AppSec Europe 2016 has ended
Back To Schedule
Tuesday, June 28 • 09:00 - 17:00
Day 1/2 - Web Service and Single Sign-On Security

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Web Services and Single Sign-On belong to a group of most important Internet technologies. However, in recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of the XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data. In this training, we will give an overview of the most important Web Service and Single Sign-On specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will be first tested manually (e.g., with soapUI), in order to get a feeling for the attacks. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed, and it will be shown how to deploy them on widely used systems and firewalls, including IBM Datapower or Axway.

 Training attendees

The training is dedicated to two groups:

– First, developers who implement XML, Web Services and Single Sign-On in their applications. They learn the dangers that are combined with the usage of these standards and how to circumvent the resulting attacks. In addition, they learn how to automatically test their newly developed applications for the discussed vulnerabilities.

– Second, security researchers and penetration testers, who want to get familiar with  XML, Web Services and Single Sign-On. In this course, you will get a good overview of the most relevant technologies in this complex area, which will give you the opportunity to execute your first XML-specific evaluations.

There are no specific prerequisites for this course. However, basic knowledge of tools like SoapUI or Burpsuite, or some familiarity with Web Services or SSO technologies would be of advantage.


The course will contain the following topics. In each topic, the attendants will get the opportunity to execute practical evaluations using SoapUI, WS-Attacker, Burpsuite, or a different application:

  • • XML and SOAP-based Web Services
  • • XML Schema and WS-Policy
  • • WS-Addressing und WS-Addressing Spoofing
  • • XML parsing
  • • DTD and XML External Entity (XXE) attacks
  • • XSLT and XInclude attacks
  • • XML-specific Denial-of-Service attacks
  • • XML Security and WS-Security
  • • XML Signature
  • • XML Encryption and applied crypto attacks
  • • WS-Attacker
  • • SAML-based Single-Sign On
  • • OAuth
  • • REST-based Web Services
  • • Converting SOAP to REST: security dangers

– A laptop with a recent version of “Virtual Box“ (the virtual machine will be provided). 
VMWare and other virtualization software should also work but cannot be supported.

– Proposed max number of participants: 15

– Duration: 2 days

avatar for Christian Mainka

Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he focuses on XML and Web Services technologies and develops his penetration testing tool WS-Attacker and has published several papers in the field of XML security... Read More →
avatar for Juraj Somorovsky

Juraj Somorovsky

Security Consultant, Ruhr-University Bochum
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications... Read More →

Tuesday June 28, 2016 09:00 - 17:00 CEST
Bramante 12

Attendees (2)