[Owasp-codereview] Web Services - UDDI/ SOAP

Joshua Perrymon josh at packetfocus.com
Thu Jul 31 05:42:51 EDT 2008

Not sure if this is the best list to ask.. but here goes.


I'm researching web services heavily, in part due to a current white box app
assessment and code review. During the "blackbox" assessment I identified
that injecting a ' in the application form fields caused a server error
"Unclosed quotation mark before the character string '' order by Date DESC'.


So this tells me there is a definite injection potential. After digging into
the error message I found that this was a SOAP exception. So if I got this
SOAP error, then the app uses XPATH / XQUERY to retrieve the database data
and format it using XML? From the error, that looks like an SQL statement
to me, but the error points to SOAP so I'm just a little confused.


During a webscarab crawl I identified an encoded string in the app that I
have determined to be a UDDI. (It follows the exact length and layout of
valid UDDIs I looked at.)


The problem I'm having is that I'm not finding public WSDL files to give
more insight on the services. If that is in fact a UDDI for the application, is
it possible to connect to it and enumerate WSDL information? I downloaded
soapUI 2.0.2 and my goal is to attempt to create SOAP messages calling the
services directly.


Should I use webscarab along with WSmap to help identify the WSDL file? The
site is protected behind an authentication scheme so I'd need to configure
the appropriate session and cookie values for the spider to work correctly.


Any ideas / input / next steps?

Joshua Perrymon, CEH, OPST, OPSA
CEO PacketFocus LLC
Josh at packetfocus.com
www.packetfocus.com
President Alabama OWASP Chapter, www.owasp.org
Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com
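Added example (not part of the original post or of the application under review): the symptom described above, a database parser error surfacing inside a SOAP fault, comes from splicing a form field into SQL text and then letting the raw exception reach the client. The script below contrasts that pattern with a parameterised query and a fault handler that keeps the driver message server-side. It uses an in-memory SQLite table and constructed sample rows, so SQLite's error wording differs from SQL Server's "Unclosed quotation mark".

```python
import sqlite3
from xml.sax.saxutils import escape

def make_db():
    # Constructed in-memory table standing in for the application's database.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE reports (title TEXT, date TEXT)")
    con.executemany("INSERT INTO reports VALUES (?, ?)",
                    [("alpha", "2008-07-01"), ("beta", "2008-07-30")])
    return con

def search_concat(con, term):
    # Vulnerable pattern: the form field is spliced into the SQL text, so a
    # lone quote leaves an unterminated string literal and the statement fails
    # to parse. SQL Server reports this as "Unclosed quotation mark"; SQLite's
    # wording differs, but the failure mode is the same.
    sql = ("SELECT title FROM reports WHERE title = '" + term
           + "' ORDER BY date DESC")
    return [row[0] for row in con.execute(sql)]

def search_param(con, term):
    # Hardened: the value is bound as a parameter and never becomes SQL text,
    # so a quote is just data and the query simply matches nothing.
    sql = "SELECT title FROM reports WHERE title = ? ORDER BY date DESC"
    return [row[0] for row in con.execute(sql, (term,))]

def soap_response(handler, con, term, log):
    """Run a search and wrap it in a SOAP-style envelope. Database errors are
    recorded server-side and replaced with a generic Fault, so the client
    never receives the driver's message or the fragment of SQL inside it."""
    try:
        rows = handler(con, term)
        body = "".join(f"<title>{escape(t)}</title>" for t in rows)
        return ("<soap:Envelope><soap:Body><SearchResult>" + body
                + "</SearchResult></soap:Body></soap:Envelope>")
    except sqlite3.Error as exc:
        log.append(f"db error for term {term!r}: {exc}")
        return ("<soap:Envelope><soap:Body><soap:Fault>"
                "<faultcode>soap:Server</faultcode>"
                "<faultstring>Internal error</faultstring>"
                "</soap:Fault></soap:Body></soap:Envelope>")

if __name__ == "__main__":
    con, log = make_db(), []
    print(soap_response(search_concat, con, "'", log))  # generic Fault only
    print(soap_response(search_param, con, "'", log))   # empty result, no error
    print(log)                                          # real cause stays server-side
```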