Protect Your Assets

Dynamic Web Services Assessment using HP WebInspect

samareshm ‎06-19-2012 03:56 PM - edited ‎09-29-2015 09:58 AM

“There is no greater agony than bearing an untold story inside you.” - Maya Angelou.

Over the last couple of releases, HP WebInspect has added stellar support for Web Services assessments. However, my interactions with various users have made me feel that the story of our Web Services capabilities hasn’t been fully told yet. HP WebInspect 9.2 packs some powerful new features that can assist in very effective Web Services assessments. A totally reworked Web Service Test Designer can be a great asset when unit testing SOAP-based Web Services.

Here is a summary of the broad new capabilities:


1) Full-fledged assessment: Smart detection engines are now capable of detecting vulnerabilities such as blind SQL injection, local file inclusion, and buffer overflows.

2) Support for WCF: Some basic templates to configure popular WCF options such as Custom, Federation and WSHttpBinding are included by default (ref: figure 1). Advanced configuration will allow non-text encodings such as MTOM and Binary.

Figure 1

3) Handling message security: A large variety of SOAP-based assessments can now be supported using WS-Security and WS-Addressing. A comprehensive setup screen can handle X.509, Kerberos and SAML tokens.

4) RPC support: Users can now work with SOAP services that use RPC encoding. The manual editor can be used to import payload data.

5) Detecting Web Services while scanning regular sites: WebInspect can detect web requests that resemble SOAP message structures. It then adds them to the Recommendations, as shown below. Users can obtain the needed Web Services design to initiate a Web Services scan.



Figure 2
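
The kind of check item 5 describes can be illustrated with a small classifier run over captured requests. This is an added example, not WebInspect's detection logic or code from the original post; the function name `classify_soap`, the sample requests and the `urn:example` service are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Envelope namespaces defined by the SOAP 1.1 and SOAP 1.2 specifications.
SOAP_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/": "1.1",
    "http://www.w3.org/2003/05/soap-envelope": "1.2",
}

def classify_soap(headers, body):
    """Return version, operation and header signals if the request is SOAP, else None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    signals = []
    if "soapaction" in hdrs:
        signals.append("SOAPAction header")
    if "application/soap+xml" in hdrs.get("content-type", "").lower():
        signals.append("soap+xml content type")
    # SOAP forbids DTDs, and ElementTree expands internal entities, so a
    # body carrying a DOCTYPE is rejected before it reaches the parser.
    if b"<!DOCTYPE" in body.upper():
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None  # not well-formed XML (form posts, JSON, ...)
    ns, _, local = root.tag[1:].partition("}") if root.tag.startswith("{") else ("", "", root.tag)
    if local != "Envelope" or ns not in SOAP_NS:
        return None  # XML, but not a SOAP envelope
    body_el = root.find("{%s}Body" % ns)
    operation = None
    if body_el is not None and len(body_el):
        # The first child of Body names the operation being invoked.
        operation = body_el[0].tag.rpartition("}")[2]
    return {"version": SOAP_NS[ns], "operation": operation, "signals": signals}

# Constructed sample requests (headers, body); not captured from a real site.
SAMPLES = [
    ({"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '"urn:example:GetQuote"'},
     b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
     b'<GetQuote xmlns="urn:example"><Symbol>HPQ</Symbol></GetQuote></soap:Body></soap:Envelope>'),
    ({"Content-Type": "application/x-www-form-urlencoded"}, b"user=alice&q=1"),
    ({"Content-Type": "text/xml"}, b'<rss version="2.0"><channel/></rss>'),
]

if __name__ == "__main__":
    for hdrs, body in SAMPLES:
        print(classify_soap(hdrs, body))
```

Requests flagged this way give the endpoints and operation names to look up when obtaining the service definition for a dedicated Web Services scan.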

In future posts I will suggest some good practices on Web Services scan workflow. Please add comments to this post to let us know what features interest you most.
