The traditional Web services security testing methods are inefficient,inflexible and do not meet the complex security testing requirements and have difficulty in achieving negative testing. This paper presents a Web services security testing method based on dynamically parsing WSDLs and decomposing security functions. The method solves the problem that traditional testing methods are tightly coupled to the services under testing by dynamically parsing WSDLs. Complex security functions are divided into seven categories of atom security functions so that it can be adapted to complex security testing. It also uses a  fault injection mechanism to generate error messages. The experimental results show that the method is flexible,efficient and advanced.