Does anyone know how to perform penetration testing/vulnerability assessment for Microsoft WCF services? I couldn't find any tools so far; any available tools and guides are welcome.

P3nT3ster
    Related: [Is WCF or Java Metro security configuration in-scope for your security department; should it be?](http://security.stackexchange.com/q/738/396) – makerofthings7 May 10 '12 at 17:51

1 Answer

Beyond basic SOAP fuzzers there aren't too many advanced tools useful for pen testing of a WCF service. Since WCF/SOAP is really just a front for the underlying API you've written, you really need a tool to assess the vulnerabilities in your API, which is usually something of a custom nature.

There are tools out there like FxCop which have a very simple baseline for security analysis, but you can't rely on it entirely.

There's a great intro presentation on the OWASP site by Brian Holyfield about pen testing WCF services here: https://www.owasp.org/images/6/6c/Attacking_WCF_Web_Services-Brian_Holyfield.pdf. He lists a couple tools, but they aren't WCF/SOAP specific.

Steve
  • I found this to be useful also: http://www.gremwell.com/blog/pentesting_silverlight_and_wcf_ria What do you think? – P3nT3ster May 13 '12 at 11:53
  • The tools it lists are pretty good. They are normally used for regular testing. – Steve May 14 '12 at 15:20