I will be presenting “Don’t Drop the SOAP: Real World Web Service Testing for Web Hackers” at Black Hat USA and DEFCON 19 in Las Vegas next week with fellow security researchers Joshua “Jabra” Abraham and Kevin Johnson. In our talk we will discuss the issues of testing web services and some of the new attacks in modern web services. We are scheduled to speak at 10 a.m., Thursday, August 4 at Black Hat USA and at 10 a.m., Saturday, August 6 at DEFCON 19.
In our research, we found web services haven’t gotten the attention they deserve from the security community in the last several years. Penetration testers have struggled with how to test web services properly, and wrangled with poor tools and outdated testing methodologies. Unfortunately, developers have gotten ahead of us and have developed very good functional testing tools and methods to keep up with the technology. Of course these tools account for only functional testing, and many developers don’t even think of testing the security of these services. This talk aims to change that!
In our talk we will release a new testing methodology that will be integrated into the new version of the OWASP Testing Guide, as well as some new tools and an open source vulnerable web service that can be used by penetration testers to test web service tools and testing techniques. This code will be part of the DVWA (Damn Vulnerable Web Application) testing suite. DVWA also is included as part of the Samurai WTF (Web Testing Framework) Live CD. In addition, we will talk about some of the new web service technology such as WCF (Windows Communication Foundation), Microsoft Silverlight, and BPEL. Lastly, we will release some new web service testing modules for the Metasploit Framework as well as a very detailed white paper with the new testing methodology. Our white paper will be posted shortly after the talk at Black Hat USA on Thursday in our white paper section. UPDATE (8/4): The white paper can be downloaded here.
See you in Vegas!