What are the steps to testing a SOAP Web Service using IBM Security AppScan Standard?
Testing a (SOAP) Web Service using AppScan Standard differs slightly from testing a normal Web Application. While the test phase is much the same, the explore phase takes place in a separate client called the Generic Services Client (GSC).
For testing REST Web Services, consult the technote "How to scan REST Web Services".
To properly test a Web Service, you need good test data (for example, SOAP envelopes) for the service methods. Wherever possible, source this from the Web Service's own test data, preferably requests that produce a good (positive) response from the method invocation, since a request that the service rejects gives AppScan nothing useful to mutate.
The other thing that is typically necessary is the Web Services Description Language (WSDL) file or URL, which describes the method declarations for the service.
Once the WSDL file/URL and the test data are obtained, testing the service generally follows this procedure:
- In Rational AppScan Standard, create a new Regular Scan template (File > New...).
- In the Scan Configuration Wizard, select the type of scan as 'Web Service Scan' then click Next.
- For the WSDL URL, enter the URL from which the WSDL can be obtained. A sample Web Service is present on the demo Altoromutual site using the WSDL URL http://www.altoromutual.com/transfer/transfer.asmx?wsdl. Once entered, click Next.
- The Test Policy should use the "Web Services" policy, as this contains the tests specifically useful for Web Services testing. Once selected, click Next.
- On the final Wizard screen, click Finish.
When the GSC client launches, the WSDL is imported automatically, so the Call Library list should show the methods declared in the WSDL.
If this has not occurred, add the WSDL manually using the GSC's add-WSDL button.
Once the methods are available, you can invoke them to generate the requests that Rational AppScan Standard will then modify to deliver its attack vectors to each Web Service method and test it for vulnerabilities.
Testing a method is fairly straightforward:
- Enter the test data through the 'Form', 'Tree', or 'Source' view of the Edit Data step (the TransferBalance method of the demo Web Service is a convenient example).
- With the test data completed, click the "Invoke" button.
- Verify that the response from the Web Service is as expected (a positive result rather than a SOAP Fault or an error page).
- This is all that is required to include the method in the test run. Repeat the first three steps for each method to be tested.
- When all of the methods to be tested have been invoked and return good responses, close the GSC tool to complete the explore phase.
- When the GSC tool closes, Rational AppScan Standard processes the URLs that were explored and adds them to the site tree.
- Finally, start the test phase via Scan > Test Only in the Rational AppScan Standard GUI.
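The test data that GSC records for each invoked method is an ordinary SOAP 1.1 request: a POST to the endpoint named in the WSDL, a SOAPAction header, and an Envelope/Body carrying the method call. The added example below (written for this page, not IBM's code, and not part of AppScan or GSC) shows what that looks like and how to check a response before closing GSC. It parses a constructed, minimal WSDL (not the real altoromutual.com WSDL), builds the envelope that would be pasted into the "Source" view, and classifies a response as a positive result or a SOAP Fault; the endpoint http://example.invalid/transfer/transfer.asmx and the TransferBalance parameters fromAccount, toAccount and amount are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespaces used by WSDL 1.1 / SOAP 1.1 documents.
NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
}
ET.register_namespace("soap", NS["env"])

# Constructed, minimal WSDL for illustration only. It is loosely modelled on a
# transfer service but is NOT the real altoromutual.com WSDL, and the parameter
# names used further down (fromAccount, toAccount, amount) are hypothetical.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="http://example.invalid/transfer/"
             targetNamespace="http://example.invalid/transfer/">
  <portType name="TransferSoap">
    <operation name="TransferBalance"/>
    <operation name="GetBalance"/>
  </portType>
  <binding name="TransferSoap" type="tns:TransferSoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="TransferBalance">
      <soap:operation soapAction="http://example.invalid/transfer/TransferBalance"/>
    </operation>
    <operation name="GetBalance">
      <soap:operation soapAction="http://example.invalid/transfer/GetBalance"/>
    </operation>
  </binding>
  <service name="Transfer">
    <port name="TransferSoap" binding="tns:TransferSoap">
      <soap:address location="http://example.invalid/transfer/transfer.asmx"/>
    </port>
  </service>
</definitions>"""

# Constructed responses of the kind GSC shows after "Invoke": one positive
# result and one SOAP Fault (which must NOT be accepted as good test data).
GOOD_RESPONSE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<TransferBalanceResponse xmlns="http://example.invalid/transfer/">'
    '<TransferBalanceResult>true</TransferBalanceResult></TransferBalanceResponse>'
    '</soap:Body></soap:Envelope>'
)
FAULT_RESPONSE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<soap:Fault><faultcode>soap:Server</faultcode>'
    '<faultstring>Insufficient funds</faultstring></soap:Fault>'
    '</soap:Body></soap:Envelope>'
)


def parse_wsdl(wsdl_text):
    """Return (endpoint URL, target namespace, {operation: soapAction}) from a WSDL 1.1 document."""
    root = ET.fromstring(wsdl_text)
    tns = root.get("targetNamespace")
    address = root.find(".//wsdl:service/wsdl:port/soap:address", NS)
    endpoint = address.get("location")
    ops = {}
    for op in root.findall("./wsdl:binding/wsdl:operation", NS):
        soap_op = op.find("soap:operation", NS)
        ops[op.get("name")] = soap_op.get("soapAction") if soap_op is not None else ""
    return endpoint, tns, ops


def build_envelope(tns, operation, params):
    """Build the SOAP 1.1 request envelope for one method call (what goes in GSC's Source view)."""
    ET.register_namespace("tns", tns)
    envelope = ET.Element(f"{{{NS['env']}}}Envelope")
    body = ET.SubElement(envelope, f"{{{NS['env']}}}Body")
    call = ET.SubElement(body, f"{{{tns}}}{operation}")
    for name, value in params.items():
        ET.SubElement(call, f"{{{tns}}}{name}").text = str(value)
    return ET.tostring(envelope, encoding="unicode")


def prepare_request(wsdl_text, operation, params):
    """Assemble the HTTP request GSC would record for a method; reject methods the WSDL does not declare."""
    endpoint, tns, ops = parse_wsdl(wsdl_text)
    if operation not in ops:
        raise ValueError(f"{operation!r} is not declared in the WSDL")
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {"Content-Type": "text/xml; charset=utf-8",
                    "SOAPAction": f'"{ops[operation]}"'},
        "body": build_envelope(tns, operation, params),
    }


def envelope_params(envelope_xml):
    """Read back (operation, {param: value}) from a request envelope, e.g. one recorded by GSC."""
    root = ET.fromstring(envelope_xml)
    call = root.find("env:Body", NS)[0]
    return call.tag.split("}")[-1], {c.tag.split("}")[-1]: (c.text or "") for c in call}


def classify_response(response_xml):
    """Classify a response as ('ok', result element), ('fault', 'code: message') or ('malformed', reason)."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        return ("malformed", str(exc))
    body = root.find("env:Body", NS)
    if body is None or len(body) == 0:
        return ("malformed", "no Body element")
    fault = body.find("env:Fault", NS)
    if fault is not None:
        return ("fault", f"{fault.findtext('faultcode', default='?')}: "
                         f"{fault.findtext('faultstring', default='')}")
    return ("ok", body[0].tag.split("}")[-1])


if __name__ == "__main__":
    req = prepare_request(SAMPLE_WSDL, "TransferBalance",
                          {"fromAccount": "1001", "toAccount": "1002", "amount": "10"})
    print(req["headers"], req["body"], sep="\n")
    print(classify_response(GOOD_RESPONSE), classify_response(FAULT_RESPONSE))
```

Only requests whose response classifies as "ok" are worth keeping in GSC: a method that returns a Fault for its seed data will return Faults for most of AppScan's mutated requests too, which masks any real findings behind uniform error responses.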
During the scan, the vulnerabilities found are reported in exactly the same way as for a regular Web Application scan.
Short demos of using AppScan with GSC are here:
- http://www.youtube.com/watch?v=SCCq81QRSCM (an older video)
NOTE: If you have been asked to test Web Services with AppScan, ask the Web Services development team whether they have SOAP request files that they used to test the functionality of the services. You can use them directly by copying them into the GSC tool (into the "Source" tab).