Web services security test
-> Try to ensure that no error message reveals information about the service (stack traces, framework or database versions, internal paths, SQL fragments) that could be used in an attack. Make 'forbidden' calls (malformed, unauthenticated or out-of-sequence requests) to provoke error messages and inspect what comes back.
-> If only approved systems are supposed to use the service, test that no one else can access it (e.g. call it from an unapproved address or without the expected credentials or certificate).
-> Ensure that input is validated so that only the data the service actually needs is accepted and processed. If a phone number is expected, there is no reason to accept characters other than digits (and perhaps a leading "+" sign).
-> Ensure that all data fed into the service is checked so that no non-approved characters get through. Follow what is documented in the security policy.
- As an example you might want to reject characters such as % & " \ , ( ) [ ] and =.
- There may also be reasons to reject SQL keywords such as where, update and insert.
- Similarly, there may be operating system commands that need to be filtered.
-> Try to ensure that there is a limit on how much data can be entered. For example, can a check be applied to every parameter so that no more than 250 characters are accepted?
-> Ask a security expert to review the deployment to make sure that no unnecessary ports are open, that the latest security patches are installed, etc.
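The validation items above (allowlist per field, a forbidden-character and keyword filter, a 250-character cap, and a client-facing error that reveals nothing about why a value failed) are shown together in the following added example. It is illustrative code written for this checklist, not part of the original page or of any particular service. The 7..15 digit bounds for a phone number and the OS commands added to the keyword list (cat, rm, wget, curl) are assumptions; the field names phone, name and comment are made up for the example.

```python
import re
from typing import Dict, List

# Maximum length the checklist suggests applying to every parameter
MAX_FIELD_LENGTH = 250

# Allowlist for a phone number: optional leading "+", then digits only.
# The 7..15 digit bounds are an assumption (E.164 allows at most 15 digits).
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")

# Characters the checklist gives as examples to reject in free-text fields
FORBIDDEN_CHARS = frozenset('%&"\\,()[]=')

# Keyword denylist: the SQL words named in the checklist plus a few OS
# commands chosen here as an illustration. Whole-word, case-insensitive.
DENYLIST_RE = re.compile(
    r"\b(where|update|insert|select|delete|cat|rm|wget|curl)\b", re.IGNORECASE
)


def validate_phone(value: str) -> List[str]:
    """Return a list of problems; an empty list means the value is accepted."""
    errors: List[str] = []
    if len(value) > MAX_FIELD_LENGTH:
        errors.append("too long")
    if not PHONE_RE.fullmatch(value):
        errors.append("not a phone number (digits with optional leading +)")
    return errors


def validate_text(value: str) -> List[str]:
    """Generic free-text field: length cap, forbidden characters, keyword denylist."""
    errors: List[str] = []
    if len(value) > MAX_FIELD_LENGTH:
        errors.append("too long")
    bad = sorted(set(value) & FORBIDDEN_CHARS)
    if bad:
        errors.append("forbidden characters: " + "".join(bad))
    hit = DENYLIST_RE.search(value)
    if hit:
        errors.append("forbidden keyword: " + hit.group(1).lower())
    return errors


# Per-field validators (field names are hypothetical). A parameter not listed
# here is rejected outright so that unexpected input never reaches the service.
VALIDATORS = {"phone": validate_phone, "name": validate_text, "comment": validate_text}


def validate_request(params: Dict[str, str]) -> Dict[str, List[str]]:
    """Validate every parameter; returns {field: [errors]} for failing fields only."""
    problems: Dict[str, List[str]] = {}
    for field, value in params.items():
        validator = VALIDATORS.get(field)
        if validator is None:
            problems[field] = ["unexpected parameter"]
            continue
        errs = validator(value)
        if errs:
            problems[field] = errs
    return problems


def client_error_message(problems: Dict[str, List[str]]) -> str:
    """What the caller sees: which fields failed, never why.
    The detailed reasons belong in the server-side log, not in the response."""
    if not problems:
        return ""
    return "invalid value for: " + ", ".join(sorted(problems))


if __name__ == "__main__":
    # Constructed sample requests, one clean and one hostile
    for req in (
        {"phone": "+4612345678", "name": "Anna"},
        {"phone": "1; cat /etc/passwd", "comment": "x' OR 1=1 --", "debug": "1"},
    ):
        p = validate_request(req)
        print(req, "->", p or "accepted")
        print("  client sees:", client_error_message(p) or "OK")
```

Two caveats a tester should keep in mind: the keyword denylist is only a secondary layer. It rejects harmless text such as "update my profile" and is easy to evade with encoding or spacing tricks, so the per-field allowlist (and, on the database side, parameterized queries) is the control that actually matters. Also note that the hostile request fails on the "debug" parameter as much as on the phone number: rejecting parameters the service does not expect is part of "only the necessary data" from the checklist.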

