Chapter 6. Assessing Web Services

This chapter focuses on the technical execution of web service assessment. These services are commonly accessible in corporate environments and over the Internet, and they require a high level of security assurance due to their public nature. In this chapter I discuss the techniques and tools used to fully test HTTP and HTTPS services, along with their enabled components, subsystems, and any custom-written code that may be present.

Web Services

The assessment of various web services and individual subsystems can fill its own book. Web services run over two protocols: HTTP (found on TCP port 80, and sometimes 81, 8080, and others) and HTTPS (an SSL-enhanced web service usually found on TCP port 443).

Many security consultants run simple CGI scanning tools (such as whisker) against web services, an approach that doesn’t fully identify and categorize all the risks at hand. In broad terms, professional assessment of web services involves the following five steps:

  1. Identifying the web service running (such as IIS 4.0 or Apache 1.3.27)

  2. Identifying subsystems and enabled components (such as FrontPage Extensions)

  3. Investigating known vulnerabilities in the web service and its enabled components

  4. Identifying and accessing poorly protected sensitive information

  5. Assessing CGI scripts and custom ASP pages running server-side
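Steps 1 and 2 usually start from the Server response header. The following is an added example, not code from the book: it splits a banner into the web service and its advertised components, working offline on constructed sample responses. The function names and every version string other than Apache 1.3.27 and IIS 4.0 are assumptions made for illustration.

```python
import re

# Constructed sample responses (not captured from any real host).
SAMPLE_APACHE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    b"Server: Apache/1.3.27 (Unix) FrontPage/5.0.2.2623 mod_ssl/2.8.12\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>"
)
SAMPLE_IIS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Either a parenthesised comment such as "(Unix)" or a product[/version] token.
TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")


def parse_headers(raw: bytes) -> dict:
    """Return the response headers as a dict with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def identify(raw: bytes) -> dict:
    """Split the Server banner into service, components and comments.

    The banner is self-reported and can be changed or removed by the
    administrator, so treat the result as a lead to confirm, not a fact.
    """
    banner = parse_headers(raw).get("server", "")
    products, comments = [], []
    for comment, name, version in TOKEN.findall(banner):
        if name:
            products.append((name, version or None))
        else:
            comments.append(comment)
    return {
        "service": products[0] if products else None,  # step 1
        "components": products[1:],                     # step 2
        "comments": comments,
    }
```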

Automated web service scanning tools, such as nikto (http://www.cirt.net/code/nikto.shtml)[1] and N-Stealth (http://www.nstalker.com/nstealth/), are good at ...
