I was recently given the task of ensuring that a Silverlight+RIA application that could contain private information was secure for deployment to a public web site. So I started searching for automated pen-testing tools that could work against Microsoft’s binary SOAP protocol (application/soap+msbin1) and found only disappointment. msbin1 is simply WCF’s binary encoding of the same SOAP XML, so it is not a security control in itself, but most off-the-shelf tools cannot read, fuzz or tamper with it. For various reasons, it’s significantly more complex to pen-test an application using msbin1 than traditional
To properly test the services, I had to make a compromise: temporarily modify the application to expose a plain-XML SOAP endpoint. While this means testing a configuration that differs slightly from the one that ships, and so weakens the results somewhat, it does provide a reasonable way of testing the web services to ensure that they behave as intended. The domain service code and its authorization checks are the same behind either endpoint; only the serialization differs.
The recently released SoapUI Pro 4 adds security testing tools that make this a viable (and attractive) option. To get it working, a few small changes need to be made to the solution:
First, you’ll need to add a reference to Microsoft.ServiceModel.DomainServices.Hosting.EndPoints, which is part of the RIA Services Toolkit; this allows you to expose additional endpoints for the service, such as
Next, you’ll want to add the following configSections entry to your
Finally, to expose the SOAP endpoint:
Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
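The complete web.config fragment that the three steps above produce, written out here as an added example rather than copied from the original post. It follows the standard WCF RIA Services Toolkit configuration; only the PublicKeyToken survives in the snippet above, so the section and endpoint-factory type names, the assembly names and Version=4.0.0.0 are assumptions that should be checked against the toolkit DLLs you actually reference.

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Step 2: register the domainServices section so that the endpoints
       element below is understood by the configuration system. -->
  <configSections>
    <sectionGroup name="system.serviceModel">
      <section name="domainServices"
               type="System.ServiceModel.DomainServices.Hosting.DomainServicesSection, System.ServiceModel.DomainServices.Hosting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
               allowDefinition="MachineToApplication"
               requirePermission="false" />
    </sectionGroup>
  </configSections>

  <system.serviceModel>
    <!-- Step 3: add a plain-XML SOAP endpoint alongside the default msbin1 one.
         Assumed type and assembly names from the RIA Services Toolkit.
         This is a test-only change: take it out again before the public deployment. -->
    <domainServices>
      <endpoints>
        <add name="soap"
             type="Microsoft.ServiceModel.DomainServices.Hosting.SoapXmlEndpointFactory, Microsoft.ServiceModel.DomainServices.Hosting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </endpoints>
    </domainServices>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
</configuration>
```

With this in place each domain service gets a second endpoint at its .svc address with /soap appended, and the WSDL that SoapUI needs is served from that address with ?wsdl. Because RIA Services enforces [RequiresAuthentication] and [RequiresRole] inside the domain service rather than at the transport, requests through the SOAP endpoint hit the same server-side checks as the Silverlight client’s msbin1 traffic; what they bypass is only the client-side validation, which is exactly what you want a test to do. A web.config transform is a convenient way to keep the endpoint element out of the production configuration.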
Then follow the SoapUI instructions to set up your tests, and you can feel (just a little) more confident in your application. Passing with flying colors obviously doesn’t mean the application is bulletproof, but it does help confirm that the web service code is solid. Remember that the SOAP endpoint was a temporary change: remove it again before deployment, since it is a second, more easily scripted attack surface for the same services.
While this does provide some insight into your application and should help find common issues, it’s not a replacement for a professional assessment by a qualified auditor. If you are handling credit cards or other highly targeted information, consult a security specialist before a public deployment.
Update: Another option is a Burp plug-in offered by Gotham Digital Science, which can be found here. It’s a more complex workflow, but it allows testing without exposing a SOAP endpoint, which is great if you don’t have source code access.