[OWASP-TESTING] Web services - DV Auth or Auth DV???

Eoin Keary eoinkeary at hotmail.com
Tue May 24 09:53:23 EDT 2005

Just I'd throw this out so see opinion:

A webservice:
Uses HTTPS. The Payload (SOAP) is in the HTTP Header.
The password and UserId are also in the HTTP header as header parameters.
(We can see the obvious issues here already?!#!?)

The service needs a requester to be authenticated.
So sneding SOAP request (Over HTTPS) to this service gives us "Access 
Denied" as I put in an incorrect password...ok so far
Sending a modified request which the XML schema does not like (malformed 
request for example) gives us a Data validation error....So DV is done 
before authentication.

Which should come first in the case of webservices...?
DV or Auth.
If DV is first we may be able to do a DoS by sending 1000's of requests, 
each one needing to be DV'ed. (Webservices are prone to DOS attacks).
By doing Auth first, we need to DV the userId and password, Authenticate and 
then continue with the DV, which is complex....

Anyone have any ideas which should be first, the "chicken or the egg"?
I have my own opinions but what do you good people think?

Don't know what Meegos are? Click to find out. http://meegos.msn.ie

More information about the Owasp-testing mailing list