McAfee launches WSDigger, a new open source tool designed to help identify vulnerabilities in web services implementations.
McAfee, Inc., a provider of Intrusion Prevention and Security Risk Management, today announced that its security services group, Foundstone Professional Services, has launched WSDigger, a new open source tool designed to help identify vulnerabilities in web services implementations.
The Foundstone WSDigger tool automates black box-style web services security testing, also known as penetration testing. According to McAfee, releasing the testing framework as an open source tool encourages users to develop and share their own plug-ins. WSDigger 1.0 contains sample attack plug-ins for SQL injection, cross-site scripting, and XPath injection attacks. Users can also write their own plug-ins to customize or enhance the tool for tailored applications.
WSDigger has been designed to take a black box penetration testing approach, imitating a malicious user without internal knowledge of the code that drives the web service, says the company. It operates as a web service client, self-assessing how to interact with the web service and prompting the user to make decisions. The tool's process framework can be broken down into four easy steps: service discovery, attack vector discovery, exploit testing, and analysis.
"We have seen considerable interest and need for tools and services to protect web services. This tool is designed to support the testing of the latest security standards, which can pose significant challenges for organizations to incorporate," said Kartik Trivedi, principal consultant for McAfee. "By offering WSDigger 1.0 as a free and open source tool, McAfee reinforces its commitment to deliver security solutions to the mass market for the latest security threats."
The tool, along with the source code, can be downloaded from Foundstone's website.