Archived PushToTest site

Web Security Test Solutions with TestMaker and soapUI

9 Top Web Service Security Attacks

Web Service security testing requires a thorough and orchestrated approach to mitigate business risk effectively. Web Services using SOAP or REST interfaces are vulnerable to many types of attacks:
  1. Boundary Scans exploit bad handling of values that fall outside defined ranges
  2. Cross Site Scripting enables functional changes in services and bypasses access controls
  3. Parameter Fuzzy Values use unexpected values in service calls to reach restricted functions
  4. Malformed XML exploits bad handling of invalid XML in your service
  5. Malicious Attachments exploit bad handling of attached files
  6. SQL Injection exploits bad database integration coding
  7. XML Bomb exploits bad handling of malicious XML requests
  8. XPath Injection exploits bad XML processing inside your target service
  9. Invalid Types test the handling of invalid input data

Each of these attacks can come from multiple networks, data centers, and geographic regions, and each can happen at any point in time. Continuous Web Service security testing is mandatory to reduce business risk. Read the soapUI tutorial to learn how.

PushToTest TestMaker with soapUI Pro provides a continuous end-to-end Web Service security testing platform for your SOAP- and REST-based services.

Deploying security tests to multiple locations

TestMaker integrates with Continuous Integration environments like Hudson, Jenkins, and Bamboo. These CI tools schedule security test runs to coincide with new software releases or to run on a timed schedule. TestMaker deploys the soapUI tests to one or more TestNodes operating around your network and the globe. They pummel the service under test with cross-site scripting attacks, malicious attachments, XPath injection attacks and all the rest.

soapUI Pro provides automatic generation of security suites. White-box testers write the security tests; TestMaker makes them data-driven and deploys them to grid and cloud environments.

Running security tests in parallel with stress and performance testing uncovers cases that neither stress testing nor security testing would reveal on their own. This frees the testers to think about what constitutes a failure and a mitigation.

Running a soapUI security test in a TestMaker Production Monitor enables continuous security testing. TestMaker logs the results to a historical results repository for ongoing compliance with Service Level Agreements (SLAs) and Security Agreements.

-Frank