Detection of second order vulnerabilities in web services

The invention claimed is: 1. A system comprising: a processor configured to initiate executable operations comprising: determining whether a Web service uses identity of a requester to select one of a plurality of different paths of a branch in program code of the Web service; responsive to determining that the Web service does select one of a plurality of different paths of a branch according to identity of the requester, indicating that the Web service has a potential vulnerability; determining a trusted identity to which identity of the requester is compared; and submitting a payload to the Web service while impersonating the trusted identity. 2. The system of claim 1 , wherein the processor is further configured to initiate executable operations comprising: defeating identity verification within the Web service; and defeating identity decryption within the Web service. 3. The system of claim 1 , wherein the processor is further configured to initiate executable operations comprising: comparing a response to the payload from the Web service with an expected response; and indicating whether the Web service has a vulnerability according to the comparing. 4. A computer program product for detecting a vulnerability in a Web service, the computer program product comprising: a hardware storage device having computer readable program code embodied therewith, the computer readable program code comprising: computer readable program code configured to determine whether a Web service uses identity of a requester to select one of a plurality of different paths of a branch in program code of the Web service; and computer readable program code configured to, responsive to determining that the Web service does select one of a plurality of different paths of a branch according to identity of the requester, indicate that the Web service has a potential vulnerability; computer readable program code configured to determine a trusted identity to which identity of the requester is compared; and computer readable program code configured to submit a payload to the Web service while impersonating the trusted identity. 5. The computer program product of claim 4 , further comprising: computer readable program code configured to defeat identity verification within the Web service. 6. The computer program product of claim 4 , further comprising: computer readable program code configured to defeat identity decryption within the Web service. 7. The computer program product of claim 4 , further comprising: computer readable program code configured to compare a response to the payload from the Web service with an expected response; and computer readable program code configured to indicate whether the Web service has a vulnerability according to the comparing. 8. The computer program product of claim 4 , further comprising: computer readable program code configured to locate a seed instruction in the program code of the Web service in which identity of the requester is determined; and computer readable program code configured to determine whether a value of the seed instruction that indicates identity of the requestor is determinative in selecting one of the plurality of paths for the branch.