Qualys WAS supports basic security testing of SOAP based web services that have a Web Service Description Language (WSDL) file within the scope of the scan. If WAS identifies a WSDL file that describes web services that are within the scope of the scan, WAS will attempt to perform XSS and SQL injection testing of the web services. WAS uses the WSDL file to identify the web service methods and parameters supported, and it does not test any web service if a WSDL file is not found in the scope of the scan.
Here are some tips and best practices:
- How can I tell if WAS finds the WSDL file during the scan? You’ll see the following QID detection even if we don't identify any vulnerabilities: 150087 - Web Service Found
- What if WAS doesn’t automatically find the WSDL file? We recommend you use a whitelist to make sure it is picked up by the scan, or add the WSDL path to the explicit URLs to crawl section of the configuration.
- Tell me about web services tests. These tests are conducted on a best attempt basis as many web services may not respond to requests from an automated scanner that is not providing expected data. Automated security testing provides “fuzzing” input and is not capable of knowing specific data requirements.
- Be sure to consider results from web services scanning based on the context of the web service. For example, WAS will report on XSS assuming any content returned from a web service will be consumed at some point by a browser, when in some situations this may not be the case (example: Mobile App).
- Overall WAS web service testing should be used in conjunction with other assessment methods to obtain a high level of security assurance for SOAP based web services. Qualys is currently evaluating support for REST based web services for the near future.
Please contact your TAM if you require support for REST based web services.