
Scanning SOAP API Web Services

Netsparker identifies vulnerabilities and security issues automatically in a SOAP web service.

Simple Object Access Protocol (SOAP) is an XML-based messaging protocol for invoking web services, usually over HTTP. It lets web services communicate with each other and with the client applications that call them.

SOAP's messaging protocol consists of three parts:

  • an envelope that defines the message structure and how to process it
  • a set of encoding rules for expressing instances of application-defined data types
  • a convention for representing procedure calls and responses

Because these web services do their work in the background, their security is often overlooked, yet they are an attractive target for attackers: the service definition lists every operation and parameter that can be reached. Netsparker can identify the definition files and send attack payloads to each operation to identify vulnerabilities in your web application.

Netsparker supports the following web service standards:

This topic explains how to scan your web application to identify SOAP-related vulnerabilities.

Scanning a SOAP API web service for vulnerabilities

The WSDL file does not have to be served by the target server for Netsparker to scan the web service. If you have disabled WSDL generation on your production servers for security reasons, import the WSDL file into Netsparker before starting the scan. Netsparker parses the imported WSDL document and adds the corresponding SOAP requests to the scan.
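To make concrete what parsing the WSDL and adding the necessary SOAP requests involves, and how the envelope, body element and parameters from the protocol description above fit together, here is an added Python example. It is not Netsparker code: it takes a constructed, hypothetical WSDL for an OrderService at example.test and turns it into one SOAP 1.1 request per operation and parameter, with a test payload placed in exactly one parameter each time. The same template generation applies whether the WSDL was imported from a file, fetched from a URL, or discovered while crawling.

```python
"""Derive SOAP request templates from a WSDL 1.1 document and place a test
payload into one parameter at a time, which is what a scanner must do before
it can probe a web service whose WSDL was imported rather than crawled.
Added example for this page; not Netsparker code. The WSDL below is
constructed and the example.test endpoint is hypothetical."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "xs": "http://www.w3.org/2001/XMLSchema",
}

# Constructed sample WSDL (document/literal, two operations). Not a real service.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="OrderService" targetNamespace="http://example.test/orders"
  xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://example.test/orders">
  <types><xs:schema targetNamespace="http://example.test/orders">
    <xs:element name="GetOrder"><xs:complexType><xs:sequence>
      <xs:element name="orderId" type="xs:string"/>
      <xs:element name="includeHistory" type="xs:boolean"/>
    </xs:sequence></xs:complexType></xs:element>
    <xs:element name="CancelOrder"><xs:complexType><xs:sequence>
      <xs:element name="orderId" type="xs:string"/>
      <xs:element name="reason" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
  </xs:schema></types>
  <message name="GetOrderIn"><part name="parameters" element="tns:GetOrder"/></message>
  <message name="CancelOrderIn"><part name="parameters" element="tns:CancelOrder"/></message>
  <portType name="OrderPort">
    <operation name="GetOrder"><input message="tns:GetOrderIn"/></operation>
    <operation name="CancelOrder"><input message="tns:CancelOrderIn"/></operation>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="http://example.test/orders/GetOrder"/></operation>
    <operation name="CancelOrder"><soap:operation soapAction="http://example.test/orders/CancelOrder"/></operation>
  </binding>
  <service name="OrderService"><port name="OrderPort" binding="tns:OrderBinding">
    <soap:address location="https://example.test/ws/orders.asmx"/>
  </port></service>
</definitions>
"""

# Type-appropriate filler so untested parameters pass schema validation.
SAMPLE_VALUES = {"xs:string": "abc", "xs:boolean": "true", "xs:int": "1"}


def parse_wsdl(text):
    """Return the endpoint URL, target namespace and, for each portType
    operation, its body element and (name, type) input parameters."""
    root = ET.fromstring(text)
    elements = {}  # schema element name -> [(param name, param type)]
    for el in root.findall("wsdl:types/xs:schema/xs:element", NS):
        elements[el.get("name")] = [(p.get("name"), p.get("type"))
                                    for p in el.iterfind(".//xs:element", NS)]
    messages = {m.get("name"): m.find("wsdl:part", NS).get("element").split(":")[-1]
                for m in root.findall("wsdl:message", NS)}
    actions = {}  # operation name -> SOAPAction from the binding
    for op in root.findall("wsdl:binding/wsdl:operation", NS):
        soap_op = op.find("soap:operation", NS)
        actions[op.get("name")] = soap_op.get("soapAction", "") if soap_op is not None else ""
    endpoint = root.find("wsdl:service/wsdl:port/soap:address", NS).get("location")
    operations = []
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        element = messages[op.find("wsdl:input", NS).get("message").split(":")[-1]]
        operations.append({"name": op.get("name"), "element": element,
                           "params": elements[element], "action": actions.get(op.get("name"), "")})
    return {"endpoint": endpoint, "namespace": root.get("targetNamespace"), "operations": operations}


def build_request(wsdl, op, overrides=None):
    """Build a SOAP 1.1 request (URL, headers, envelope) for one operation.
    Overrides are XML-escaped so the envelope stays well-formed and the value
    reaches the application; an XML-injection check would skip the escaping."""
    overrides = overrides or {}
    fields = "".join(
        f"<{name}>{escape(str(overrides.get(name, SAMPLE_VALUES.get(typ, 'abc'))))}</{name}>"
        for name, typ in op["params"])
    body = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soapenv:Body><{op["element"]} xmlns="{wsdl["namespace"]}">{fields}'
            f'</{op["element"]}></soapenv:Body></soapenv:Envelope>')
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": f'"{op["action"]}"'}
    return {"url": wsdl["endpoint"], "headers": headers, "body": body}


def payload_requests(wsdl_text, payload):
    """One request per (operation, parameter), with the payload in that
    parameter only, so any finding can be attributed to a single input."""
    wsdl = parse_wsdl(wsdl_text)
    out = []
    for op in wsdl["operations"]:
        for name, _ in op["params"]:
            req = build_request(wsdl, op, {name: payload})
            req["operation"], req["parameter"] = op["name"], name
            out.append(req)
    return out


if __name__ == "__main__":
    for req in payload_requests(SAMPLE_WSDL, "' OR 1=1--"):
        print(req["operation"], req["parameter"], req["headers"]["SOAPAction"])
        print(req["body"])
```

Run as-is and it prints the four generated requests, one per parameter of the two operations. Filling the parameters not under test with schema-valid values matters in practice: a message the server rejects during deserialization never reaches the application code the payload is meant to exercise, and the scan would report nothing for that operation.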

There are three ways to scan a SOAP API web service:

  • Importing the WSDL schema from a file into Netsparker
  • Importing the WSDL schema from a URL into Netsparker
  • Automatic discovery of SOAP APIs during crawling

The From File option lets you import your definition file into Netsparker. You must re-import the file each time you update your web service. The From URL option lets you provide a link to the definition file, so you do not need to re-import it whenever you update your web service; the scanner must be able to reach that URL when the scan runs. For further information, see Importing links and API definitions.

Importing the WSDL schema from the file to Netsparker

How to import a WSDL schema from a file in Netsparker Enterprise
  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. From the Scan Settings section, select Links/API Definitions.
  4. From the From File section, select Web Service Definition Language (WSDL).
  5. In the file dialog that opens, select the schema file, then select Open.
  6. Once the scanner has imported the schema, its endpoints appear in the Imported Links list, as shown in the screenshot.
  7. Select Launch to start the scan.

How to import a WSDL schema from a file in Netsparker Standard
  1. Open Netsparker Standard.
  2. From the ribbon, select New.
  3. From the Start a New Website or Web Service Scan dialog, select Links/API Definitions, then double-click Web Service Definition Language.
  4. From the Import Links window, select the schema file, then select Open.
  5. Once the scanner has imported the schema, its endpoints appear in the Imported Links list, as shown in the screenshot.
  6. Select Start Scan.

Importing the WSDL schema from the URL to Netsparker

How to import a WSDL schema from a URL in Netsparker Enterprise
  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. From the Scan Settings section, select Links/API Definitions.
  4. From the From URL section, select Web Service Definition Language.
  5. In the Add an URL dialog, enter the URL of the WSDL file.
  6. Select OK to import the definition file from the URL into Netsparker.
  7. Select Launch to start the scan.

How to import a WSDL schema from a URL in Netsparker Standard
  1. Open Netsparker Standard.
  2. From the ribbon, select New.
  3. From the Start a New Website or Web Service Scan dialog, select Links/API Definitions, then double-click Web Service Definition Language.
  4. In the Web Service Definition Language (WSDL) dialog, enter the URL of the WSDL file.
  5. Select OK to import the definition file from the URL into Netsparker.
  6. Select Start Scan.

Automating the discovery of SOAP APIs during crawling

Netsparker automatically imports, crawls, and scans a SOAP API web service if the scanner identifies the web service during a scan. Once the scanner has identified the definition file, it starts sending attack payloads to the service's operations to detect vulnerabilities.

When the scanner identifies a SOAP API web service during a crawl, it also reports it under the SOAP APIs node of the Knowledge Base. In Netsparker Enterprise, this node appears in the Knowledge Base section of the Technical Report.

In Netsparker Standard, the discovered SOAP APIs are listed in the Scan Summary Dashboard.
