Now let's take a real time example of security testing a web service to be tested: the authentication service.
Web service functionality: The authentication service takes as input, username and password and validates whether the credentials are correct or not.
The test to be configured for this service:
SQL injection
XPath injection
Boundary values scan
Why should we use these? Why the preceding scans only?
Well as we can see, the service is an authentication service and takes as input, username and password. When an attacker attacks this service, it will test techniques to gain unauthorized access to the systems, therefore we use the following attack types to test the service:
SQL injection
XPath injection
Boundary value scans.
Request of the service:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v1="http://xyz/xsd/resource/common/commondefinitions/msf/messagecontext/v1" xmlns:v11="http://xyz/xsd/interface...