
Chapter 8 -Enterprise application testin... > 8.5 -Case study: the tools in action - Pg. 313

This response is, of course, in XML but could be used as a data source for another application to provide weather data. In this case, the response indicates that there's a high of 21 degrees Fahrenheit, a low of 14 degrees Fahrenheit, along with some snow for the latitude and longitude used. Another cold day in Minnesota.

When working with web services, you'll note that the request/response nature of the transaction is very similar to that used with database queries. With that in mind, web services have many of the same vulnerabilities that databases have, including SQL injection and potential overflows based on invalid input. While there are many guidelines on how to properly secure web services, it is very common for those security practices to be missed during a rush to get the web service completed. Consequently, you should try the techniques described in Chapter 5 against web services using tools like soapUI.

8.4.5 Metasploit

No tools listing would be complete without mentioning Metasploit. We've covered this tool extensively in other chapters, but it bears mentioning here as well. Metasploit can be used at a variety of layers when testing enterprise applications due to the sheer number of modules available in the application. Applicable attack vectors
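As an added illustration of the web-service paragraph above (this is not code from the book), the sketch below shows a weather lookup that pastes the request's latitude and longitude into its SQL text, next to a version that bounds and type-checks the values and binds them as parameters. The request layout, table, coordinates and function names are assumptions constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

# Constructed requests; element names are assumed, not the real service's schema.
GOOD = "<request><latitude>44.98</latitude><longitude>-93.27</longitude></request>"
BAD = "<request><latitude>44.98</latitude><longitude>-93.27 OR 1=1</longitude></request>"

def make_db():
    """In-memory stand-in for the service's back-end store (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE forecast (lat REAL, lon REAL, high_f INT, low_f INT)")
    db.executemany("INSERT INTO forecast VALUES (?,?,?,?)",
                   [(44.98, -93.27, 21, 14), (25.76, -80.19, 78, 65)])
    return db

def read_params(xml_text):
    """Return the two request fields as raw, untrusted strings."""
    root = ET.fromstring(xml_text)
    return root.findtext("latitude", ""), root.findtext("longitude", "")

def lookup_unsafe(db, xml_text):
    """'Before': request values become part of the SQL statement itself."""
    lat, lon = read_params(xml_text)
    sql = f"SELECT high_f, low_f FROM forecast WHERE lat = {lat} AND lon = {lon}"
    return db.execute(sql).fetchall()

def coordinate(text, limit):
    """Accept only a short, finite decimal number within +/- limit degrees."""
    if len(text) > 12:                      # cap size before any parsing
        raise ValueError("coordinate too long")
    try:
        value = Decimal(text)
    except InvalidOperation:
        raise ValueError("coordinate is not a number") from None
    if not value.is_finite() or abs(value) > limit:
        raise ValueError("coordinate out of range")
    return float(value)

def lookup_safe(db, xml_text):
    """'After': validate first, then bind values instead of concatenating."""
    lat, lon = read_params(xml_text)
    args = (coordinate(lat, 90), coordinate(lon, 180))
    sql = "SELECT high_f, low_f FROM forecast WHERE lat = ? AND lon = ?"
    return db.execute(sql, args).fetchall()
```

With the constructed `BAD` request, `lookup_unsafe` returns every row in the table, while `lookup_safe` raises `ValueError` before any query runs.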