WS-SM: Web Services - Secured Messaging Framework with Pluggable APIs

  • Conference paper
Computational Intelligence in Data Science (ICCIDS 2020)

Abstract

Dynamic composition of web services is important in B2B applications, where user requirements and business policies change and new services are frequently added to the service registry. In a dynamic composition environment, ensuring the security of messages communicated among the web services becomes challenging, since several attacks are possible on SOAP messages in the public network due to their standardized interfaces. Most of the existing works on web services security provide solutions to ensure basic security features such as confidentiality, integrity, authentication, authorization, and non-repudiation. The few existing works that provide solutions such as schema validation and schema hardening for attacks on web services do not provide attack-specific solutions. The web services security standard and all the existing works have addressed only the security of messages between a client and a single web service, but not the security of messages between two services, which is quite challenging. Hence, a security framework for secured messaging among web services has been proposed to provide attack-specific solutions. Since new types of web service attacks evolve over time, the proposed security solutions are implemented as APIs that are pluggable in any server where the web service is deployed. The proposed framework has been tested for compliance with WSI-BP to demonstrate its interoperability and subjected to vulnerability testing, which proved its immunity to attacks. The stress testing results revealed that the throughput decreased only by 35%, achieving a good trade-off between performance and security.

Acknowledgments

The authors would like to thank S.M. Sindhu, postgraduate student, for her coding efforts.

Corresponding author

Correspondence to Kanchana Rajaram.

Copyright information

© 2020 IFIP International Federation for Information Processing

Cite this paper

Rajaram, K., Babu, C. (2020). WS-SM: Web Services - Secured Messaging Framework with Pluggable APIs. In: Chandrabose, A., Furbach, U., Ghosh, A., Kumar M., A. (eds) Computational Intelligence in Data Science. ICCIDS 2020. IFIP Advances in Information and Communication Technology, vol 578. Springer, Cham. https://doi.org/10.1007/978-3-030-63467-4_19

  • DOI: https://doi.org/10.1007/978-3-030-63467-4_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63466-7

  • Online ISBN: 978-3-030-63467-4

  • eBook Packages: Computer Science (R0)
