Round-up: SOAP inspection / tampering tools?

["Sebastien Deleersnyder" <sdl () ascure com>]

Hi,

Please find the compilation of tools I received for this question below.
Thanks for your responses.
Sebastien

One interesting remark on "even less secure" development/deployment of
Web Services 
> An interesting note too, the SOAP apps I've audited tend to come out
with even more (and more serious) issues than web 
> apps.  I haven't done a ton of SOAP audits by any means, but I'm
getting the general impression that security awareness 
> on that side is even lower than on the web side.   Has anyone else been
seeing that ?

An explanation for this can be that due to the more complex security
models of J2EE and .NET a lot of the increased security 'out-of-the-box'
is lost by developer/operations ignorance and lack of knowledge.


List:
WebScarab is one such intercept tool that you could use:
(http://www.owasp.org/software/webscarab.html)
Alternatively this link lists various web proxies with their
differences. http://dawes.za.net/rogan/exodus/comparison.php
Also see
http://www.professionalsecuritytesters.org/modules.php?name=News&new_top
ic=16, an index of WebProxies
XMLSPY is a commercial product available at
http://www.xmlspy.com/features_soap.html
There is a SOAP add-on version of ethereal created by Westbridge that is
free. I have used it several times successfully to monitor, and conduct
assessments - The link is
http://www.westbridgetech.com/soapmonitordownload.html
Vordel SOAPbox A FREE Web Services security test tool:
http://www.vordel.com/soapbox/index.html
other links/tools:
http://www.spidynamics.com/products/security/toolkit/
SPI Dynamics (http://www.spidynamics.com) has a couple of commercial
tools that allow both automated, and manual assessment of SOAP
Applications. 
SOAP Editor (Part of the SPI Toolkit)
"SPI Dynamics' SOAP Editor is used to generate Simple Object Access
Protocol (SOAP) requests automatically, and to manually edit SOAP
requests and responses."
http://www.spidynamics.com/products/Comp_Audit/toolkit/soap.html
SPI Proxy (Part of the SPI Toolkit)
"SPI Dynamics' SPI Proxy is a stand-alone, self-contained proxy server
that you can configure and run on your desktop. "
http://www.spidynamics.com/products/Comp_Audit/toolkit/proxy.html
Webinspect
"Enterprises with Web services implementations can automatically assess
a Web service by discovering all XML input parameters and performing
parameter manipulation on each XML field looking for vulnerabilities
within the service itself."
http://www.spidynamics.com/products/QA/WI/index.html
article
http://archives.neohapsis.com/archives/sf/pentest/2003-11/0073.html

Sanctum:
http://www.sanctuminc.com/solutions/appscanaud/features/index.html

none soap specific per se but great at acting as a man in the middle for
altering/inspection:
Achilles at http://achilles.mavensecurity.com/
burp proxy at http://www.portswigger.net/proxy/help.html
for a bit more indepth but open source - spike proxy
http://www.immunitysec.com/resources-freesoftware.shtml
oops.. forgot fiddler in that list as well
http://www.bayden.com/fiddler/ 


Sebastien Deleersnyder wrote:

> Hi,
>  
> Are there any open-source / commercial tools available for inspection 
> / modification of SOAP traffic to perform audits on its security?
> I am thinking of a local proxy-like program through which SOAP traffic

> is channeled by e.g. modifying localhost : redirect traffic destined 
> for target.com to 127.0.0.1 The tool would allow for changing the SOAP

> content both in the request/reply.
> I imagine that this only makes sense if the SOAP goes over HTTP, HTTPS

> protects against sniffing.