Application Security Platform
Scan by API type

Scan SOAP APIs for vulnerabilities

This document is for:
Invicti Platform

Invicti Platform can scan SOAP APIs. This document explains how you can import a WSDL (web services definition file) or link to a hosted location where your SOAP API definitions are held, and then scan for vulnerabilities in your SOAP APIs. For information about SOAP, refer to the section at the end of this document.

Scanning APIs in production

Scanning production APIs should be conducted with care. Some scanning methods may result in data deletion. We recommend you:

  • Carefully consider the permissions (authentication) you provide and which methods (PUT, POST, DELETE) are used.
  • Manually exclude API operations (methods with endpoints) from the uploaded/linked file to prevent destroying or making undesirable changes to the production application.

How to scan a SOAP API for vulnerabilities

To scan a SOAP API for vulnerabilities with Invicti Platform, you must provide the scanner with access to the API definitions. There are two ways to do this:

  • This method involves uploading a WSDL to a target.
  • This method adds a link from a target to the URL where the API definitions are located.

Once you start a scan of that target, Invicti Platform will parse the imported WSDL or access the linked URL and add the necessary SOAP requests to the scanner. The following sections outline each method and provide instructions for starting a scan of your SOAP APIs.

Option A: Import from a file

Importing a WSDL to a target means that whenever your SOAP API is updated, you will need to replace the imported WSDL file to ensure you are scanning the latest version of your SOAP API.

How to import a WSDL to a target

  1. Ensure your WSDL file is accessible for upload on the machine where you are accessing the Invicti Platform.
  • The following file formats are supported: .wsdl.
  1. Select Inventory > Targets from the left-side menu.

  1. Click the three dots (⋮) for the chosen target to which you will import the WSDL  and select Edit target.  The Configure target page will open.

  1. Click Scan Configuration to navigate to the API specification section and click the Upload specification button.

Upload API specification in Invicti Platform.

  1. Select Web Service Definition Language from the drop-down, choose your file, then click Upload file. The file will be uploaded automatically and will be listed in the API specification section of the Scan Configuration.

If you want to scan only the imported WSDL and not all the other paths belonging to the target, enable the checkbox next to Restrict scans to import files and click Save before starting the scan.

  1. The WSDL file is now imported to the target. If your API contains an authentication mechanism, ensure you add the necessary authentication credentials to the target settings before starting a scan.
  2. To initiate a scan at a later time, click Save Target Configuration. To begin scanning the target now—including the imported WSDL—click Save and Scan. Selecting Save and run scan with defaults will run a full scan automatically.

The Scan Details page loads and your scan begins according to the schedule you specified.

  • When the scan is complete, check the Vulnerabilities tab on the Scan details page for information about detected vulnerabilities in your SOAP API, which will be marked with an API tag next to the severity label.
  • Filter the list by Target type > API only to limit the displayed results to vulnerabilities identified in your SOAP API.
  • For more information about viewing scan results and vulnerabilities, refer to the following documents:

Option B: Link to a URL

Linking a URL to a target means you are adding the URL of the hosted location where your SOAP API definitions are held. This allows Invicti Platform to always scan the latest version of your SOAP API without the need to provide a new WSDL each time your API is updated.

Linked URLs are accessed by the engine. This means the engine or internal agent (if using one for the target) needs to have access to any linked URLs.  

How to link a URL to a target

  1. Select Inventory > Targets from the left-side menu.

  1. Click the three dots (⋮) for the chosen target to which you will import the WSDL  and select Edit target.  The Configure target page will open.

  1. Click Scan Configuration to navigate to the API specification section and click the Link from URL button.

  1. Select Web Service Definition Language from the drop-down and enter the URL where your SOAP API definitions are hosted, then select Link API specification. It has now been linked to the target.

If you want to scan only the linked API specifications and not all the other paths belonging to the target, select Yes next to Restrict scans to imported files and save before starting the scan.

  1. The URL is now linked to the target. If your API contains an authentication mechanism, ensure you add the necessary authentication credentials to the target settings before starting a scan.

  1. To initiate a scan at a later time, click Save Target Configuration. To begin scanning the target now—including the linked API specifications —click Save and Scan. Selecting Save and run scan with defaults will run a full scan automatically.

The Scan Details page loads and your scan begins according to the schedule you specified.

 

  • When the scan is complete, check the Vulnerabilities tab on the Scan details page for information about detected vulnerabilities in your SOAP API, which will be marked with an API tag next to the severity label.
  • Filter the list by Target type > API only to limit the displayed results to vulnerabilities identified in your SOAP API.
  • For more information about viewing scan results and vulnerabilities, refer to the following documents:

About SOAP

Simple Object Access Protocol (SOAP) is an XML-based protocol for accessing web services over HTTP. This protocol lets different web services communicate with each other or talk to client applications that invoke them.

SOAP's messaging protocol consists of three parts:

  • an envelope that defines the message structure and how to process it
  • a set of encoding rules for expressing instances of application-defined data types
  • a convention for representing procedure calls and responses

As these web services perform their functions in the background, their security is often overlooked. They can, however, prove a fruitful attacking ground for cybercriminals. Invicti Platform can recognize the definition files and send attack payloads to identify vulnerabilities in your web application.

Share This Article