Security Testing Methodology for Evaluation of Web Services Robustness - Case: XML Injection

2015 IEEE World Congress on Services Pub Date : 2015-06-27 DOI:10.1109/SERVICES.2015.53

M. Salas, P. Geus, E. Martins

{"title":"Security Testing Methodology for Evaluation of Web Services Robustness - Case: XML Injection","authors":"M. Salas, P. Geus, E. Martins","doi":"10.1109/SERVICES.2015.53","DOIUrl":null,"url":null,"abstract":"A Web Service is a software system designed to support interoperable machine-to-machine interaction over a network, it also provides a standard means of interoperating between different software applications. However, Web Services have raised new challenges on information security, this technology is susceptible to XML Injection attacks, which would allow an attacker to collect and manipulate information to insert malicious code in either server-side or client-side, being one of the most employed attack against web applications according to the OWASP Top 10. Different studies have shown that the current testing techniques -- penetration testing and fuzzy scanning -- generate several false positives and negatives. However, the fault injection technique improve the robustness of web applications, through the greater flexibility to modify the test cases and to find software bugs. This work describes a fault injection technique for the evaluation of Web Services robustness with WS-Security (Username Token) and the development of a set of rules for vulnerability analysis, resulting on the improvement of the vulnerability detector accuracy. Our results show that 82% of web Services tested were vulnerable to XML Injection attacks.","PeriodicalId":106002,"journal":{"name":"2015 IEEE World Congress on Services","volume":"35 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-06-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"16","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2015 IEEE World Congress on Services","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SERVICES.2015.53","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 16

Abstract

A Web Service is a software system designed to support interoperable machine-to-machine interaction over a network, it also provides a standard means of interoperating between different software applications. However, Web Services have raised new challenges on information security, this technology is susceptible to XML Injection attacks, which would allow an attacker to collect and manipulate information to insert malicious code in either server-side or client-side, being one of the most employed attack against web applications according to the OWASP Top 10. Different studies have shown that the current testing techniques -- penetration testing and fuzzy scanning -- generate several false positives and negatives. However, the fault injection technique improve the robustness of web applications, through the greater flexibility to modify the test cases and to find software bugs. This work describes a fault injection technique for the evaluation of Web Services robustness with WS-Security (Username Token) and the development of a set of rules for vulnerability analysis, resulting on the improvement of the vulnerability detector accuracy. Our results show that 82% of web Services tested were vulnerable to XML Injection attacks.

查看原文本刊更多论文

评估Web服务健壮性的安全测试方法。案例:XML注入

Web服务是一种软件系统，旨在通过网络支持可互操作的机器对机器交互，它还提供了不同软件应用程序之间互操作的标准方法。然而，Web服务对信息安全提出了新的挑战，这种技术很容易受到XML注入攻击，这将允许攻击者收集和操纵信息，在服务器端或客户端插入恶意代码，根据OWASP前10名，这是针对Web应用程序最常用的攻击之一。不同的研究表明，目前的测试技术——渗透测试和模糊扫描——会产生一些假阳性和假阴性。然而，故障注入技术通过更大的灵活性来修改测试用例和发现软件错误，从而提高了web应用程序的鲁棒性。本文描述了一种基于WS-Security (Username Token)的Web服务鲁棒性评估的故障注入技术，并开发了一套漏洞分析规则，从而提高了漏洞检测的准确性。我们的结果显示，82%的web服务容易受到XML注入攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2015 IEEE World Congress on Services

自引率

0.00%

发文量