Larkware

We get up early so that you don't have to.

Review: eXamineXT

eXamineXT 2.0, contact Sales at (916) 791-3918 for pricing
Kenai Systems
Rocklin, California
(916) 783-6960  
http://www.kenaisystems.com/index.php/products/

Yes, Virginia, Web Services are still out there. The initial blush of a news story every fifteen minutes may have faded, but plenty of organizations are still busy implementing Web Services, sometimes as ad-hoc solutions to particular problems, sometimes as part of more grandiose Service-Oriented Architectures. As the market continues to grow and mature, it's inevitable that new tools will continue to appear. This week I had the fun of playing for a while with a copy of Kenai Systems' eXamineXT, which provides an attractive workbench for those whose job includes testing the security of all those new Web Services.

The tool definitely feels slick; it's got the multiple docking windows and the tabs and the nice rounded corners and hyperlinks and so on that say they had time to have a designer help out with development. But of course that's only secondary to functionality. To use eXamineXT, you first open up the WSDL for the Web Service of interest, either from a file or from the Internet. Then you can drill into it through multiple views and tabs; it's easy to see raw XML or ports or the SOAP messages or whatever else you need to see about the definition of the Web Service here. Switching between the various views is fast, and the information is presented well. eXamineXT will do helpful things like let you supply credentials in various ways (basic, SSL, WSS username or signature or encryption) to be applied to your requests, and you can either fill in request data by hand or have the tool generate data that complies with the WSDL. Of course then it's just one click to send the request and get back the response.

It's also one click to run the WS-I basic conformance tests on your WSDL, by the way.

But the real goal here is security and privacy testing. eXamineXT comes with a built-in set of known vulnerabilities, encompassing things like information leakage and SQL injection. From these, you can build up a test suite to be applied to any individual request within the WSDL, and execute the suite with a mouse click. Then you can browse around the results and see what happened. The net effect is that you can easily and repeatably throw a lot of potentially dangerous SOAP requests at your Web Service and see what happens, and you can repeat the process after your developers have allegedly fixed the security holes. Kenai ships almost two dozen different testing profiles (sets of vulnerabilities focused on particular areas) with the product currently and promises to release more. You can also do ad hoc testing, though I don't see a way to save your own ad hoc tests to make a custom profile for later reuse.

There's a 30-day trial download available. In addition to the standalone Windows version that I looked at, Kenai also has an Eclipse plugin and a Linux version of the tool.

Mike Gunderloy is the lead developer for Larkware and author of numerous books and articles on programming topics.