Scan SOAP APIs for vulnerabilities
Invicti Platform can scan SOAP APIs. This document explains how you can import a WSDL (web services definition file) or link to a hosted location where your SOAP API definitions are held, and then scan for vulnerabilities in your SOAP APIs. For information about SOAP, refer to the section at the end of this document.
Scanning APIs in production Scanning production APIs should be conducted with care. Some scanning methods may result in data deletion. We recommend you:
|
How to scan a SOAP API for vulnerabilities
To scan a SOAP API for vulnerabilities with Invicti Platform, you must provide the scanner with access to the API definitions. There are two ways to do this:
- Option A: Import from a file
- This method involves uploading a WSDL to a target.
- Option B: Link to a URL
- This method adds a link from a target to the URL where the API definitions are located.
Once you start a scan of that target, Invicti Platform will parse the imported WSDL or access the linked URL and add the necessary SOAP requests to the scanner. The following sections outline each method and provide instructions for starting a scan of your SOAP APIs.
Option A: Import from a file
Importing a WSDL to a target means that whenever your SOAP API is updated, you will need to replace the imported WSDL file to ensure you are scanning the latest version of your SOAP API.
How to import a WSDL to a target
- Ensure your WSDL file is accessible for upload on the machine where you are accessing the Invicti Platform.
- The following file formats are supported: .wsdl.
- Select Inventory > Targets from the left-side menu.
- Click the three dots (⋮) for the chosen target to which you will import the WSDL and select Edit target. The Configure target page will open.
- Click Scan Configuration to navigate to the API specification section and click the Upload specification button.
- Select Web Service Definition Language from the drop-down, choose your file, then click Upload file. The file will be uploaded automatically and will be listed in the API specification section of the Scan Configuration.
If you want to scan only the imported WSDL and not all the other paths belonging to the target, enable the checkbox next to Restrict scans to import files and click Save before starting the scan. |
- The WSDL file is now imported to the target. If your API contains an authentication mechanism, ensure you add the necessary authentication credentials to the target settings before starting a scan.
- To initiate a scan at a later time, click Save Target Configuration. To begin scanning the target now—including the imported WSDL—click Save and Scan. Selecting Save and run scan with defaults will run a full scan automatically.
The Scan Details page loads and your scan begins according to the schedule you specified.
|
Option B: Link to a URL
Linking a URL to a target means you are adding the URL of the hosted location where your SOAP API definitions are held. This allows Invicti Platform to always scan the latest version of your SOAP API without the need to provide a new WSDL each time your API is updated.
Linked URLs are accessed by the engine. This means the engine or internal agent (if using one for the target) needs to have access to any linked URLs. |
How to link a URL to a target
- Select Inventory > Targets from the left-side menu.
- Click the three dots (⋮) for the chosen target to which you will import the WSDL and select Edit target. The Configure target page will open.
- Click Scan Configuration to navigate to the API specification section and click the Link from URL button.
- Select Web Service Definition Language from the drop-down and enter the URL where your SOAP API definitions are hosted, then select Link API specification. It has now been linked to the target.
If you want to scan only the linked API specifications and not all the other paths belonging to the target, select Yes next to Restrict scans to imported files and save before starting the scan. |
- The URL is now linked to the target. If your API contains an authentication mechanism, ensure you add the necessary authentication credentials to the target settings before starting a scan.
- To initiate a scan at a later time, click Save Target Configuration. To begin scanning the target now—including the linked API specifications —click Save and Scan. Selecting Save and run scan with defaults will run a full scan automatically.
The Scan Details page loads and your scan begins according to the schedule you specified.
|
About SOAP
Simple Object Access Protocol (SOAP) is an XML-based protocol for accessing web services over HTTP. This protocol lets different web services communicate with each other or talk to client applications that invoke them.
SOAP's messaging protocol consists of three parts:
- an envelope that defines the message structure and how to process it
- a set of encoding rules for expressing instances of application-defined data types
- a convention for representing procedure calls and responses
As these web services perform their functions in the background, their security is often overlooked. They can, however, prove a fruitful attacking ground for cybercriminals. Invicti Platform can recognize the definition files and send attack payloads to identify vulnerabilities in your web application.