Scanning SOAP API Web Services

Acunetix 360 identifies vulnerabilities and security issues automatically in a SOAP web service.

Simple Object Access Protocol (SOAP) is an XML-based protocol for accessing web services over HTTP. This protocol lets different web services communicate with each other or talk to client applications that invoke them.

SOAP's messaging protocol consists of three parts:

  • an envelope that defines the message structure and how to process it
  • a set of encoding rules for expressing instances of application-defined data types
  • a convention for representing procedure calls and responses

As these web services perform their functions in the background, their security is often overlooked. They can, however, offer attackers a fruitful attack surface. Acunetix 360 can identify the definition files and send attack payloads to identify vulnerabilities in your web application.

Acunetix 360 supports the following web service standards:

This topic explains how to scan your web application to identify SOAP-related vulnerabilities.

Scanning a SOAP API Web Service for Vulnerabilities

The WSDL files do not necessarily need to be served on the target server for Acunetix 360 to be able to scan a web service. If you have disabled WSDL generation on your production servers because of security concerns, you can import the WSDL file to Acunetix 360 before starting the scan. Acunetix 360 will parse the imported WSDL document and add the necessary SOAP requests to the scanner.
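To make concrete what the scanner derives from an imported WSDL (the endpoint, the bound operations and their SOAPAction values, and the SOAP envelope it must build per operation), here is an added illustration that is not Acunetix 360 code. The WSDL is a constructed sample for a hypothetical accounts service; the host example.invalid is a reserved name and does not resolve.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_BIND_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample WSDL for a hypothetical service (not a real target).
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:tns="http://example.invalid/accounts" targetNamespace="http://example.invalid/accounts">
  <portType name="AccountsPort"><operation name="GetBalance"/><operation name="Transfer"/></portType>
  <binding name="AccountsBinding" type="tns:AccountsPort">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance"><soap:operation soapAction="urn:GetBalance"/></operation>
    <operation name="Transfer"><soap:operation soapAction="urn:Transfer"/></operation>
  </binding>
  <service name="Accounts"><port name="AccountsPort" binding="tns:AccountsBinding">
    <soap:address location="https://example.invalid/ws/accounts"/></port></service>
</definitions>"""


def parse_wsdl(wsdl_text):
    """Return the target namespace, the SOAP endpoint and the bound operations
    (name -> SOAPAction): the request surface a scanner builds from a WSDL."""
    root = ET.fromstring(wsdl_text)
    endpoint = None
    for addr in root.iter(f"{{{SOAP_BIND_NS}}}address"):
        endpoint = addr.get("location")          # last soap:address wins in this sample
    ops = {}
    for binding in root.iter(f"{{{WSDL_NS}}}binding"):
        for op in binding.findall(f"{{{WSDL_NS}}}operation"):
            soap_op = op.find(f"{{{SOAP_BIND_NS}}}operation")
            ops[op.get("name")] = soap_op.get("soapAction", "") if soap_op is not None else ""
    return {"namespace": root.get("targetNamespace", ""), "endpoint": endpoint, "operations": ops}


def build_envelope(namespace, operation, params):
    """Build a SOAP 1.1 request envelope for one operation. Parameter values are
    XML-escaped so that a value containing markup cannot alter the envelope structure."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in params.items())
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV_NS}" xmlns:ns="{namespace}">'
            f"<soapenv:Body><ns:{operation}>{body}</ns:{operation}></soapenv:Body>"
            "</soapenv:Envelope>")


if __name__ == "__main__":
    info = parse_wsdl(SAMPLE_WSDL)
    for name, action in info["operations"].items():
        print(info["endpoint"], action, build_envelope(info["namespace"], name, {}))
```

Each operation listed this way corresponds to one request the scanner adds when the WSDL is imported, so the enumeration doubles as a check that the definition file you are about to import covers the operations you expect.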

There are three ways to scan a SOAP API web service:

  • Importing the WSDL schema from the file to Acunetix 360
  • Importing the WSDL schema from the URL to Acunetix 360
  • Automating the discovery of SOAP APIs during crawling

Information

  • The From File option lets you import your document to Acunetix 360. This requires you to import the file over and over again whenever you update your web service.
  • The From URL option lets you provide a link for the definition file, so you do not need to import it again to Acunetix 360 whenever you update your web service. For further information, see Importing links and API definitions.

Importing the WSDL schema from the file to Acunetix 360

How to import a WSDL schema from a file in Acunetix 360
  1. Log in to Acunetix 360.
  2. From the main menu, select Scans > New Scan.
  3. From the Scan Settings section, select Links/API Definitions.
  4. From the From File section, select Web Service Definition Language (WSDL).
  5. From the opened window, select the schema file. Then, select Open.
  6. Once the scanner has imported the schema, its entries appear in the list of Imported Links, as shown in the screenshot.
  7. Select Launch to start the scan.

Importing the WSDL schema from the URL to Acunetix 360

How to import a WSDL schema from a URL in Acunetix 360
  1. Log in to Acunetix 360.
  2. From the main menu, select Scans > New Scan.
  3. From the Scan Settings section, select Links/API Definitions.
  4. From the From URL section, select Web Service Definition Language.
  5. From the Add an URL dialog, enter the URL.
  6. Select OK to import the definition file from the URL to Acunetix 360.
  7. Select Launch to start the scan.

Automating the discovery of SOAP APIs during crawling

Acunetix 360 automatically imports, crawls, and scans a SOAP API web service if the scanner identifies the web service during a scan. Once the scanner identifies the definition file, it starts sending attack payloads to detect vulnerabilities.

When the scanner identifies a SOAP API web service during a crawl, it also reports it in the Knowledge Base node. This is what the SOAP APIs node looks like in the Knowledge Base section of the Technical Report in Acunetix 360.