I have to test an application which has REST & SOAP interfaces only over HTTPS.
Is a WAS scan the way to go, or are there specific tools/procedures that need to be used?
Any info in this area will be helpful.
I would like to know whether the SOAP message is scannable on WAS.
If our WAS scan identifies a WSDL file we will do SOAP fuzzing for items like SQL injection. We need the WSDL file to understand the location and parameters accepted by the SOAP WS. We do not support REST yet, but our WAS engine team will be reviewing how to support REST based services in Q1/Q2.
QIDs that will be returned if we identify any web services vulnerabilities are:
150090 - Reflected Cross-Site Scripting (XSS) Vulnerabilities in Web Service Call
150092 - Browser-Specific Cross-Site Scripting (XSS) in Web Service Call
150093 - SQL Injection in Web Service call
If we find the WSDL file during the scan you will also see the following QID even if we don't identify any vulnerabilities:
150087 - Web Service Found
Is there any possibility to add the WSDL file manually for the web services scan, so that the scanner can do SOAP fuzzing?
You can use a whitelist to make sure it is picked up during a scan if it is published. Currently we don't have a way to allow you to upload a WSDL for services. Can you let us know if your issue is that it is published and our crawl doesn't find it (such that whitelisting would help), or if you don't want to publish it but want to upload it for a security scan?
Thank you for the quick reply. Our customer does not want to publish the WSDL file to any accessible web server. Is there any chance that in the future the WAS developers will make a WSDL file upload feature for scanning web services?
We will add this feature request to our roadmap. Prioritization of new features for WAS is based upon how many of our customers request such functionality, so this may be some time in coming.
I'd like to know the roadmap status about uploading a WSDL file to Qualys WAS scanner.
I do need this feature as it's the only way to get it (behaviour of a commercial product).
Adding the WSDL path into the explicit URLs to crawl is still the best method. As stated you should see QID "150087 - Web Service Found" after the scan.
If you are not getting this or proper coverage/results, I would suggest opening a support case so we can properly investigate what is happening on your particular scan.
I already know that, Frank; what about the capability of the tool to upload a WSDL file?
No, I am sorry, not yet. The way I described above is still the best way to proceed with WAS. We hope to add new functionality and capabilities this coming year.
OK, thank you. Please let the community know when some news is available.
Will do Olivier. Also, feel free to contact your TAM at any time for updates.
I've just launched a WAS scan on a WS.
I've put the WSDL URL address in the web app target definition.
In the scan log results I've got:
WS enumeration: 9 vulnsigs tests, completed 20 requests, 0 seconds.
Completed 20 requests of 54 estimated requests (37.037%). All tests completed
But I did not find the item "150087 - Web Service Found".
Am I doing this right?
I will let Will respond also, but based on your reply, I would ask that you try to use a whitelist to make sure it is picked up by the scan.
Frank had a good suggestion - perhaps whitelist the filename for the WSDL file, and use the containing directory as the target (vs the file itself).
If that doesn't work I think we'll need a support case with the details to have engineering take a look at the issue.
Yes, because if I put the WSDL URL in the whitelist, no links are found any more, and no WS item is found.
I tried putting the base path as the main target, then the WSDL URL in the explicit URLs, with nothing in the white and black lists.
Not seen: item "150087 - Web Service Found"
Sounds like we have some kind of condition that is causing a problem - going to need a support case with the scan report and information you have provided. Scan engine team will need to investigate.
I sent some content to the support email yesterday so that this case can be investigated further. Thanks.
Was any progress made on this item? We have developers doing web-services development and I can't find a way to prove that the SOAP fuzzing is actually happening.
I have added the WSDL as an "Explicit URL to crawl" and it does get picked up, plus I see the QID 150087 in the scan report. But it doesn't seem like all the methods are being exercised or perhaps even discovered from the WSDL.
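One way to answer the question above for yourself, as an added example that is not part of the thread and not Qualys code: parse the WSDL the scanner was given, list the operations and request parameters it declares, and compare them with the requests seen by an intercepting proxy placed between the scanner and the service. If an operation the WSDL advertises never appears in the captured traffic, the scanner either did not discover it or did not fuzz it. The WSDL, the endpoint URL, the operation names and the captured requests below are all constructed for the example; the only assumption is that you can capture (URL, SOAPAction header, body) triples with any proxy, nothing about the scanner's internals.

```python
"""Check which operations declared in a WSDL a scan actually exercised.

Added example, not Qualys code. Parses a constructed WSDL, builds SOAP 1.1
envelopes for its operations and compares the declared operations with a
constructed proxy capture of scanner traffic.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
SOAP = "{http://schemas.xmlsoap.org/wsdl/soap/}"
XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed sample WSDL for a hypothetical order service (not a real target).
SAMPLE_WSDL = """<definitions name="Orders" targetNamespace="http://example.test/orders"
  xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://example.test/orders">
  <types><xs:schema targetNamespace="http://example.test/orders">
    <xs:element name="GetOrder"><xs:complexType><xs:sequence>
      <xs:element name="orderId" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
    <xs:element name="SearchOrders"><xs:complexType><xs:sequence>
      <xs:element name="customer" type="xs:string"/>
      <xs:element name="status" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
  </xs:schema></types>
  <message name="GetOrderIn"><part name="parameters" element="tns:GetOrder"/></message>
  <message name="SearchOrdersIn"><part name="parameters" element="tns:SearchOrders"/></message>
  <portType name="OrdersPort">
    <operation name="GetOrder"><input message="tns:GetOrderIn"/></operation>
    <operation name="SearchOrders"><input message="tns:SearchOrdersIn"/></operation>
  </portType>
  <binding name="OrdersBinding" type="tns:OrdersPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="urn:GetOrder"/></operation>
    <operation name="SearchOrders"><soap:operation soapAction="urn:SearchOrders"/></operation>
  </binding>
  <service name="Orders"><port name="OrdersPort" binding="tns:OrdersBinding">
    <soap:address location="https://ws.example.test/orders"/>
  </port></service>
</definitions>"""


def local(qname):
    """'tns:GetOrder' -> 'GetOrder'."""
    return qname.split(":")[-1]


def parse_wsdl(text):
    """Return endpoint, target namespace and {operation: {action, params}}."""
    root = ET.fromstring(text)
    endpoint = root.find(f"{WSDL}service/{WSDL}port/{SOAP}address").get("location")
    # Request element name -> its child parameter names, from the inline schema.
    params = {}
    for el in root.iter(f"{XS}element"):
        if el.find(f"{XS}complexType") is not None:
            params[el.get("name")] = [c.get("name") for c in el.iter(f"{XS}element") if c is not el]
    # Message name -> the request element it carries.
    messages = {m.get("name"): local(m.find(f"{WSDL}part").get("element"))
                for m in root.findall(f"{WSDL}message")}
    # SOAPAction declared for each operation in the binding.
    actions = {op.get("name"): op.find(f"{SOAP}operation").get("soapAction", "")
               for op in root.findall(f"{WSDL}binding/{WSDL}operation")}
    ops = {}
    for op in root.findall(f"{WSDL}portType/{WSDL}operation"):
        name = op.get("name")
        element = messages[local(op.find(f"{WSDL}input").get("message"))]
        ops[name] = {"action": actions.get(name, ""), "params": params.get(element, [])}
    return {"endpoint": endpoint, "namespace": root.get("targetNamespace"), "operations": ops}


def build_envelope(namespace, op, values):
    """Document-style SOAP 1.1 request for one operation; values are XML-escaped."""
    fields = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in values.items())
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soapenv:Body><{op} xmlns="{namespace}">{fields}</{op}></soapenv:Body>'
            '</soapenv:Envelope>')


def operation_coverage(ops, captured):
    """Count captured requests per operation. captured: (url, SOAPAction, body)."""
    counts = {name: 0 for name in ops}
    for _url, action, body in captured:
        for name, info in ops.items():
            by_action = info["action"] and action.strip('"') == info["action"]
            by_body = re.search(rf"<(\w+:)?{re.escape(name)}[\s>/]", body) is not None
            if by_action or by_body:
                counts[name] += 1
    return counts


def uncovered(ops, captured):
    """Operations the WSDL declares but no captured request ever called."""
    return sorted(name for name, n in operation_coverage(ops, captured).items() if n == 0)


# Constructed proxy capture of scanner traffic: two GetOrder probes (one carrying a
# classic SQL injection payload) plus the WSDL fetch, but nothing for SearchOrders.
_NS = "http://example.test/orders"
SAMPLE_CAPTURE = [
    ("https://ws.example.test/orders", '"urn:GetOrder"',
     build_envelope(_NS, "GetOrder", {"orderId": "42"})),
    ("https://ws.example.test/orders", '"urn:GetOrder"',
     build_envelope(_NS, "GetOrder", {"orderId": "42' OR '1'='1"})),
    ("https://ws.example.test/orders?wsdl", "", ""),
]

if __name__ == "__main__":
    wsdl = parse_wsdl(SAMPLE_WSDL)
    for name, info in wsdl["operations"].items():
        print(name, info["action"], info["params"])
    print("coverage:", operation_coverage(wsdl["operations"], SAMPLE_CAPTURE))
    print("never exercised:", uncovered(wsdl["operations"], SAMPLE_CAPTURE))
```

Run it against a real capture by replacing `SAMPLE_WSDL` with the WSDL the scanner fetched and `SAMPLE_CAPTURE` with the triples exported from your proxy; operations listed by `uncovered()` are the ones to raise in a support case, since a scanner that only knows an operation from the WSDL cannot fuzz parameters it never sent. Matching on both the SOAPAction header and the body element avoids missing requests where a scanner omits one or the other.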