Abstract
Dynamic composition of web services is important in B2B applications, where user requirements and business policies change and new services are added to the service registry frequently. In a dynamic composition environment, ensuring the security of messages exchanged among web services becomes challenging, since several attacks are possible on SOAP messages in the public network because of their standardized interfaces. Most existing work on web services security provides solutions for basic security properties such as confidentiality, integrity, authentication, authorization, and non-repudiation. The few existing works that offer solutions such as schema validation and schema hardening against attacks on web services do not provide attack-specific solutions. The web services security standard and all existing work address only the security of messages between a client and a single web service, not the security of messages between two services, which is considerably more challenging. Hence, a security framework for secured messaging among web services is proposed that provides attack-specific solutions. Since new types of web service attacks keep evolving, the proposed security solutions are implemented as APIs that can be plugged into any server on which a web service is deployed. The proposed framework has been tested for compliance with WSI-BP to demonstrate its interoperability and subjected to vulnerability testing, which proved its immunity to attacks. Stress testing results revealed that throughput decreased by only 35%, achieving a good trade-off between performance and security.
Acknowledgments
The authors would like to thank S.M. Sindhu, postgraduate student, for her coding efforts.
© 2020 IFIP International Federation for Information Processing
Rajaram, K., Babu, C. (2020). WS-SM: Web Services - Secured Messaging Framework with Pluggable APIs. In: Chandrabose, A., Furbach, U., Ghosh, A., Kumar M., A. (eds) Computational Intelligence in Data Science. ICCIDS 2020. IFIP Advances in Information and Communication Technology, vol 578. Springer, Cham. https://doi.org/10.1007/978-3-030-63467-4_19
DOI: https://doi.org/10.1007/978-3-030-63467-4_19
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-63466-7
Online ISBN: 978-3-030-63467-4
eBook Packages: Computer Science, Computer Science (R0)