Scanning SOAP APIs for vulnerabilities 

Acunetix can scan SOAP APIs. This document explains how to import a WSDL (Web Services Description Language) file, or link to the hosted location where your SOAP API definitions are held, and then scan your SOAP APIs for vulnerabilities. For background on SOAP, see the section at the end of this document.

IMPORTANT: Scanning APIs in production

Scanning production APIs should be conducted with care. Some scanning methods may result in data deletion. We recommend you:

  • Carefully consider the permissions (authentication) you provide and which methods (PUT, POST, DELETE) are used.
  • Manually exclude API operations (methods with endpoints) from the uploaded/linked file to prevent destroying or making undesirable changes to the production application.
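One way to act on the second recommendation before uploading a WSDL is to inventory its operations and strip the state-changing ones out of the file, so the scanner never learns how to invoke them against production. The script below is an added example and is not Acunetix code; the WSDL, the `urn:example:orders` namespace and the list of verb prefixes are constructed for illustration, and you should adapt the prefixes to your own service's naming conventions.

```python
"""Inventory a WSDL's operations and write a trimmed copy that drops the
state-changing ones, so the file uploaded to the scanner cannot drive
destructive methods against a production service.

Added example, not Acunetix code. The WSDL and the verb prefixes are
constructed for illustration."""

from xml.dom import minidom

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed sample WSDL: one portType and its SOAP binding.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="Orders" targetNamespace="urn:example:orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:example:orders">
  <portType name="OrdersPortType">
    <operation name="GetOrder"><input message="tns:GetOrderIn"/><output message="tns:GetOrderOut"/></operation>
    <operation name="ListOrders"><input message="tns:ListIn"/><output message="tns:ListOut"/></operation>
    <operation name="DeleteOrder"><input message="tns:DeleteIn"/><output message="tns:DeleteOut"/></operation>
    <operation name="UpdateOrder"><input message="tns:UpdateIn"/><output message="tns:UpdateOut"/></operation>
  </portType>
  <binding name="OrdersBinding" type="tns:OrdersPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="urn:example:orders/GetOrder"/></operation>
    <operation name="ListOrders"><soap:operation soapAction="urn:example:orders/ListOrders"/></operation>
    <operation name="DeleteOrder"><soap:operation soapAction="urn:example:orders/DeleteOrder"/></operation>
    <operation name="UpdateOrder"><soap:operation soapAction="urn:example:orders/UpdateOrder"/></operation>
  </binding>
</definitions>
"""

# Assumed verb prefixes that mark an operation as state-changing.
DESTRUCTIVE_PREFIXES = ("Delete", "Remove", "Update", "Set", "Create", "Purge", "Reset")


def inventory(wsdl_text):
    """Map every operation declared in a binding to its SOAPAction value."""
    doc = minidom.parseString(wsdl_text)
    ops = {}
    for binding in doc.getElementsByTagNameNS(WSDL_NS, "binding"):
        for op in binding.getElementsByTagNameNS(WSDL_NS, "operation"):
            soap_ops = op.getElementsByTagNameNS(SOAP_NS, "operation")
            action = soap_ops[0].getAttribute("soapAction") if soap_ops else ""
            ops[op.getAttribute("name")] = action
    return ops


def is_destructive(name):
    """Flag operations whose name starts with one of the assumed verb prefixes."""
    return name.startswith(DESTRUCTIVE_PREFIXES)


def trim_wsdl(wsdl_text, predicate=is_destructive):
    """Return (trimmed_wsdl, removed_names).

    Matching operations are removed from both the portType and the binding,
    so the scanner has no definition left to build a request from. minidom
    keeps the xmlns declarations, so the trimmed copy stays a valid WSDL."""
    doc = minidom.parseString(wsdl_text)
    removed = []
    for parent_tag in ("portType", "binding"):
        for parent in doc.getElementsByTagNameNS(WSDL_NS, parent_tag):
            for op in list(parent.getElementsByTagNameNS(WSDL_NS, "operation")):
                name = op.getAttribute("name")
                if op.parentNode is parent and predicate(name):
                    parent.removeChild(op)
                    if name not in removed:
                        removed.append(name)
    return doc.toxml(), removed


if __name__ == "__main__":
    for name, action in inventory(SAMPLE_WSDL).items():
        print(f"{'EXCLUDE' if is_destructive(name) else 'keep   '} {name:12} {action}")
    trimmed, removed = trim_wsdl(SAMPLE_WSDL)
    print("removed:", removed)
    # Upload this trimmed file to the target instead of the original.
    with open("orders-readonly.wsdl", "w", encoding="utf-8") as fh:
        fh.write(trimmed)
```

Review the inventory output before trusting the prefix list: a service that names its destructive call `ProcessRefund` will not be caught by a verb filter, so the printed table is the real checkpoint, and the trimmed file is what you upload in the steps below.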

How to scan a SOAP API for vulnerabilities

To scan a SOAP API for vulnerabilities with Acunetix, you must give the scanner access to the API definitions. There are two ways to do this:

  • Importing from a file: upload a WSDL to a target.
  • Linking to a URL: add a link from a target to the URL where the API definitions are hosted.

Once you start a scan of that target, Acunetix will parse the imported WSDL or access the linked URL and add the necessary SOAP requests to the scanner. The following sections outline each method and provide instructions for starting a scan of your SOAP APIs.

Option 1: Importing from a file

Importing a WSDL to a target means that whenever your SOAP API is updated, you will need to replace the imported WSDL file to ensure you are scanning the latest version of your SOAP API.

How to import a WSDL to a target

  1. Ensure your WSDL file is accessible for upload on the machine from which you are accessing Acunetix.
  • The following file formats are supported: .wsdl.
  2. Log in to Acunetix and select Targets from the left-side menu.
  3. Select the target address to which you will import the WSDL. The Target Settings page will open.
  4. Scroll down to the Import Files / API Definitions section and click the upload icon in the Choose File field.
  5. Locate and select your WSDL file, then click Open.
  • The file uploads automatically and is listed in the Import Files / API Definitions section of the Target Settings. The WSDL is now imported to the target.

TIP: If you want to scan only the imported WSDL and not all the other paths belonging to the target, enable the checkbox next to Restrict scans to import files and click Save before starting the scan.

  6. If your API uses an authentication mechanism, add the necessary authentication credentials to the target settings before starting a scan. For instructions, refer to Scanning authenticated APIs.
  7. Click Scan to prepare a scan of the target, including the imported WSDL.
  8. Select Full Scan as the Scan Profile. Complete the remaining scanning options according to your preference, then click Create Scan.

The Scan Details page loads and your scan begins according to the schedule you specified.


TIP:

  • When the scan is complete, check the Vulnerabilities tab on the Scan Details page for information about detected vulnerabilities in your SOAP API, which will be marked with an API tag next to the severity label.
  • Filter the list by Target type > API only to limit the displayed results to vulnerabilities identified in your SOAP API.
  • For more information about viewing scan results and vulnerabilities, refer to the following documentation:

Option 2: Linking to a URL

Linking a URL to a target means you are adding the URL of the hosted location where your SOAP API definitions are held. This allows Acunetix to always scan the latest version of your SOAP API without the need to provide a new WSDL each time your API is updated.

IMPORTANT: Linked URLs are accessed by the engine. This means the engine or internal agent (if using one for the target) needs to have access to any linked URLs.  

How to link a URL to a target

  1. Log in to Acunetix and select Targets from the left-side menu.
  2. Select the target address to which you will link the URL of your API definitions. The Target Settings page will open.
  3. Scroll down to the Import Files / API Definitions section and click Link From URL.
  4. Enter the URL where your SOAP API definitions are hosted, then select Link API definition.
  • The URL is immediately listed in the Import Files / API Definitions section of the Target Settings. It is now linked to the target.

TIP: If you want to scan only the linked API definition and not all the other paths belonging to the target, enable the checkbox next to Restrict scans to import files and click Save before starting the scan.

  5. If your API uses an authentication mechanism, add the necessary authentication credentials to the target settings before starting a scan. For instructions, refer to Scanning authenticated APIs.
  6. Click Scan to prepare a scan of the target, including the linked API definition.
  7. Select Full Scan as the Scan Profile. Complete the remaining scanning options according to your preference, then click Create Scan.

The Scan Details page loads and your scan begins according to the schedule you specified.


TIP:

  • When the scan is complete, check the Vulnerabilities tab on the Scan Details page for information about detected vulnerabilities in your SOAP API, which will be marked with an API tag next to the severity label.
  • Filter the list by Target type > API only to limit the displayed results to vulnerabilities identified in your SOAP API.
  • For more information about viewing scan results and vulnerabilities, refer to the following documentation:

About SOAP

Simple Object Access Protocol (SOAP) is an XML-based protocol for accessing web services over HTTP. This protocol lets different web services communicate with each other or talk to client applications that invoke them.

SOAP's messaging protocol consists of three parts:

  • an envelope that defines the message structure and how to process it
  • a set of encoding rules for expressing instances of application-defined data types
  • a convention for representing procedure calls and responses
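The three parts above are easier to recognise in a concrete message. The script below is an added example, not Acunetix code: it builds a SOAP 1.1 envelope whose Body carries one procedure call, then parses a reply, handling the `soap:Fault` case that a scanner or a client sees when a call is rejected. The `GetOrder` operation, the `urn:example:orders` namespace and the sample fault reply are constructed for illustration.

```python
"""Build a SOAP 1.1 request envelope and parse the reply, including the
soap:Fault case. Added example, not Acunetix code; the operation, its
namespace and the sample reply are constructed for illustration."""

import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soapenv", SOAP_ENV)


def _q(ns, local):
    """Clark notation {ns}local, the form ElementTree uses for qualified names."""
    return f"{{{ns}}}{local}"


def _local(tag):
    """Strip the {ns} part of a Clark-notation tag."""
    return tag.rsplit("}", 1)[-1]


def build_envelope(operation, body_ns, params):
    """Serialize an envelope: Header (empty here) plus a Body holding one call."""
    env = ET.Element(_q(SOAP_ENV, "Envelope"))
    ET.SubElement(env, _q(SOAP_ENV, "Header"))
    body = ET.SubElement(env, _q(SOAP_ENV, "Body"))
    call = ET.SubElement(body, _q(body_ns, operation))
    for name, value in params.items():          # one child element per parameter
        ET.SubElement(call, _q(body_ns, name)).text = str(value)
    return ET.tostring(env, encoding="unicode")


def parse_envelope(xml_text):
    """Describe the Body as a dict: either a Fault or the first call/response element."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(SOAP_ENV, "Envelope"):
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(_q(SOAP_ENV, "Body"))
    if body is None:
        raise ValueError("envelope has no Body")
    fault = body.find(_q(SOAP_ENV, "Fault"))
    if fault is not None:
        # SOAP 1.1 fault children are unqualified. faultstring is where verbose
        # server-side error detail tends to surface, so keep it for review.
        return {"fault": True,
                "faultcode": fault.findtext("faultcode", ""),
                "faultstring": fault.findtext("faultstring", "")}
    payload = next(iter(body), None)
    if payload is None:
        raise ValueError("Body is empty")
    return {"fault": False,
            "operation": _local(payload.tag),
            "values": {_local(c.tag): (c.text or "") for c in payload}}


# Constructed sample reply carrying a Fault.
SAMPLE_FAULT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>Order 42 does not exist</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(build_envelope("GetOrder", "urn:example:orders", {"OrderId": 42}))
    print(parse_envelope(SAMPLE_FAULT))
```

The round trip matters for the scanner's output as well: every request the scanner sends from an imported WSDL has this shape, and a fault reply whose `faultstring` carries a stack trace or SQL text is the kind of evidence that ends up in the Vulnerabilities tab.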

As these web services perform their functions in the background, their security is often overlooked. They can, however, prove a fruitful attacking ground for cybercriminals. Acunetix can recognize the definition files and send attack payloads to identify vulnerabilities in your web application.

