
Re: [WEB SECURITY] Scanning Web Services That Require Signed SOAP Requests



Hi,

Rational AppScan has this integrated into the product - the GSC tool for
web services, which comes bundled with AppScan, supports all kinds of
WS-Security standards, including certificates for signing message bodies.

-Ory
-------------------------------------------------------------
Ory Segal
Security Products Architect
AppScan Product Manager
Rational, Application Security
IBM Corporation
Tel: +972-9-962-9836
Mobile: +972-54-773-9359
e-mail: segalory@il.ibm.com 




From: Brian Shura <bshura73@gmail.com>
To: websecurity@webappsec.org
Date: 05-02-10 08:15 PM
Subject: [WEB SECURITY] Scanning Web Services That Require Signed SOAP Requests



I'm planning to test a web service that requires the client to use a 
certificate to sign the message body of each SOAP request using the WS 
security standard.  Are there any scanners out there that can effectively 
scan this type of web service?  I know that many scanners support client 
SSL certificates, but this is a bit different.

Thanks,
Brian




Brought to you by http://www.webappsec.org