Session

Hacking Web Services: Attacks & Defense

Shreeraj Shah, Founder and Director, Net Square Solutions Pvt. Ltd.

Track: Security
Date: Wednesday, July 26
Time: 10:45am - 11:30am
Location: F150

Web services attacks are increasing, a phenomenon attributed to the fast-paced evolution of web applications consuming backend web services over SOAP. UDDI, SOAP, and WSDL are the three important blocks of these new attack vectors. Several attacks are evolving around web services, like UDDI enumeration, XPATH injection, XML poisoning, WSDL scanning, SOAP bruteforcing, etc. Counter-strategies, in the form of a new range of defense approaches for web services with SOAP filtering, are evolving simultaneously. In such a scenario, knowledge of methodologies, attack vectors, and defense strategies is increasingly critical before deploying web services into the corporate environment. This presentation discusses advanced web services hacking methods and defense approaches.

To perform a web services assessment, one needs to build tools using Perl, Python, or .NET that can be leveraged to detect web services vulnerabilities. Tools like mod_security or .NET stack hooks can be used to defend web services using SOAP content filtering techniques. This presentation covers attacks in depth with live demonstrations and several open source tools.