

Rogan Dawes

Hi Gunnar

Unfortunately, WebScarab is not really suited for fuzzing WebServices stuff at the moment. It assumes that anything that has a body is formatted using form-urlencoding.

You could possibly script it, but that would be a huge amount of work (basically duplicating the Fuzzer), and is probably not recommended.


Hi Rogan,

We don't use it for SOAP web services; we use it for REST-style web services which rely on HTTP GET.

Mamoon Yunus

Hi Gunnar:

Great job in putting this training together - it's imperative for SOA professionals to get serious about security early within the development lifecycle.

I would recommend that you look at SOAPSonar from Crosscheck Networks (http://www.crosschecknet.com). SOAPSonar covers comprehensive security testing with standards support such as WS-Trust, SAML, WS-Security, WS-Addressing, etc. It has comprehensive Functional, Performance, Interop and Vulnerability Testing through what they call "XSD Mutation."

You can use a 15-day trial version for free.

Good luck with this class - I will recommend it to my customers/prospects and post it on my blog http://soa-testing.blogspot.com.



How about talking about the use of SAML/XACML as built into the BEA container? What about some mention of why WS-Federation is better than SAML?


Hi James,

We look at SAML/XACML in Bandit. I would like to add WS-Fed soon as well...
