SIFT Web Method Search Tool

Use Netsparker


SIFT has just published a world-first tool for identifying rogue web methods. The Web Method Search tool is a Windows based application that uses a hybrid dictionary attack in an attempt to find unpublished administrative and other web services functions.

As web services are becoming more prevalent, poor security practices from previous generations of application architectures are being transferred to the web service space. One of these practices is the use of ‘security through obscurity’ to hide certain web methods from users – that is, web methods exist that can be called, but that are not published in the WSDL or otherwise disclosed.

The SIFT Web Method Search tool is a dictionary attack tool that can be used to brute force the web method names for a given web service under certain circumstances. That is, SOAP requests can be submitted to a web service using probable combinations of words to allow the identification of hidden web methods not published in the corresponding WSDL document. This is possible because responses to requests for non-existent web methods and web methods that exist differ markedly under most platforms.

The tool is available for download from http://www.sift.com.au/73/171/sift-web-method-search-tool.htm

Should anyone have any questions, bug reports or other suggestions please feel free to contact us via research@sift.com.au

Posted in: Hacking Tools, Web Hacking

, , , ,


Latest Posts:


Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.


Comments are closed.