Scanning SOAP API Web Services
Invicti identifies vulnerabilities and security issues automatically in a SOAP web service.
Simple Object Access Protocol (SOAP) is an XML-based protocol for accessing web services over HTTP. This protocol lets different web services communicate with each other or talk to client applications that invoke them.
SOAP’s messaging protocol consists of three parts:
- an envelope that defines the message structure and how to process it
- a set of encoding rules for expressing instances of application-defined data types
- a convention for representing procedure calls and responses
As these web services perform their functions in the background, their security is often overlooked. They can, however, prove a fruitful attacking ground for cybercriminals. Invicti can identify the definition files and send attack payloads to identify vulnerabilities in your web application.
Invicti supports the following web service standards:
This topic explains how to scan your web application to identify SOAP-related vulnerabilities.
Scanning a SOAP API web service for vulnerabilities
The WSDL files do not necessarily need to be served on the target server for Invicti to be able to scan a web service. If you have disabled WSDL generation on your production servers because of security concerns, you can import the WSDL file to Invicti before starting the scan. Invicti will parse the imported WSDL document and add the necessary SOAP requests to the scanner.
There are three ways to scan a SOAP API web service:
- Importing the WSDL schema from the file to Invicti
- Importing the WSDL schema from the URL to Invicti
- Automating the discovery of SOAP APIs during crawling
- The From File option lets you import your document to Invicti. This requires you to re-import the file whenever you update your web service.
- The From URL option lets you provide a link for the definition file, so you do not need to import it again to Invicti whenever you update your web service. For further information, see Importing links and API definitions.
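The following is an added illustration of what a WSDL import involves (example code written for this page, not Invicti's own implementation): a small Python parser reads a constructed rpc-style WSDL, lists each operation with its parameters, SOAPAction value and endpoint, and builds the SOAP 1.1 envelope (the message structure described above) for that operation. The WSDL text, the `http://example.invalid/orders` namespace and the endpoint URL are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
SOAP = "{http://schemas.xmlsoap.org/wsdl/soap/}"
ENVELOPE_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed rpc-style WSDL; the namespace and endpoint are placeholders.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://example.invalid/orders"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  targetNamespace="http://example.invalid/orders">
  <message name="GetOrderRequest"><part name="orderId" type="xsd:string"/></message>
  <portType name="OrderPort"><operation name="GetOrder"><input message="tns:GetOrderRequest"/></operation></portType>
  <binding name="OrderBinding" type="tns:OrderPort">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="urn:GetOrder"/></operation>
  </binding>
  <service name="OrderService"><port name="OrderPort" binding="tns:OrderBinding">
    <soap:address location="https://example.invalid/soap/orders"/></port></service>
</definitions>"""

def parse_wsdl(wsdl_text):
    """Return one dict per operation: name, input parts, SOAPAction, endpoint and namespace."""
    root = ET.fromstring(wsdl_text)
    tns = root.get("targetNamespace", "")
    # message name -> list of part names (the parameters a request must carry)
    messages = {m.get("name"): [p.get("name") for p in m.findall(WSDL + "part")]
                for m in root.findall(WSDL + "message")}
    # binding-level operations carry the SOAPAction header value
    actions = {op.get("name"): op.find(SOAP + "operation").get("soapAction", "")
               for op in root.iter(WSDL + "operation") if op.find(SOAP + "operation") is not None}
    address = root.find(".//" + SOAP + "address")
    endpoint = address.get("location") if address is not None else ""
    ops = []
    for port_type in root.findall(WSDL + "portType"):
        for op in port_type.findall(WSDL + "operation"):
            msg = op.find(WSDL + "input").get("message").split(":")[-1]
            ops.append({"name": op.get("name"), "params": messages.get(msg, []),
                        "soap_action": actions.get(op.get("name"), ""),
                        "endpoint": endpoint, "namespace": tns})
    return ops

def build_envelope(op, values):
    """Build a SOAP 1.1 envelope for op; values are XML-escaped so input cannot alter the structure."""
    params = "".join(f"<{p}>{escape(str(values.get(p, '')))}</{p}>" for p in op["params"])
    return (f'<soapenv:Envelope xmlns:soapenv="{ENVELOPE_NS}" xmlns:tns="{op["namespace"]}">'
            f'<soapenv:Body><tns:{op["name"]}>{params}</tns:{op["name"]}>'
            f'</soapenv:Body></soapenv:Envelope>')
```

Running the same inventory over your own WSDL shows which operations and parameters a scanner will exercise, which is also a quick way to confirm that a production endpoint exposes only the operations you intend.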
Importing the WSDL schema from the file to Invicti
How to import WSDL Schema from the file in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, select Scans > New Scan.
- From the Scan Settings section, select Links/API Definitions.
- From the From File section, select Web Service Definition Language (WSDL).
- From the opened window, select the schema file. Then, select Open.
- Once the scanner has imported the schema, the imported entries appear in the Imported Links list, as shown in the screenshot.
- Select Launch to start the scan.
How to import WSDL Schema from the file in Invicti Standard
- Open Invicti Standard.
- From the ribbon, select New.
- From the Start a New Website or Web Service Scan dialog, select Links/API Definitions, then double-click Web Service Definition Language.
- From the Import Links window, select the schema file. Then, select Open.
- Once the scanner has imported the schema, the imported entries appear in the Imported Links list, as shown in the screenshot.
- Select Start Scan.
Importing the WSDL schema from the URL to Invicti
How to import WSDL Schema from the URL in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, select Scans > New Scan.
- From the Scan Settings section, select Links/API Definitions.
- From the From URL section, select Web Service Definition Language.
- From the Add an URL dialog, enter the URL.
- Select OK to import the definition file from the URL to Invicti.
- Select Launch to start the scan.
How to import WSDL Schema from the URL in Invicti Standard
- Open Invicti Standard.
- From the ribbon, select New.
- From the Start a New Website or Web Service Scan dialog, select Links/API Definitions, then double-click Web Service Definition Language.
- On the Web Service Definition Language (WSDL) dialog, enter a URL.
- Select OK to import the definition file from the URL to Invicti.
- Select Start Scan.
Automating the discovery of SOAP APIs during crawling
Invicti automatically imports, crawls, and scans a SOAP API web service if the scanner identifies the web service during a scan. Once the scanner identifies the definition file, it starts sending attack payloads to detect vulnerabilities.
When the scanner identifies a SOAP API web service during a crawl, it also reports it in the Knowledge Base node. This is what the SOAP APIs node looks like in the Knowledge Base section of the Technical Report in Invicti Enterprise.
This is what SOAP APIs look like in the Scan Summary Dashboard in Invicti Standard.