SOAP

SOAP data is usually sent using XML, so all test cases in the XML category apply here. Because the data is often sent over the network, the network request/response cases also apply. Here are some SOAP-specific cases. Refer to Chapters 4 and 11.

Sample Test Cases

Test Case:
  <unluckyNumbers
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:enc="http://www.w3.org/2001/12/soap-encoding"
    enc:arrayType="xs:int[500000]">
    <number>4</number>
    <number>42</number>
  </unluckyNumbers>

Description:
  SOAP array DoS. Some servers allocate memory for the array up front, based on the declared array size rather than on the elements actually present. An attacker who declares a very large size can therefore make the server consume large amounts of memory.

Test Case:
  Verify DTDs aren't used in a SOAP 1.1 message.

Description:
  DTDs can be used to build strings dynamically on the victim's machine and consume large amounts of memory. The SOAP 1.1 specification states that a SOAP message must not contain a DTD.

Test Case:
  http://server/test.asmx/method-name?param1=val1&param2=val2

Description:
  SOAP CSRF attack using GET.

Test Case:
  <FORM name="myForm"
    action="http://server/test.asmx/method-name"
    method="POST">
    <INPUT type="hidden" name="param1" value="val1">
    <INPUT type="hidden" name="param2" value="val2">
    <INPUT type="submit">
  </FORM>

Description:
  SOAP CSRF attack using POST.
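As an added example, not code from the book, here is a Python pre-check a SOAP endpoint could run before handing a message to its deserializer. It covers the first two test cases above: it rejects any message carrying a DOCTYPE, and it compares each enc:arrayType declaration against the number of child elements actually present so the declared size is never used for allocation. The 10,000-element limit, the single-dimension arrayType syntax and the sample messages are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Encoding namespace taken from the sample message above.
SOAP_ENC_NS = "http://www.w3.org/2001/12/soap-encoding"
MAX_DECLARED_ARRAY = 10_000  # hypothetical policy limit on a declared array size

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# Single-dimension arrayType such as "xs:int[500000]" or "xs:int[]"; assumption:
# multi-dimensional forms are out of scope and get reported as unparseable.
ARRAY_TYPE_RE = re.compile(r"^\s*[\w.:-]+\s*\[\s*(\d*)\s*\]\s*$")


def check_soap_message(xml_text: str) -> list:
    """Return policy findings for a SOAP message; an empty list means accept."""
    # 1. Lexical DTD check before any parsing: SOAP 1.1 forbids DTDs, and
    #    rejecting here keeps entity expansion away from the XML parser.
    if DOCTYPE_RE.search(xml_text):
        return ["DTD present: SOAP 1.1 messages must not contain a DOCTYPE"]
    findings = []
    root = ET.fromstring(xml_text)
    # 2. Check every enc:arrayType against the element's real child count, so a
    #    declared size is never trusted for pre-allocation.
    attr = "{%s}arrayType" % SOAP_ENC_NS
    for elem in root.iter():
        decl = elem.get(attr)
        if decl is None:
            continue
        m = ARRAY_TYPE_RE.match(decl)
        if m is None:
            findings.append("<%s>: unparseable arrayType %r" % (elem.tag, decl))
        elif m.group(1):  # unsized "[]" gives nothing to pre-allocate, skip it
            declared, actual = int(m.group(1)), len(list(elem))
            if declared > MAX_DECLARED_ARRAY:
                findings.append("<%s>: declared size %d exceeds limit %d"
                                % (elem.tag, declared, MAX_DECLARED_ARRAY))
            elif declared != actual:
                findings.append("<%s>: declared size %d but %d elements present"
                                % (elem.tag, declared, actual))
    return findings


# Constructed samples: the page's array DoS case plus mismatch, sane and DTD variants.
DOS_SAMPLE = """<unluckyNumbers xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:enc="http://www.w3.org/2001/12/soap-encoding" enc:arrayType="xs:int[500000]">
  <number>4</number><number>42</number></unluckyNumbers>"""
MISMATCH_SAMPLE = DOS_SAMPLE.replace("[500000]", "[5]")
OK_SAMPLE = DOS_SAMPLE.replace("[500000]", "[2]")
DTD_SAMPLE = '<!DOCTYPE Envelope [<!ENTITY a "a">]><Envelope>&a;</Envelope>'
```

Running check_soap_message over each sample returns an empty list only for OK_SAMPLE; the other three each produce one finding naming the problem.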



Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156
