What are web services?

  • Web service is application logic.
  • Web service is way of establishing communication between two applications or two software’s.
  • Web services are platform independent.
  • HTTP and XML is the basis for Web services.

Consider below example,
Here Sample.com is Business application and sample1.com is Bank application, hence sample.com needs the SERVICES from bank, so it is using the services provided by sample1.com. This is how communication is established between two applications. Therefore these SERVICES are WEB SERVICES.

Web Services Specifications

  • XML (Extensible Markup Language is used to tag data)
  • SOAP (Simple Object Access Protocol is used to transfer the data)
  • WSDL(Web Service Definition Languageis used for describing the services available)
  • UDDI (Universal Description, Discovery and Integration is used for listing what services are available)

How to hack web services?

Before hacking it, we will see whatis the problem of web service?
The problem is disclosure of WSDL file,Which discloses all the operations of that applications, we can see all the services running on that application, we can see address of web services.
In Below scenario, I am specifying as “?WSDL” in the URL of web Services Page Of Web goat Application.

WSDL file is also showing different Operations(services) like

  • getLastName
  • getCreditCard (shown in next screen shoot)
  • getLoginCount

After getting the different Operations, we will see how to tamper the Request.
Step1: Select Account Number as 101, and select FirstName, Click on Submit.

Step2: Here we got FirstName.

Step3: When you press the submit, Tamper Request using “TAMPERDATA” As shown below, Change “getFirstName” to “getCreditCard”, & click on OK.

Step 4: Now we got Credit Card number.
In Fig2, we got to know that, they are using GetCreditCard operation, so I have modified the request with GetCreditCard. Hence we got the CREDITCARD number.

Thank you all… I will be back with other blogs…!!!!

Leave a Reply

Your email address will not be published. Required fields are marked *