Web Services Attacks
  Enumeration & Profiling
    <Service> - Web service name
    <Operation> - Web method
    <Element> - Data types
    <Endpoint> - Web service address
  Parameter Tampering
    Meta-character injection
      ", ', &, %, $
    Data Type Mismatch
      Values belonging to different data types
      Values belonging to arrays or structures
    Large Buffer
      High character length
    Abnormal Values
      Highest value
      Lowest value
      Away from the boundary
    XML Poisoning
    OS Commands
    Junk Data
      "value" ! ls -r
  SOAP Message Tampering
    Brute-forcing using *
    Brute-forcing using username/password files
    Parameter Guessing
  HTTP Method Tampering
    Convert GET to POST
    Convert POST to GET
  SQL Injection
    ', ", -, *, (
    1' or 1=1
  Directory Traversal
    Fault code message contains directory/file information
    ../../../../autoexec.bat