Penetration Test Tool for XML-based Web Services

Christian Mainka, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk

International Symposium on Engineering Secure Software and Systems 2013


XML is a platform-independent data format applied in a vast number of applications. Starting with configuration files, up to office docu- ments, web applications and web services, this technology adopted nu- merous – mostly complex – extension specifications. As a consequence, a completely new attack scenario has raised by abusing weaknesses of XML-specific features. In the world of web applications, the security evaluation can be assured by the use of different penetration test tools. Nevertheless, compared to prominent attacks such as SQL-Injection or Cross-site scripting (XSS), there is currently no penetration test tool that is capable of analyzing the security of XML interfaces. In this paper we motivate for develop- ment of such a tool and describe the basic principles behind the first automated penetration test tool for XML-based web services named WS-Attacker.


Tags: Pentest, Signature Wrapping, Single Sign-On, XML-Security