1 / 18

Web Services Testing

Web Services Testing. David Ward. Something To Consider. Eight to Eighty. Information and Communications Systems Department (ICS) Over 5 years. Agenda. Web Services. Headless web application Programmatic interface (WSDL/WADL) HTTP transport XML/JSON data format

sven
Download Presentation

Web Services Testing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Services Testing David Ward

  2. Something To Consider Eight to Eighty Information and Communications Systems Department (ICS) Over 5 years

  3. Agenda

  4. WebServices • Headless web application • Programmatic interface (WSDL/WADL) • HTTP transport • XML/JSON data format • Common types SOAP / REST

  5. TestingServices • Services are a contract - API(s) • Test the contract (WSDL / WADL) • Is the contract consistent? • If the contract changes, its a new version

  6. QAEngineer Profile • Programming background • Strong personality – developer’s advocate • Background developing / testing API(s) • Security background • Influencer

  7. Security / Privacy • Mark Zuckerberg(FacebookCEO) - 2010 The age of privacy is over / user information should default to public • Eric Schmidt(Google CEO) - 2009 search engines including Google do retain information for some time…

  8. Additional Attack Vector

  9. SecurityStandards

  10. SOAP: WS-Security <soap:Header> <wsse:Securitysoap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:UsernameTokenwsu:Id="UsernameToken-33" xmlns:wsu="http://docs.oasis- open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsse:Username>missionary_test_client</wsse:Username> <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token- profile1.0# PasswordDigest">Q1QSzWSl8JY5AfQykkIoO6hTf3k=</wsse:Password> <wsse:NonceEncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401- wss-soap-message-security-1.0# Base64Binary">iWjprJQjnqHmlh8gSyRweg==</wsse:Nonce>   <wsu:Created>2010-05-04T17:32:26.413Z</wsu:Created>   </wsse:UsernameToken> </wsse:Security>   </soap:Header>

  11. REST: Security • No formal security standards • Often use SSL - transportation only • Proprietary authentication steps • Amazon, Flickr, Google - different approaches • Session Management – cookies (Oracle WAM)

  12. FindingtheWeakLink • SSL – is the window open? • Soap’s WS-Security – partially used? • Errors – are they too helpful? • Interfaces – are they publicized? • I’m behind the firewall – everything is great! • Obfuscation is weak sauce! • Innocent data can be maliciously used

  13. TestingTools

  14. Wireshark Go Deep!

  15. Firefox Plugins 5000 and counting…

  16. SoapUI One Awesome Tool!

  17. Call To Action

  18. References • SoapUI • http://www.soapui.org/ • Wireshark • http://www.wireshark.org/ • Firefox Plugins • https://addons.mozilla.org/en-US/firefox/

More Related