THE WHY

Web services are responsible for online machine-to-machine communication. Computers use them to communicate with each other over the internet and internally within organizations. Web service (aka Service Oriented Architecture) applications are up-and-coming systems that enable businesses to interoperate, and they are growing at an unprecedented rate. Web service “clients” are generally not user-facing web front-ends but other backend servers. It is important to note that web services are exposed to the internet and/or the internal network like any other service, but they can run over HTTP, FTP, SMTP and MQ, among other transport protocols. The methodology behind a penetration test of a web service is similar to that of a web application penetration test. However, unlike web applications, a web service is more prone to being overlooked by an organization’s internal security processes.

While automated testing technology can find many flaws and vulnerabilities in web services, it takes a web service penetration test to find certain business logic flaws, problems with authorization/authentication functionality and insufficient input validation that can lead to security breaches when left unfixed. Best practices for web service security suggest conducting a web service penetration test at least once per year for each application. This is increasingly important as more and more vulnerabilities are discovered every single day, which is why Nordic Resilience recommends regularly performing a penetration test of any web service, especially if it is externally accessible.

THE HOW

Similar to the security challenges associated with a web application, the challenge for any security team is finding the resources for thorough annual web service penetration testing. At Nordic Resilience we offer the ability to thoroughly and cost-efficiently audit the security of an organization’s web services by combining manual processes with automated scans, reducing the cost and time required for penetration testing. Our penetration tests of web services are divided into two phases.

Phase 1 is a fully automated scan of the web services using multiple tools. This phase sends millions of malformed and/or malicious requests in order to provoke the web service into acting in unintended ways that could indicate a vulnerability.

Phase 2 involves a manual review of the web services’ rich functionality. After the penetration tester has gathered sufficient information regarding the web service (e.g. SOAP vs REST vs JSON), a thorough manual test of the web service is carried out, using creative attacks.

The methodology will follow that of OWASP’s Web Service Penetration Testing but will include additional tests from our professional experience:

Configuration and Deployment Management Testing
Specific architecture attacks (dependent on technology used)
Identity Management Testing
Authentication Testing
Authorization Testing
Session Management Testing
Input Validation Testing
Error Handling
Cryptography
Business Logic Testing

THE DELIVERABLE AND DURATION

The deliverable collects all observed vulnerabilities into a single commercial-grade report containing a non-technical section for the C-suite members of the organization, as well as a technical section that provides in-depth details regarding the vulnerabilities that were observed. Lastly, all vulnerabilities are manually scored with a risk assessment (CVSS or Low/Medium/High/Critical) in order to help the organization prioritize the remediation of each one.

A penetration test of a web service usually takes 4 days but this varies from application to application due to differences in complexity.