Testing Applications for use of Web Services - web-services

1) Is it possible, using Burp Suite, ZAP or any other web testing tool, to find out
if an application is making calls to web services?
2) As SOAP web services reply in XML, is it also possible to view the responses of
the HTML request to distinguish this from the use of REST web services?
Thanks

Yes, this is normally possible.
You need to configure the application to use the interactive proxy (Burp, ZAP, etc.) as its proxy. Most applications will use your system proxy settings.
Once the proxy is configured, you can see a full history of HTTP interactions (in Burp: Proxy > HTTP History). This includes requests and responses, which will clearly indicate a SOAP or REST service.
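As an added example (not code from the answer above, nor from Burp or ZAP), the script below shows what "clearly indicate a SOAP or REST service" means in practice: it takes raw request/response pairs of the kind the proxy history shows and labels each one using the SOAPAction header, the SOAP 1.2 content type, the Envelope element's namespace, and JSON content types. The sample traffic at the bottom is constructed by hand; the host name and paths are invented.

```python
"""Classify HTTP exchanges from an intercepting proxy as SOAP or REST.

Added example for this Q&A, not code from the original answer or from Burp
or ZAP. The request/response pairs at the bottom are constructed by hand to
resemble entries in Burp's Proxy > HTTP history; host names and paths are
invented.
"""
import re
import xml.etree.ElementTree as ET

# Envelope namespaces for SOAP 1.1 and SOAP 1.2
SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
}


def parse_http_message(raw: str):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def envelope_namespace(body: str):
    """Return the namespace of a root <Envelope> element, or None.

    xml.etree does not fetch external entities, but it does expand internal
    ones, so a real tool should parse captured XML with defusedxml instead.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    m = re.match(r"\{(.*)\}Envelope$", root.tag)
    return m.group(1) if m else None


def classify(request: str, response: str) -> str:
    """Label one proxied exchange as 'SOAP', 'REST' or 'other' (heuristic)."""
    req_line, req_h, req_body = parse_http_message(request)
    _, resp_h, resp_body = parse_http_message(response)
    method = req_line.split(" ", 1)[0].upper()
    req_ctype = req_h.get("content-type", "").lower()
    resp_ctype = resp_h.get("content-type", "").lower()

    # SOAP 1.1 sends a SOAPAction header; SOAP 1.2 uses application/soap+xml.
    if "soapaction" in req_h or "application/soap+xml" in req_ctype:
        return "SOAP"
    # Some stacks send neither; an Envelope element in either direction settles it.
    if any(envelope_namespace(b) in SOAP_ENVELOPE_NS for b in (req_body, resp_body)):
        return "SOAP"
    # REST: JSON in either direction, or a resource-style verb on a non-HTML response.
    if "json" in req_ctype or "json" in resp_ctype:
        return "REST"
    if method in {"GET", "PUT", "DELETE", "PATCH"} and "text/html" not in resp_ctype:
        return "REST"
    return "other"


# Constructed sample traffic (not captured from a real application)
SOAP_REQ = (
    "POST /ws/OrderService HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "urn:example:orders:GetOrder"\r\n'
    "\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><GetOrder xmlns="urn:example:orders"><id>42</id></GetOrder>'
    "</soap:Body></soap:Envelope>"
)
SOAP_RESP = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset=utf-8\r\n\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><GetOrderResponse xmlns="urn:example:orders">'
    "<status>shipped</status></GetOrderResponse></soap:Body></soap:Envelope>"
)
REST_REQ = (
    "GET /api/orders/42 HTTP/1.1\r\nHost: app.example.test\r\n"
    "Accept: application/json\r\n\r\n"
)
REST_RESP = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    '{"id": 42, "status": "shipped"}'
)
HTML_REQ = "GET /index.html HTTP/1.1\r\nHost: app.example.test\r\n\r\n"
HTML_RESP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>"

if __name__ == "__main__":
    samples = {"soap": (SOAP_REQ, SOAP_RESP), "rest": (REST_REQ, REST_RESP), "html": (HTML_REQ, HTML_RESP)}
    for name, (rq, rs) in samples.items():
        print(name, "->", classify(rq, rs))
```

The header checks come first because they are the cheapest and most reliable signal; the Envelope check catches services that omit SOAPAction. The REST rules are a heuristic, which is why a plain HTML page comes out as "other" rather than being mislabelled.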

Related

Web Service, Web API, API: What are all these?

I found so many answers but haven't got one that suits my (basic) knowledge.
These are troubling for me, kindly guide me.
I know what an API is (from the local concept, like GetCursorPos() WinAPI of user32.dll).
Q: What is a Web API?
Ans: A web API is an API which is exposed via the web.
Q: What is a web service?
Ans: It is a software function provided at a network address over the web.
My doubts:
Is a Web API used to achieve a service through the web? To access a web service?
What differs between a web service and a Web API?
The following confuses me again:
A web service describes a standardized way of integrating web-based applications using the XML, SOAP, WSDL and UDDI open standards over an Internet protocol backbone.
A web API is a development in web services where emphasis has been moving to simpler representational state transfer (REST) based communications.
Then what is this Web API for?
Also seen that WebServices = API + HTTP (does API refer to Web API?)
What are web service APIs?
Web Services:
To achieve platform interoperability, web services are used, and they are SOA-based. They follow standards like WSDL, SOAP, UDDI and so on. The WSDL is passed through the SOAP protocol and accessed by clients, by having stubs generated out of the WSDL.
Web API:
Nowadays a new paradigm for achieving platform-independent services is RESTful web services or Web APIs. They rely on the HTTP protocol, and these services are accessed by HTTP clients like a browser or HTTP client code. Web API is another name to describe both these client and server APIs.
Hope it makes it clear.

Fiddler: intercept HTTP requests TO my WebLogic server?

I have an app running on WebLogic which exposes some web services for an external client to call. I do not control the WebLogic app, but would like to see what requests it is getting. Is there any good way to do this with Fiddler?
I would recommend using Wireshark (previously known as Ethereal).

Security of SOAP-based web service in Java, NetBeans, Tomcat

I have created an Android application that calls (using the kSOAP library) a SOAP-based web service (developed in Java, NetBeans) over the intranet.
Now I want to make the application live, so this will require my web service to be exposed on the internet.
I have the following questions...
How do I make sure that no one knows about the web service link except my Android application?
No one is able to call the web service except my Android application.
The data transferred between the Android application and the web service is secure and encrypted.
What kind of authentication mechanism should be used?
I'm new to web services security, so forgive me if my questions are dumb :)
This is impossible. Anyone having your app might use a traffic analyzer like Wireshark and see all the requests it makes.
Sign each request your app makes (add some SOAP header) and check the signature on the server side.
Use HTTPS.
How to do authentication using SOAP?
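The following is an added example of the "sign each request in a SOAP header and check it on the server" advice; it is not code from the question, the answer, kSOAP or any SOAP stack. It uses an HMAC-SHA256 over a timestamp, a nonce and the canonicalised Body, carried in a custom header element. The header name (auth:Signature), its namespace, the skew window and the shared key are invented for the example; a real deployment would more likely use WS-Security, which standardises the same idea. Needs Python 3.8+ for ET.canonicalize.

```python
"""Per-request HMAC signature in a SOAP header, with replay protection.

Added example, not code from the question, the answer, kSOAP or any SOAP
stack. The header name (auth:Signature), its namespace and the shared key
are invented for the example. Requires Python 3.8+ for ET.canonicalize.
"""
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:example:auth"          # hypothetical header namespace
MAX_SKEW = 300                        # seconds a client clock may be off
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("auth", AUTH_NS)

SEEN_NONCES = {}                      # nonce -> time accepted (server-side state)


def _signing_input(body: ET.Element, ts: str, nonce: str) -> bytes:
    """Timestamp, nonce and the canonicalised Body: whitespace or prefix
    changes in transit do not break the MAC, but content changes do."""
    c14n = ET.canonicalize(ET.tostring(body, encoding="unicode"), rewrite_prefixes=True)
    return f"{ts}\n{nonce}\n".encode() + c14n.encode()


def sign_request(body_xml: bytes, key: bytes, now=None) -> bytes:
    """Client side: wrap body_xml in an Envelope carrying an auth:Signature header."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sig = ET.SubElement(header, f"{{{AUTH_NS}}}Signature")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    mac = hmac.new(key, _signing_input(body, ts, nonce), hashlib.sha256).hexdigest()
    sig.set("ts", ts)
    sig.set("nonce", nonce)
    sig.set("mac", mac)
    return ET.tostring(env)


def verify_request(envelope: bytes, key: bytes, now=None) -> bool:
    """Server side: reject missing or bad signatures, stale timestamps and replays."""
    now = int(time.time() if now is None else now)
    try:
        env = ET.fromstring(envelope)   # defusedxml in production: input is untrusted
    except ET.ParseError:
        return False
    sig = env.find(f"{{{SOAP_NS}}}Header/{{{AUTH_NS}}}Signature")
    body = env.find(f"{{{SOAP_NS}}}Body")
    if sig is None or body is None:
        return False
    ts, nonce, mac = sig.get("ts", ""), sig.get("nonce", ""), sig.get("mac", "")
    if not (ts.isdigit() and nonce and mac):
        return False
    if abs(now - int(ts)) > MAX_SKEW:
        return False                              # stale, or from the future
    # A nonce must outlive every timestamp it could still pass with (2 * MAX_SKEW).
    for old in [n for n, t in SEEN_NONCES.items() if now - t > 2 * MAX_SKEW]:
        del SEEN_NONCES[old]
    if nonce in SEEN_NONCES:
        return False                              # replay of an accepted request
    expected = hmac.new(key, _signing_input(body, ts, nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):    # constant-time comparison
        return False
    SEEN_NONCES[nonce] = now                      # record only after the MAC checks out
    return True


if __name__ == "__main__":
    key = b"shared-secret-for-demo"               # example key, not a real one
    msg = sign_request(b'<GetOrder xmlns="urn:example:orders"><id>42</id></GetOrder>', key)
    print(msg.decode())
    print("first delivery accepted:", verify_request(msg, key))
    print("replay accepted:", verify_request(msg, key))
```

Two caveats a practitioner would want next to this. The key lives inside the APK, so anyone who unpacks the app can recover it and produce valid signatures; the MAC proves the request came from something holding the key, not from your unmodified app, which is why the answer's "impossible" for restricting callers to your app stands. And a MAC authenticates but does not encrypt, so the HTTPS point is independent of the signature, not replaced by it.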

Forwarding web services through JMS

I'm trying to figure out how to forward web service requests from the web server to a remote application server through JMS.
In my architecture there are web service clients which communicate with a web server (Tomcat), which needs to forward the request to be executed on a remote application server and, at the end, get the result and push it back to the web service client.
Something like:
Web Service Client <-> HTTP <-> Tomcat <-> JMS <-> Application Server.
I want to use JAX-WS so my methods will be called automatically in the application server.
Although I expected this to be a common approach, I didn't find any examples.
I would appreciate it if someone could provide some links or tips on how such a configuration can be built.
Currently I'm using Metro, but any other solution is valid as well.
Another aspect which I'm interested in is whether I can use Fast Infoset over JMS to increase performance.
Thanks in advance,
Avner
You can try WSO2 MB as a JMS provider. Check the following links; they should be useful:
[1] http://wso2.org/library/message-broker
[2] http://pzf.fremantle.org/2011/04/introduction-to-wso2-message-broker_05.html
One option to solve it is using Apache Camel.
Then you can configure such a thing with an XML configuration file.

What's the difference between WSDL, DISCO and EVENT?

All of them are web services, but what's the difference?
WSDL (Web Service Description Language) is a standard notation for describing a web service in XML.
DISCO is a tool for querying SOAP and similar services and extracting useful information from the WSDL provided.
EVENTS is a proposed standard which uses WSDL and extends WSDL to support publish/subscribe type event-driven processes.
WSDL:
WSDL is a markup language that describes the web service. In order to use the web service, client application developers need to know the methods exposed by the web service and the parameters to be passed to these methods. It is imperative that access to these methods is available at development time, and it is just this need that WSDL addresses.
DISCO:
The Web Services Discovery Tool (DISCO) is used to discover the URLs of XML web services located on a web server and saves documents related to each XML web service on a local disk. DISCO takes the URL as an argument, discovers the services and publishes discovery documents (.wsdl, .xsd, .disco and .discomap files). Some of the options available for use with this tool are:
/d[omain]:domain - Specifies the domain name to use when connecting to a proxy server that requires authentication
/nosave - Does not save the discovered document or results
/nologo - Suppresses the Microsoft startup banner display
/o[ut]:directoryName - Specifies the output directory in which to save the discovered documents. Current directory is the default one.
/p[assword]:password - Specifies the password to use when connecting to a proxy server
/proxy:url - Specifies the URL of the proxy server to use for HTTP requests.
DISCO is a tool, not a web service itself.
EVENT:
If you mean WS-Eventing, see here.
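As an added example (not part of any of the answers above), here is what "knowing the methods exposed and the parameters to pass" looks like when you read a WSDL 1.1 document yourself, which is the first thing a tester does once a WSDL turns up: it lists every service, port and endpoint address, and the operations with their SOAPAction values behind each binding. The WSDL is constructed for this example; the service, host names and the internal admin endpoint are invented to show the kind of detail a WSDL leaks.

```python
"""Enumerate what a WSDL 1.1 document exposes: services, ports, endpoint
addresses and the operations (with SOAPAction values) behind each binding.

Added example, not from the original answers. The WSDL below is constructed
for the example; service, host names and the internal admin endpoint are
invented.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP11_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP12_NS = "http://schemas.xmlsoap.org/wsdl/soap12/"


def _local(qname):
    """'tns:OrderBinding' -> 'OrderBinding' (WSDL references are QNames)."""
    return qname.split(":", 1)[-1] if qname else None


def summarize_wsdl(wsdl_xml: str) -> dict:
    """Return {service: {port: {'address', 'binding', 'operations': {name: soapAction}}}}."""
    root = ET.fromstring(wsdl_xml)   # use defusedxml for WSDLs fetched from untrusted hosts
    bindings = {}
    for b in root.findall(f"{{{WSDL_NS}}}binding"):
        ops = {}
        for op in b.findall(f"{{{WSDL_NS}}}operation"):
            action = None
            for ns in (SOAP11_NS, SOAP12_NS):        # binding may be SOAP 1.1 or 1.2
                sop = op.find(f"{{{ns}}}operation")
                if sop is not None:
                    action = sop.get("soapAction")
            ops[op.get("name")] = action
        bindings[b.get("name")] = ops
    services = {}
    for svc in root.findall(f"{{{WSDL_NS}}}service"):
        ports = {}
        for port in svc.findall(f"{{{WSDL_NS}}}port"):
            address = None
            for ns in (SOAP11_NS, SOAP12_NS):
                a = port.find(f"{{{ns}}}address")
                if a is not None:
                    address = a.get("location")
            binding = _local(port.get("binding"))
            ports[port.get("name")] = {
                "address": address,
                "binding": binding,
                "operations": bindings.get(binding, {}),
            }
        services[svc.get("name")] = ports
    return services


def endpoints(summary: dict):
    """Flat list of (service, port, address) for a quick review of exposed URLs."""
    return [(s, p, d["address"]) for s, ports in summary.items() for p, d in ports.items()]


# Constructed sample WSDL (not from a real service)
SAMPLE_WSDL = """<?xml version="1.0" encoding="UTF-8"?>
<definitions name="OrderService" targetNamespace="urn:example:orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:example:orders">
  <message name="GetOrderRequest"><part name="id" type="xsd:int"/></message>
  <message name="GetOrderResponse"><part name="status" type="xsd:string"/></message>
  <portType name="OrderPortType">
    <operation name="GetOrder">
      <input message="tns:GetOrderRequest"/><output message="tns:GetOrderResponse"/>
    </operation>
    <operation name="CancelOrder">
      <input message="tns:GetOrderRequest"/><output message="tns:GetOrderResponse"/>
    </operation>
  </portType>
  <portType name="AdminPortType">
    <operation name="ReindexOrders"><input message="tns:GetOrderRequest"/></operation>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="urn:example:orders:GetOrder"/></operation>
    <operation name="CancelOrder"><soap:operation soapAction="urn:example:orders:CancelOrder"/></operation>
  </binding>
  <binding name="AdminBinding" type="tns:AdminPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="ReindexOrders"><soap:operation soapAction="urn:example:orders:ReindexOrders"/></operation>
  </binding>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="http://app.example.test/ws/OrderService"/>
    </port>
    <port name="AdminPort" binding="tns:AdminBinding">
      <soap:address location="http://10.0.0.5:7001/ws/OrderAdmin"/>
    </port>
  </service>
</definitions>
"""

if __name__ == "__main__":
    summary = summarize_wsdl(SAMPLE_WSDL)
    for service, port, address in endpoints(summary):
        print(f"{service}/{port}: {address}")
        for name, action in summary[service][port]["operations"].items():
            print(f"    {name}  SOAPAction={action}")
```

The second port is the point of the exercise: a WSDL is a complete map of the service, and it is common for it to list internal hostnames or administrative ports alongside the public endpoint, so review every address and every operation it declares, not only the one the client uses.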
UDDI: UDDI is a central directory. It has web services listed from multiple domains and servers.
DISCO: DISCO contains web services listed from one domain and server, from which a particular web service can be selected.
WSDL: It describes the rules or grammar for the functions that are exposed in the web service.