awakenings asked:
WSDL Accessible from the Internet?

I am more than a little skeptical here.  I am being told that WSDL should be completely available from the Internet.  In this case there is programming language giving away vital integrations with our system.  I'm not an expert here, but this seems a little risky - especially since we have SSO accessible from the Internet.  SOAP is also used in the background.  I need a penetration tester here to provide additional information about the risks here.
SOLUTION (it_saige)

This solution is only available to members of Experts Exchange.
awakenings (ASKER)
it_saige,

Thanks. I saw an article that said WSDL is used by penetration testers. This does help to gain unauthorized access when everything is available to the whole Internet, correct? I am seeing more detailed connection specifics than HTTP, HTTPS, for interfacing with the application. Can this be done without presenting the information to the whole Internet? This seems a little crazy to me. I read the Wikipedia article before asking the question. I am trying to look at best practices.

For all,

I saw this page:

https://www.owasp.org/index.php/Testing_WSDL_(OWASP-WS-002)

To me it looks like giving the WSDL out is not handing over the keys to the kingdom, but more like giving a map to the thief for once they get inside the house. This does not look like a good thing.
ASKER CERTIFIED SOLUTION (only available to members)

awakenings (ASKER)

I do not agree with the answer and I find it one sided and not taking into account the security side. I did not get to my best practice. I have to close this to ask another question so I am giving points.

it_saige
I thank you for the points but the reason why the answer *appears* one sided is because WSDL does not handle security.  WSDL's only purpose in life is to describe what you can access, how you can access it and what to expect when you access it.

Unless you explicitly define access, access is not granted.  The only *inherited* access is that which is provided by a parent object that is marked as accessible, it is then assumed (by WSDL) that the child objects are accessible.

The reason why penetration testers use WSDL is because people who define what is accessible can provide too much information or information that really needs to require authentication in order to access it.

-saige-
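As an added illustration of the point made above (the WSDL describes what is reachable, how and where, but says nothing about who may call it), the script below inventories what a published WSDL 1.1 document discloses and turns it into review items for the service owner. It is example code written for this page, not code from the thread, from OWASP or from any product; the `OrderService` WSDL, its `.invalid` hostnames, its operation names and the `SENSITIVE_HINTS` word list are all constructed for the example, and the assumption is that the description is WSDL 1.1 with the SOAP binding extension, which is what most SOAP services expose.

```python
import xml.etree.ElementTree as ET

# Namespaces for WSDL 1.1 and its SOAP binding extension (assumption: the
# published description is WSDL 1.1, which is what most SOAP services expose).
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
NS = {"wsdl": WSDL_NS, "soap": SOAP_NS}

# Constructed sample WSDL for a hypothetical "OrderService"; it is not taken
# from the thread and the hostnames are deliberately unresolvable (.invalid).
SAMPLE_WSDL = """<definitions name="OrderService"
    targetNamespace="http://orders.example.invalid/"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://orders.example.invalid/">
  <portType name="OrderPortType">
    <operation name="GetOrderStatus"/>
    <operation name="ListAllCustomers"/>
    <operation name="ResetAdminPassword"/>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPortType">
    <soap:binding style="document"
        transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrderStatus">
      <soap:operation soapAction="urn:GetOrderStatus"/>
    </operation>
    <operation name="ListAllCustomers">
      <soap:operation soapAction="urn:ListAllCustomers"/>
    </operation>
    <operation name="ResetAdminPassword">
      <soap:operation soapAction="urn:ResetAdminPassword"/>
    </operation>
  </binding>
  <service name="OrderService">
    <port name="LegacyPort" binding="tns:OrderBinding">
      <soap:address location="http://api.orders.example.invalid/soap"/>
    </port>
    <port name="SecurePort" binding="tns:OrderBinding">
      <soap:address location="https://api.orders.example.invalid/soap"/>
    </port>
  </service>
</definitions>
"""

# Name fragments that usually mean an operation touches privileged or bulk
# data; hypothetical list, tune it to the service being reviewed.
SENSITIVE_HINTS = ("admin", "password", "reset", "listall", "export", "delete")


def inventory_wsdl(wsdl_text):
    """Return what a WSDL 1.1 document publicly discloses: the operation
    names of every portType and the concrete endpoint URL of every port."""
    # If the WSDL was fetched from a source you do not control, parse it with
    # defusedxml rather than the stdlib parser.
    root = ET.fromstring(wsdl_text)
    operations = [op.get("name")
                  for op in root.findall("wsdl:portType/wsdl:operation", NS)]
    endpoints = []
    for port in root.findall("wsdl:service/wsdl:port", NS):
        addr = port.find("soap:address", NS)
        endpoints.append({
            "port": port.get("name"),
            "location": addr.get("location") if addr is not None else None,
        })
    return {"operations": operations, "endpoints": endpoints}


def review_findings(inventory):
    """Turn the inventory into review items for the service owner: endpoints
    not served over TLS, and operations whose names suggest they must sit
    behind authentication (the WSDL itself cannot tell you whether they do)."""
    findings = []
    for ep in inventory["endpoints"]:
        loc = ep["location"] or ""
        if not loc.lower().startswith("https://"):
            findings.append(f"port {ep['port']}: endpoint {loc!r} is not HTTPS")
    for op in inventory["operations"]:
        if any(hint in op.lower() for hint in SENSITIVE_HINTS):
            findings.append(f"operation {op}: confirm it requires authentication")
    return findings


if __name__ == "__main__":
    inv = inventory_wsdl(SAMPLE_WSDL)
    print("operations:", inv["operations"])
    for ep in inv["endpoints"]:
        print("endpoint:", ep["port"], ep["location"])
    for finding in review_findings(inv):
        print("REVIEW:", finding)
```

Run against the sample, the inventory lists three operations and two endpoints, and the review flags the plain-HTTP `LegacyPort` plus the two operations whose names hint at bulk or privileged access. That is exactly the information a WSDL hands to anyone who can fetch it, so the useful questions for the owner are whether each listed endpoint enforces TLS and authentication, and whether every listed operation actually needs to be described in the public document at all.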