Protect Your Assets

Dynamic Web Services Assessment using HP WebInspect

samareshm ‎06-19-2012 03:56 PM - edited ‎09-29-2015 09:58 AM


“There is no greater agony than bearing an untold story inside you.” - Maya Angelou.

Over the last couple of releases, HP WebInspect has added stellar support for Web Services assessments. However, my interactions with various users have made me feel that we still have a story about our Web Services capabilities that hasn’t been fully told yet. HP WebInspect 9.2 packs some powerful new features that can assist in very effective Web Services assessments. A totally reworked Web Service Test Designer can be a great asset when unit testing SOAP-based Web Services.

Here is a summary of the broad new capabilities:


1) Full-fledged assessment: Smart detection engines are now capable of detecting vulnerabilities such as blind SQL Injection, local file inclusion, and buffer overflows.

2) Support for WCF: Some basic templates to configure popular WCF options such as Custom, Federation and WSHttpBinding are included by default (ref: figure 1). Advanced configuration will allow non-text encodings such as MTOM and Binary.



Figure 1


3) Handling message security: A large variety of SOAP-based assessments can now be supported using WS-Security and WS-Addressing. A comprehensive setup screen can handle X.509, Kerberos and SAML tokens.

4) RPC support: Users can now work with SOAP services with RPC encoding. The manual editor can be used to import payload data.


5) Detecting Web services while scanning regular sites: WebInspect can detect web requests that resemble SOAP message structures. It then adds them to the Recommendations, as shown below (ref: figure 2). Users can then obtain the needed Web Services design to initiate a Web Services scan.



Figure 2
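
To make item 5 concrete, here is one way a reviewer could flag SOAP-shaped requests in captured traffic when building a Web Services inventory. This is an added example, not part of the original post and not WebInspect's detection logic; the function names, URLs and sample requests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Envelope namespaces from the SOAP 1.1 and SOAP 1.2 specifications.
E11 = "http://schemas.xmlsoap.org/soap/envelope/"
E12 = "http://www.w3.org/2003/05/soap-envelope"
SOAP_NS = {E11: "1.1", E12: "1.2"}
XML_TYPES = {"text/xml", "application/xml", "application/soap+xml"}

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def classify_request(headers, body):
    """Return (soap_version, operation) or None; operation is Body's first child."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in XML_TYPES or "<!DOCTYPE" in body or "<!ENTITY" in body:
        return None  # not XML, or carries a DTD (SOAP forbids DTDs; skip parsing)
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    ns, local = split_tag(root.tag)
    if local != "Envelope" or ns not in SOAP_NS:
        return None
    soap_body = root.find("{%s}Body" % ns)
    if soap_body is None:
        return None
    operation = split_tag(soap_body[0].tag)[1] if len(soap_body) else ""
    return SOAP_NS[ns], operation

def find_soap_endpoints(captured):
    """Map URL -> sorted (version, operation) pairs for SOAP-like requests."""
    found = {}
    for url, headers, body in captured:
        hit = classify_request(headers, body)
        if hit:
            found.setdefault(url, set()).add(hit)
    return {url: sorted(ops) for url, ops in found.items()}

# Constructed sample traffic (not from a real scan).
CAPTURED = [
    ("/services/Orders.asmx", {"Content-Type": "text/xml; charset=utf-8"},
     '<s:Envelope xmlns:s="%s"><s:Body><GetOrder xmlns="urn:example:orders"/></s:Body></s:Envelope>' % E11),
    ("/api/v2/Billing", {"Content-Type": "application/soap+xml"},
     '<e:Envelope xmlns:e="%s"><e:Body><ListInvoices/></e:Body></e:Envelope>' % E12),
    ("/feed", {"Content-Type": "text/xml"}, '<rss version="2.0"><channel/></rss>'),
]
```

Calling `find_soap_endpoints(CAPTURED)` lists the two SOAP endpoints with their operations and leaves out the RSS feed, which is XML but has no SOAP envelope.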

In future posts I will suggest some good practices on Web Services scan workflow. Please add comments to this post to let us know what features interest you most.
