Web services testing

David Ward


Something To Consider

Eight to Eighty

Information and Communications Systems Department (ICS)

Over 5 years


Agenda


Web Services

  • Headless web application

  • Programmatic interface (WSDL/WADL)

  • HTTP transport

  • XML/JSON data format

  • Common types SOAP / REST


Testing Services

  • Services are a contract - API(s)

  • Test the contract (WSDL / WADL)

  • Is the contract consistent?

  • If the contract changes, it's a new version


QA Engineer Profile

  • Programming background

  • Strong personality – developer’s advocate

  • Background developing / testing API(s)

  • Security background

  • Influencer


Security / Privacy

  • Mark Zuckerberg (Facebook CEO) - 2010

    The age of privacy is over / user information should default to public

  • Eric Schmidt (Google CEO) - 2009

    search engines including Google do retain information for some time…


Additional Attack Vector


Security Standards


SOAP: WS-Security

<soap:Header>
  <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-33" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:Username>missionary_test_client</wsse:Username>
      <!-- PasswordDigest = Base64(SHA-1(nonce + created + password)) -->
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">Q1QSzWSl8JY5AfQykkIoO6hTf3k=</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iWjprJQjnqHmlh8gSyRweg==</wsse:Nonce>
      <wsu:Created>2010-05-04T17:32:26.413Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
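
An added example, not part of the original slides: a test-side check of the UsernameToken fields shown above, flagging the partial WS-Security use a tester should look for (plain-text password, digest without Nonce/Created, stale timestamp, reused nonce). The function names, the in-memory password table, the 5-minute window and the sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST, TEXT = PROFILE + "#PasswordDigest", PROFILE + "#PasswordText"

def password_digest(nonce_b64, created, password):
    # Base64(SHA-1(decoded nonce + Created + password)), per the UsernameToken profile
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_header(user, secret, nonce_b64, created, pw_type=DIGEST):
    # Constructed test input (hypothetical helper): the header a client would send
    value = password_digest(nonce_b64, created, secret) if pw_type == DIGEST else secret
    return (f'<Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{pw_type}">{value}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></Header>')

def check_token(header_xml, passwords, seen_nonces, now, max_age=timedelta(minutes=5)):
    """Return findings for one header; an empty list means every check passed."""
    tok = ET.fromstring(header_xml).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return ["no UsernameToken"]
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce, created = tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
    if pw is None or pw.get("Type") != DIGEST:
        return ["password not sent as PasswordDigest"]
    if not nonce or not created:
        return ["digest lacks Nonce or Created, so it can be replayed"]
    findings = []
    if abs(now - datetime.fromisoformat(created.replace("Z", "+00:00"))) > max_age:
        findings.append("Created outside freshness window")
    if nonce in seen_nonces:
        findings.append("nonce reused")
    seen_nonces.add(nonce)
    # Unknown users fail outright instead of being compared against an empty password
    if user not in passwords or not hmac.compare_digest(
            password_digest(nonce, created, passwords[user]).encode(), (pw.text or "").encode()):
        findings.append("digest mismatch")
    return findings

if __name__ == "__main__":
    hdr = build_header("test_client", "constructed-secret", "Y29uc3RydWN0ZWQ=", "2010-05-04T17:32:26.413Z", TEXT)
    print(check_token(hdr, {"test_client": "constructed-secret"}, set(), datetime.now(timezone.utc)))
```

ElementTree is used here only on constructed input; a service parsing untrusted SOAP should use a hardened XML parser.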


REST: Security

  • No formal security standards

  • Often use SSL - protects the transport only

  • Proprietary authentication steps

    • Amazon, Flickr, Google - different approaches

  • Session Management – cookies (Oracle WAM)


Finding the Weak Link

  • SSL – is the window open?

  • SOAP’s WS-Security – partially used?

  • Errors – are they too helpful?

  • Interfaces – are they publicized?

  • I’m behind the firewall – everything is great!

  • Obfuscation is weak sauce!

  • Innocent data can be maliciously used


Testing Tools


Wireshark

Go Deep!


Firefox Plugins

5000 and counting…


SoapUI

One Awesome Tool!


Call To Action


References

  • SoapUI

    • http://www.soapui.org/

  • Wireshark

    • http://www.wireshark.org/

  • Firefox Plugins

    • https://addons.mozilla.org/en-US/firefox/

