SOAPtest provides the ability to test and validate the content of web services message requests and service descriptions, according to the company.

By design, web services messages using the SOAP standard travel over the Internet's HTTP protocol, which makes them invisible to conventional firewalls.

Asked at a recent financial services industry web services conference whether actual malware attacks using web services have occurred, the security vendors present said essentially the same thing: nothing that's been documented publicly.

Until recently, there have been few tools designed to isolate malware concealed in the XML payloads of web services messages. Today, most solutions are aimed at run time, with the goal of turning away hacker intrusions as they occur.

Tools include HTTP or XML firewalls from providers such as DataPower, Fortinet, Forum Systems, Reactivity, and Sarvega. Additionally, there are repository- or registry-based tools that manage policy from AmberPoint, Systinet, and SOA Software.

SOAPtest 4.0 checks for conditions including XML bombs, which contain text instructions that could choke recipient gateways with endless instructions such as divide by zero or recursive loops.
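As an added illustration (not Parasoft's code, and not a description of how SOAPtest works internally), this is the kind of pre-parse check a receiving gateway can apply to an incoming SOAP message: refuse any DOCTYPE, since inline entity definitions are what an XML bomb expands, and cap element nesting. The function name, the depth limit of 32 and the sample messages are assumptions constructed for this example.

```python
import xml.parsers.expat


class ForbiddenXml(Exception):
    """Raised from a parser callback to abort parsing immediately."""


def check_soap_message(raw: bytes, max_depth: int = 32):
    """Return (accepted, reason) for one raw SOAP message."""
    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires when the DOCTYPE starts, before any entity is expanded.
        raise ForbiddenXml("DOCTYPE declaration present")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise ForbiddenXml(f"nesting deeper than {max_depth}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(raw, True)
    except ForbiddenXml as exc:
        return (False, str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return (False, f"malformed XML: {exc}")
    return (True, "ok")


# Constructed sample messages (not taken from any real service).
BODY = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><getQuote><symbol>TEST</symbol></getQuote></soap:Body>'
        b'</soap:Envelope>')
CLEAN = b'<?xml version="1.0"?>' + BODY
WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">]>' + BODY
DEEP = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("dtd", WITH_DTD), ("deep", DEEP)):
        print(label, check_soap_message(msg))
```

SOAP 1.1 itself forbids a DTD in a message, so rejecting every DOCTYPE costs a conforming service nothing.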

Additionally, the 4.0 tool checks for SQL injection, where databases are tricked into coughing up passwords and similar sensitive data, and XPath injection, where workflows can be disrupted or spoofed to skip steps such as validating the sender.

Beyond the malware features, SOAPtest adds support for UDDI 3.0, the latest version of the registry, enabling test results to be documented as part of the metadata about a particular service or the service requests associated with it.