the slide (the Type URI and the date part of the Created timestamp are truncated in the transcript):

```xml
<wsse:UsernameToken>
  <wsse:Username>missionary_test_client</wsse:Username>
  <wsse:Password Type="…profile1.0#PasswordDigest">Q1QSzWSl8JY5AfQykkIoO6hTf3k=</wsse:Password>
  <wsse:Nonce>iWjprJQjnqHmlh8gSyRweg==</wsse:Nonce>
  <wsu:Created>…T17:32:26.413Z</wsu:Created>
</wsse:UsernameToken>
```
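The three values in that token are related by a fixed rule: PasswordDigest is Base64(SHA-1(nonce + created + password)), with the nonce taken as the raw bytes behind the Base64 text and created hashed exactly as sent. The "partially used" WS-Security problem mentioned later in the talk usually means a server that recomputes the digest but never checks Created freshness or remembers nonces, so a captured token can be resubmitted. The block below is an added example, not code from the talk or from any WS-Security library: it builds a token on the client side and verifies it on the server side with a freshness window and a nonce cache. The credential store, the password and the five-minute window are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def password_digest(nonce_b64, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)).

    nonce is the raw bytes behind the Base64 <wsse:Nonce>; created is the
    <wsu:Created> string exactly as sent, because the server must hash the same bytes.
    """
    nonce = base64.b64decode(nonce_b64)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(username, password, now=None):
    """Client side: build the four values that go into the UsernameToken."""
    now = now or datetime.now(timezone.utc)
    nonce_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    created = now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"   # millisecond precision
    return {"username": username, "nonce": nonce_b64, "created": created,
            "digest": password_digest(nonce_b64, created, password)}


class UsernameTokenVerifier:
    """Server side: recompute the digest and reject stale or replayed tokens."""

    def __init__(self, credentials, freshness=timedelta(minutes=5)):
        self.credentials = credentials          # username -> password (constructed store)
        self.freshness = freshness              # assumed acceptance window for Created
        self.seen_nonces = {}                   # nonce -> time it can be forgotten

    def verify(self, token, now=None):
        now = now or datetime.now(timezone.utc)
        password = self.credentials.get(token["username"])
        if password is None:
            return False
        try:
            created = datetime.strptime(token["created"], TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(now - created) > self.freshness:         # outside the freshness window
            return False
        # Forget nonces older than the window, then refuse any nonce seen inside it.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        if token["nonce"] in self.seen_nonces:
            return False
        expected = password_digest(token["nonce"], token["created"], password)
        if not hmac.compare_digest(expected, token["digest"]):
            return False
        self.seen_nonces[token["nonce"]] = now + self.freshness
        return True


def run_checks():
    """Exercise the verifier; the user name is the one on the slide, the secret is constructed."""
    verifier = UsernameTokenVerifier({"missionary_test_client": "s3cret-constructed"})
    good = make_token("missionary_test_client", "s3cret-constructed")
    stale = make_token("missionary_test_client", "s3cret-constructed",
                       now=datetime.now(timezone.utc) - timedelta(hours=1))
    bad_pw = make_token("missionary_test_client", "wrong-password")
    return {
        "valid token accepted": verifier.verify(good),
        "same token replayed": verifier.verify(good),
        "stale created rejected": verifier.verify(stale),
        "wrong password rejected": verifier.verify(bad_pw),
        "unknown user rejected": verifier.verify(dict(good, username="nobody")),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(check, "->", result)
```

The nonce cache only has to remember nonces for as long as the freshness window, which is why the two checks belong together: without the window the cache grows without bound, and without the cache the window still leaves a few minutes in which a captured token is valid. Note that the digest protects the password, not the message body; integrity of the SOAP body needs a signature or transport protection on top.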

REST: Security
- No formal security standards
- Often use SSL: transport protection only
- Proprietary authentication steps: Amazon, Flickr and Google each take a different approach
- Session management: cookies (Oracle WAM)

Finding the Weak Link
- SSL: is the window open?
- SOAP's WS-Security: only partially used?
- Errors: are they too helpful?
- Interfaces: are they publicized?
- "I'm behind the firewall, everything is great!"
- Obfuscation is weak sauce!
- Innocent data can be maliciously used
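"Are the errors too helpful?" is the easiest of these to check and to fix. The following added example (not code from the talk) shows a request dispatcher in its leaky form beside a hardened one, plus the crude response check a tester can run. The handlers, the failing database message and the marker strings are constructed for illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("service")
logging.basicConfig(level=logging.INFO)


def find_user(user_id):
    """Hypothetical handler whose backing store fails; the error text is constructed."""
    if not str(user_id).isdigit():
        raise ValueError("user id must be numeric: %r" % user_id)
    raise RuntimeError("ORA-00942: table or view does not exist: SELECT * FROM USERS_V2")


def leaky_dispatch(handler, *args):
    """Before: the raw exception and stack trace become the HTTP response body."""
    try:
        return 200, {"result": handler(*args)}
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def hardened_dispatch(handler, *args):
    """After: the client gets a generic message plus a correlation id; detail stays in the server log."""
    try:
        return 200, {"result": handler(*args)}
    except ValueError:
        # caller's fault: say so, but do not echo the offending value back
        return 400, {"error": "invalid request"}
    except Exception:
        error_id = uuid.uuid4().hex
        log.error("error_id=%s\n%s", error_id, traceback.format_exc())
        return 500, {"error": "internal error", "error_id": error_id}


def leaks_internals(body):
    """Tester's check: does a response body carry database, query or stack-trace detail?"""
    text = " ".join(str(v) for v in body.values())
    markers = ("ORA-", "SELECT ", "Traceback", 'File "', "must be numeric")
    return any(m in text for m in markers)


def compare_responses():
    """Run both dispatchers on the same failing calls and summarise what the client would see."""
    leaky_status, leaky_body = leaky_dispatch(find_user, 42)
    hard_status, hard_body = hardened_dispatch(find_user, 42)
    bad_status, bad_body = hardened_dispatch(find_user, "42; DROP TABLE USERS")
    return {
        "leaky_status": leaky_status,
        "leaky_leaks": leaks_internals(leaky_body),
        "hardened_status": hard_status,
        "hardened_leaks": leaks_internals(hard_body),
        "hardened_has_error_id": len(hard_body.get("error_id", "")) == 32,
        "bad_input_status": bad_status,
        "bad_input_leaks": leaks_internals(bad_body),
    }


if __name__ == "__main__":
    for key, value in compare_responses().items():
        print(key, "=", value)
```

The correlation id is what keeps the hardened version debuggable: support staff look up error_id in the server log and get the full trace, while the client sees nothing about table names, query text or code paths.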

Testing Tools
- SoapUI: REST / SOAP, functional, load
- Wireshark: packet trace, protocols, filters
- AppScan: web apps, services, host environment
- Firefox plugins: HttpFox, TamperData, RESTClient

Wireshark
- Protocols: decodes hundreds of protocols; analyze traffic patterns
- Tracing: live packet capture; offline packet analysis
- Filters: easily filter on protocols; intuitive analysis
- Go deep!

Firefox Plugins
- HttpFox: monitor HTTP traffic; view headers; view cookies
- RESTClient: exercise RESTful web services; test endpoints
- TamperData: modify POST parameters; modify HTTP headers
- 5000 and counting…

SoapUI: One Awesome Tool!
- Project setup
- Test suite creation
- Writing tests
- Groovy scripts

Call To Action
- Join the LDS Tech community
- Identify web service projects
- Start testing!

References
- SoapUI
- Wireshark
- Firefox Plugins