
Scanning a SOAP webservice for vulnerabilities

Question asked by Steve P on May 12, 2020
Latest reply on May 13, 2020 by Sheela Sarva

I tried running a Qualys web application scan on the WSDL below

http://www.myorg.com/services/Handling?WSDL

and received the error message

"Failed to parse the WSDL due to following error in the WSDL.
Schema Parser Exception : Error while parsing imported namespace http://xmlns.oracle.com/ouaf Fatal Error in SchemaParser"

I am not posting my actual company URL in a public forum, for privacy and security reasons, but am using myorg.com instead.


I know http://xmlns.oracle.com/ouaf goes to an error page at Oracle, but this WSDL was auto-generated by Oracle WebLogic for services it provides out of the box. An Oracle SOA (Service-Oriented Architecture) composite is an assembly of services, service components, and references designed and deployed together in a single application, and it generated this WSDL. We did not build this WSDL, so we cannot change it.

1. Has anyone faced such errors with an Oracle SOA generated WSDL in a Qualys scan and, if yes, how can this be addressed?

2. Is there a way to tell the Qualys web app scanner to ignore the imported namespace error and continue scanning?

3. I see docs for Qualys scanning of REST APIs, but is there anything for doing a vulnerability scan of SOAP APIs?

4. Any other suggestions for finding vulnerabilities in a SOAP API using Qualys would be helpful. We are using Business Process Execution Language for Web Services.
