Title :
SOA-Scanner: An Integrated Tool to Detect Vulnerabilities in Service-Based Infrastructures
Author :
Antunes, Nuno ; Vieira, Marco
Author_Institution :
Dept. of Inf. Eng., Univ. of Coimbra, Coimbra, Portugal
fDate :
June 28 2013-July 3 2013
Abstract :
Service Oriented Architectures are nowadays used in a wide range of organizations to support critical daily operations. Although the underlying services should behave in a secure manner, they are often deployed with bugs that can be maliciously exploited. The characteristics of service-based environments open the door to security challenges that must be handled properly, including services under the control of multiple providers and dynamism of interactions and compositions. This paper presents an extensible tool able to widely test such infrastructures for vulnerabilities. The tool is based on an iterative process that uses interface monitoring to automatically monitor and discover the existing services, resources and interactions, and applies different testing approaches depending on the level of access to each existing service. Two case studies have been developed to demonstrate the tool, and results show that the tool can effectively be used in different service-based scenarios, under different access conditions to the target services.
Keywords :
iterative methods; organisational aspects; service-oriented architecture; SOA-scanner; iterative process; organizations; service oriented architectures; service-based infrastructures; Benchmark testing; Instruments; Monitoring; Runtime; Security; Web services; SOA; security; security testing; vulnerability detection; web-services;
Conference_Title :
Services Computing (SCC), 2013 IEEE International Conference on
Conference_Location :
Santa Clara, CA
Print_ISBN :
978-0-7695-5026-8
DOI :
10.1109/SCC.2013.28