Copyright 2010 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.


1 WS-Attacks.org Project
OWASP
The OWASP Foundation
Andreas Falkenberg, Project leader WS-Attacks.org
Ruhr Uni Bochum, Bochum, Germany
andreas.falkenberg@rub.de
(+49) (0)178-679511
Copyright 2010 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2 It's all about web services
Web services in today's world
  Array of technologies to implement:
    Web APIs
    B2B applications
    SOA scenarios
    Wrap legacy applications
Attacks on web services
  Web services are vulnerable to:
    all classical web application attacks (SQLi, XSS, ...)
    web service specific attacks (Signature Wrapping, ...)
Problem: Where to go for WS-specific attacks?

3 WS-Attacks.org project
What does the WS-Attacks.org project offer?
  First and most comprehensive enumeration of web service specific attack vectors (40+ attacks)
  Each attack is described in detail, including:
    Attack description
    Attack prerequisites
    Attack example
    Countermeasures
What does WS-Attacks.org NOT offer?
  No description of SQLi, XSS and similar attacks
  We already have OWASP for this ;-)

4 Bringing together what belongs together
WS-Attacks.org extends OWASP to the web service attack universe
  Check us out at www.WS-Attacks.org
  Write us at: info@ws-attacks.org
What can we expect in the future?
  More web service specific attacks
  First automated web service attacking framework?? REIN?

