wsChess – Web Services Assessment and Defense Toolkit



A set of tools written C# for the .Net platform. This is a prototype, released as beta with limited support at this point. It has the following tools:



wsPawn - Web services footprinting, discovery, search & domain footprinting tools. If you are looking for registered web services and their access points, this tool will help you in retrieving information from public UDDI.

wsKnight - Web services profiling, proxy and audit tool. This tool helps in profiling web services from its WSDL. It also allows you to invoke methods and intercept them before they go on the wire to the target, so that you can manipulate the SOAP envelope if needed. The autoaudit feature allows you to inject characters and attack strings for assessment work.


wsRook - This is a very simple technology demonstration for developers. This is a regular expression-based defense for web services input content. This is a hook in HTTP pipe using the HttpModule interface.



Whitepapers are included for better understanding for all these tools.



Note:This is a prototype release and is not tested. Please report your bugs and ideas to wschess@net-square.com. Over next few weeks these tools are going to be tested and subsequent releases will be posted on same location.




Build of wspawn(command line)can run on linux with mono




White Papers


Web ServicesAttacks and Defense

Information Gathering Methods:Footprints, Discovery & Fingerprints

Abstract : Web Services is growing at a rapid rate and bringing into focus, new security issues in the web security landscape. How do we start assessing web services deployed at any corporate location? That is the fundamental question and once again it all starts with information gathering. UDDI, WSDL and SOAP are three cornerstones of this technology and they can be powerful tools for information gathering. Universal Business Registry (UBR) can help in footprinting using UDDI. UBR and technology fingerprinting can be used to perform discovery of web services. The scope in this paper is limited to only the first phase, namely the Web Services Information Gathering Phase. The entire methodology for web services information gathering is covered in this paper. The next two phases of the Assessment methodology are enumeration and defining attack vectors, both extensive topics too. These will be taken up in later papers.



Web ServicesAttacks and Defense

Information Gathering Methods:Enumeration and Profiling

Abstract : Web services hacking begins with the Web Services Definition Language or WSDL. A WSDL file is a major source of information for an attacker. Examining a WSDL description provides critical information like methods, input and output parameters. It is important to understand the structure of a WSDL file, based on which one should be able to enumerate web services. The outcome of this process is a web services profile or matrix. The scope of this paper is restricted to understanding this process. Once this is done, attack vectors for web services can be defined. The scope of attack vectors will be covered in the next paper.



Web application defense at the gates

Leveraging IHttpModule

Abstract : Web applications are vulnerable to many attacks, mainly due to poor input validation at the source code level. Firewalls can block access to ports but once a web application goes live and TCP ports 80 and 443 are accessible, the web application can be an easy prey for attackers. HTTP traffic is legitimate traffic for web applications ; all the more reason to include application-level content- filtering over unencrypted and encrypted communication channels. Application- level content filtering is possible to some extent but may not work over HTTPS (port 443). The only way to provide a strong defense is by applying powerful content- filtering at the application- level for both TCP port 80 and TCP port 443.

The .Net framework with ASP.NET provides the IHttpModule interface access to HTTP pipes – the lowest of programming layers – before an incoming HTTP request hits the web application. This can provide defense at the gates. In this paper, we look at how one can build this sort of defense in all three aspects – coding, deployment and configuration.



Domain Footprinting for Web Applications and Web Services

Abstract : A wide array of services, from banking and finance transactions to auctions and ticket reservations, are being offered to customers online. This means that an Internet presence for companies may encompass several domains for each of the different services being offered online.

Performing web application or web services assessment with "zero" level knowledge for clients can be a daunting task for the web analyst. It is important to locate and footprint all critical domains running web applications or web services.

One of my previous papers discussed host-level footprinting to find applications pointing to specific IP addresses . This paper focuses on domain footprinting and discusses a complete approach to identify and footprint all possible domains running web applications or web services.

Web applications are crawled by all popular search engines. Domains running web applications or web services may have some links that may have been cached and archived by these search engines. This considerably simplifies our task. In this paper, we demonstrate how advanced search options offered by search engines like Google, A9, Yahoo, Alexa and others can be leveraged to obtain critical information about domains.





Please report bugs, send us feedback at wschess@net-square.com