Scope
WSSAT performs both static and dynamic tests for security vulnerabilities. The vulnerabilities analysed within the scope of this project are:
1. STATIC TESTING (ANALYSIS)
WSSAT performs static analysis on both the WSDL and the XSD documents of a web service. It checks for the following vulnerabilities by static analysis:
• Weak XML Schema: Unbounded Occurrences
• Weak XML Schema: Undefined Namespace
• Weak WS-SecurityPolicy: Insecure Transport
• Weak WS-SecurityPolicy: Insufficient Supporting Token Protection
• Weak WS-SecurityPolicy: Tokens Not Protected
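A static check along the lines of the two Weak XML Schema items above, as an added example that is not WSSAT's own code: it flags `maxOccurs="unbounded"` and `xs:any`/`xs:anyAttribute` wildcards that accept any namespace. The function name, finding labels and sample schema are constructed for illustration, and the reading of each check name is an assumption about what the category covers.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed sample schema (not taken from WSSAT or any real service).
SAMPLE_XSD = """<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="urn:example:orders">
  <xs:element name="Order">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Item" type="xs:string" maxOccurs="unbounded"/>
        <xs:element name="Note" type="xs:string" maxOccurs="10"/>
        <xs:any processContents="lax"/>
        <xs:any namespace="##other" maxOccurs="5"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>"""


def audit_schema(xsd_text):
    """Return (finding, tag, name) tuples for weak schema constructs.

    For schemas from untrusted sources, parse with a hardened XML parser
    (for example defusedxml) instead of the standard library parser.
    """
    findings = []
    root = ET.fromstring(xsd_text)
    for node in root.iter():
        if not node.tag.startswith(XS):
            continue  # skip anything outside the XML Schema namespace
        local = node.tag[len(XS):]
        label = node.get("name") or node.get("ref") or "-"
        # Unbounded Occurrences: no upper limit on repeated content.
        if node.get("maxOccurs") == "unbounded":
            findings.append(("unbounded-occurrences", local, label))
        # Undefined Namespace (assumed meaning): a wildcard open to any
        # namespace; "##any" is also the default when the attribute is absent.
        if local in ("any", "anyAttribute") and node.get("namespace", "##any") == "##any":
            findings.append(("undefined-namespace", local, label))
    return findings


if __name__ == "__main__":
    for finding, tag, name in audit_schema(SAMPLE_XSD):
        print(f"{finding}: <xs:{tag}> name/ref={name}")
```

The bounded `Note` element and the `##other` wildcard are left unflagged, which is the form a corrected schema would take.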
2. DYNAMIC TESTING
WSSAT checks for the following vulnerabilities by dynamic tests:
• Insecure Communication - SSL Not Used
• Unauthenticated Service Method
• Error Based SQL Injection
• Cross Site Scripting
• XML Bomb
• External Entity Attack - XXE
• XPATH Injection
• HTTP OPTIONS Method
• Cross Site Tracing (XST)
• Missing X-XSS-Protection Header
• Verbose SOAP Fault Message
• Could not establish trust relationship for the SSL/TLS secure channel
3. INFORMATION LEAKAGE
• Server or technology information disclosure
WSSAT provides a dynamic environment in which vulnerabilities can be added, updated or deleted just by editing its vulnerabilities XML files (under the XML directory).