I've done tests on a number of web services and, like most rank-and-file testers, there are always several issues identified.
Of course step 0 in testing a web service (within a 2 week window) is either discovering the WSDL or having it handed to you.
While OFX is an open standard, the implementation remains somewhat shrouded in secrecy. I'm not exactly sure why at this point, but I'm finding out more than I ever wanted about this specification.
Oh yeah...another interesting part of the journey has been finding out that common OFX clients, like Microsoft Money and Quicken, generally fail safe when a certificate chain cannot be validated...which is good I guess. So it makes it harder to use Burp or WebScarab to reverse engineer the WSDL due to cert chain validation issues these tools introduce.
I have started looking at HTTP flows from Wireshark and using them as input for Burp. I'm also writing some tools to automate some of this. I'm not looking forward to going through all this again when another OFX test comes up.
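As an added illustration of the capture-to-tool step described above (this is example code written for this page, not the author's own tooling), the block below takes a raw HTTP request as it would be copied out of a Wireshark "Follow TCP stream" pane, splits it into the HTTP envelope, the OFX 1.x header block and the SGML body, scrubs the sign-on credentials so the saved test input does not carry a live password, and re-serializes it with a correct Content-Length for replay through a local testing proxy. The host, path, institution and credentials in the sample are constructed; the OFX 1.x header keys (OFXHEADER, DATA, VERSION, SECURITY, ...) and the SONRQ sign-on tags are from the public OFX 1.x specification. OFX 2.x (XML) bodies are passed through unparsed but still redacted.

```python
import re
from dataclasses import dataclass

# Constructed sample: a raw HTTP POST as copied from a packet capture.
# Host, path and credentials are made up; the Content-Length is
# deliberately stale, as it often is after hand-editing a capture.
SAMPLE_CAPTURE = (
    "POST /ofx/process.ofx HTTP/1.1\r\n"
    "Host: ofx.example.invalid\r\n"
    "Content-Type: application/x-ofx\r\n"
    "Content-Length: 0\r\n"
    "User-Agent: constructed-client/1.0\r\n"
    "\r\n"
    "OFXHEADER:100\r\n"
    "DATA:OFXSGML\r\n"
    "VERSION:102\r\n"
    "SECURITY:NONE\r\n"
    "ENCODING:USASCII\r\n"
    "CHARSET:1252\r\n"
    "COMPRESSION:NONE\r\n"
    "OLDFILEUID:NONE\r\n"
    "NEWFILEUID:NONE\r\n"
    "\r\n"
    "<OFX><SIGNONMSGSRQV1><SONRQ><DTCLIENT>20090101120000"
    "<USERID>alice<USERPASS>hunter2<LANGUAGE>ENG"
    "<FI><ORG>EXAMPLEFI<FID>1234</FI><APPID>QWIN<APPVER>1700"
    "</SONRQ></SIGNONMSGSRQV1></OFX>"
)

# OFX tags whose values are credentials and must not live in saved captures.
SECRET_TAGS = ("USERPASS", "USERID")


@dataclass
class OfxFlow:
    method: str
    path: str
    version: str
    headers: dict      # HTTP header names lower-cased
    ofx_header: dict   # OFX 1.x KEY:VALUE block; empty for OFX 2.x / non-OFX
    payload: str       # everything after the HTTP headers


def parse_capture(raw: str) -> OfxFlow:
    """Split a raw HTTP request into request line, headers and OFX payload."""
    envelope, _, payload = raw.partition("\r\n\r\n")
    lines = envelope.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ofx_header = {}
    if headers.get("content-type", "").startswith("application/x-ofx"):
        # OFX 1.x: KEY:VALUE lines, then a blank line, then the SGML body.
        # OFX 2.x starts with an XML declaration and has no such block.
        block, sep, _ = payload.partition("\r\n\r\n")
        if sep and block.startswith("OFXHEADER:"):
            for line in block.split("\r\n"):
                key, _, value = line.partition(":")
                ofx_header[key] = value
    return OfxFlow(method, path, version, headers, ofx_header, payload)


def redact_secrets(flow: OfxFlow) -> OfxFlow:
    """Return a copy with credential tag values replaced; works for both
    SGML (<USERPASS>x) and XML (<USERPASS>x</USERPASS>) forms."""
    payload = flow.payload
    for tag in SECRET_TAGS:
        payload = re.sub(rf"<{tag}>[^<\r\n]*", f"<{tag}>[REDACTED]", payload)
    return OfxFlow(flow.method, flow.path, flow.version,
                   dict(flow.headers), dict(flow.ofx_header), payload)


def relies_on_transport_security(flow: OfxFlow) -> bool:
    """SECURITY:NONE (the common case) means the body has no application-
    layer protection, so the credentials are only as safe as the TLS
    channel, which is why strict certificate-chain checking in the
    clients matters. Absent header is treated as NONE (assumption)."""
    return flow.ofx_header.get("SECURITY", "NONE").upper() == "NONE"


def serialize(flow: OfxFlow) -> str:
    """Rebuild the raw request with a Content-Length that matches the payload."""
    headers = dict(flow.headers)
    headers["content-length"] = str(len(flow.payload.encode("latin-1")))
    lines = [f"{flow.method} {flow.path} {flow.version}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + flow.payload


if __name__ == "__main__":
    flow = redact_secrets(parse_capture(SAMPLE_CAPTURE))
    print(serialize(flow))
```

The redacted, re-serialized output is what gets saved as a repeatable test input; the original capture with the live password stays only in the packet trace, which should be handled as sensitive material for exactly the reason `relies_on_transport_security` spells out.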
Stay tuned.
I'll be