Web Services Testing David Ward. Something To Consider Eight to Eighty Information and Communications Systems Department (ICS) Over 5 years.


1 Web Services Testing David Ward

2 Something To Consider
  - Eight to Eighty
  - Information and Communications Systems Department (ICS)
  - Over 5 years

3 Agenda
  - Web Service Testing Starting Points
  - Security Issues
  - Key Tools
  - Demo
  (slide section tabs: Intro | Security | Tools | Demo)

4 Web Services
  - Headless web application
  - Programmatic interface (WSDL/WADL)
  - HTTP transport
  - XML/JSON data format
  - Common types: SOAP / REST

5 Testing Services
  - Services are a contract - API(s)
  - Test the contract (WSDL / WADL)
  - Is the contract consistent?
  - If the contract changes, it's a new version

6 QA Engineer Profile
  - Programming background
  - Strong personality – developer's advocate
  - Background developing / testing API(s)
  - Security background
  - Influencer

7 Security / Privacy
  - Mark Zuckerberg (Facebook CEO) - 2010: "The age of privacy is over / user information should default to public"
  - Eric Schmidt (Google CEO) - 2009: "search engines including Google do retain information for some time…"

8 Additional Attack Vector
  (diagram) Web UI -> App Server; Web Service -> App Server; App Server -> Database

9 Security Standards
  - SOAP: WS-Security
  - REST: No formal standards; different approaches - Amazon, Flickr, Google

10 SOAP: WS-Security (UsernameToken with PasswordDigest, as captured on the slide)
  <wsse:UsernameToken>
    <wsse:Username>missionary_test_client</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">Q1QSzWSl8JY5AfQykkIoO6hTf3k=</wsse:Password>
    <wsse:Nonce>iWjprJQjnqHmlh8gSyRweg==</wsse:Nonce>
    <wsu:Created>2010-05-04T17:32:26.413Z</wsu:Created>
  </wsse:UsernameToken>
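An added example, not part of the presentation: how the PasswordDigest on the slide is derived from the Nonce and Created values (Base64 of SHA-1 over nonce bytes, timestamp and password, per WSS UsernameToken Profile 1.0), and the server-side checks that make the digest worth having: a freshness window on Created and a one-time nonce cache. The password, nonce bytes and server clock are constructed for the example; only the username and Created value come from the slide.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed credential: the slide shows the username but, naturally, not the password.
USERS = {"missionary_test_client": "constructed-example-password"}
SAMPLE_NONCE = base64.b64encode(b"16 random bytes!").decode()  # 16 bytes, like the slide's nonce
SAMPLE_CREATED = "2010-05-04T17:32:26.413Z"                     # Created value from the slide
SAMPLE_NOW = datetime(2010, 5, 4, 17, 32, 30, tzinfo=timezone.utc)  # server clock, 4 s later

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest per WSS UsernameToken Profile 1.0: Base64(SHA-1(nonce-bytes + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

class UsernameTokenVerifier:
    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self.users = users
        self.max_skew = max_skew
        self.seen_nonces = set()  # a real cache would expire entries after max_skew

    def verify(self, username, digest, nonce_b64, created, now):
        password = self.users.get(username)
        if password is None:
            return "unknown user"
        try:
            created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ")
        except ValueError:
            return "malformed Created"
        if abs(now - created_at.replace(tzinfo=timezone.utc)) > self.max_skew:
            return "stale token"      # an old capture cannot be presented later
        if nonce_b64 in self.seen_nonces:
            return "replayed nonce"   # nor can a fresh token be presented twice
        expected = password_digest(nonce_b64, created, password)
        if not hmac.compare_digest(expected, digest):
            return "bad digest"       # digest does not match this nonce/created/password
        self.seen_nonces.add(nonce_b64)
        return "ok"

def demo():
    # Honest request, immediate replay, digest sent with a different nonce, and a stale replay.
    v = UsernameTokenVerifier(USERS)
    user = "missionary_test_client"
    good = password_digest(SAMPLE_NONCE, SAMPLE_CREATED, USERS[user])
    first = v.verify(user, good, SAMPLE_NONCE, SAMPLE_CREATED, SAMPLE_NOW)
    replay = v.verify(user, good, SAMPLE_NONCE, SAMPLE_CREATED, SAMPLE_NOW)
    other_nonce = v.verify(user, good, "bm90LXNlZW4tYmVmb3Jl", SAMPLE_CREATED, SAMPLE_NOW)
    stale = v.verify(user, good, SAMPLE_NONCE, SAMPLE_CREATED, SAMPLE_NOW + timedelta(hours=1))
    return first, replay, other_nonce, stale
```

Without the freshness and nonce checks, a UsernameToken lifted from a packet trace (the kind Wireshark shows later in this deck) is as reusable as a plaintext password, which is the "WS-Security partially used?" question from the Weak Link slide.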

11 REST: Security
  - No formal security standards
  - Often use SSL - transport only
  - Proprietary authentication steps – Amazon, Flickr, Google - different approaches
  - Session Management – cookies (Oracle WAM)

12 Finding the Weak Link
  - SSL – is the window open?
  - SOAP's WS-Security – partially used?
  - Errors – are they too helpful?
  - Interfaces – are they publicized?
  - "I'm behind the firewall – everything is great!"
  - Obfuscation is weak sauce!
  - Innocent data can be maliciously used

13 Testing Tools
  - SoapUI: REST/SOAP, Functional, Load
  - Wireshark: Packet trace, Protocols, Filters
  - AppScan: Web apps, Services, Host env
  - Firefox plugins: HttpFox, TamperData, RESTClient

14 Wireshark
  - Protocols: Decodes hundreds of protocols; Analyze traffic patterns
  - Tracing: Live packet capture; Offline packet analysis
  - Filters: Easily filter on protocols; Intuitive analysis
  - Go Deep!

15 Firefox Plugins
  - HttpFox: Monitor HTTP traffic; View headers; View cookies
  - RESTClient: Exercise RESTful web services; Test endpoints
  - TamperData: Modify POST parameters; Modify HTTP headers
  - 5000 and counting…

16 SoapUI - One Awesome Tool!
  - Project Setup
  - Test Suite Creation
  - Writing Tests
  - Groovy Scripts

17 Call To Action
  - Join the LDS Tech community
  - Identify Web Service Projects
  - Start testing!

18 References
  - SoapUI – http://www.soapui.org/
  - Wireshark – http://www.wireshark.org/
  - Firefox Plugins – https://addons.mozilla.org/en-US/firefox/
