Penetration Test Tool for XML-based Web Services
Christian Mainka, Vladislav Mladenov, Juraj Somorovsky, Jörg Schwenk
International Symposium on Engineering Secure Software and Systems 2013
Abstract
XML is a platform-independent data format applied in a vast number of applications. From configuration files to office documents, web applications and web services, this technology has adopted numerous – mostly complex – extension specifications. As a consequence, a completely new attack scenario has arisen that abuses weaknesses of XML-specific features. In the world of web applications, security can be evaluated using different penetration test tools. Nevertheless, in contrast to prominent attacks such as SQL injection or cross-site scripting (XSS), there is currently no penetration test tool capable of analyzing the security of XML interfaces. In this paper we motivate the development of such a tool and describe the basic principles behind the first automated penetration test tool for XML-based web services, named WS-Attacker.