Chapter 6. Assessing Web Services

This chapter focuses on the technical execution of web service assessment. These services are commonly accessible in corporate environments and over the Internet, and they require a high level of security assurance due to their public nature. In this chapter I discuss the techniques and tools used to fully test HTTP and HTTPS services, along with their enabled components, subsystems, and any custom-written code that may be present.

Network Security Assessment

Chapter 1. Network Security Assessment

Chapter 2. The Tools Required

Chapter 3. Internet Host and Network Enumeration

Chapter 4. IP Network Scanning

Chapter 5. Assessing Remote Information Services

Chapter 6. Assessing Web Services

6.1 Web Services

6.2 Identifying the Web Service

6.3 Identifying Subsystems and Components

6.4 Investigating Web Service Vulnerabilities

6.5 Accessing Poorly Protected Information

6.6 Assessing CGI Scripts and Custom ASP Pages

6.7 Web Services Countermeasures

Chapter 7. Assessing Remote Maintenance Services

Chapter 8. Assessing FTP and Database Services

Chapter 9. Assessing Windows Networking Services

Chapter 10. Assessing Email Services

Chapter 11. Assessing IP VPN Services

Chapter 12. Assessing Unix RPC Services

Chapter 13. Application-Level Risks

Chapter 14. Example Assessment Methodology

Appendix A. TCP, UDP Ports, and ICMP Message Types

Appendix B. Sources of Vulnerability Information