Abstract
Web services represent a powerful interface for back-end database systems and are increasingly being used in business-critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., SQL Injection vulnerabilities). Although several techniques for identifying security vulnerabilities have been proposed, developing non-vulnerable web services is still a difficult task. In fact, security-related concerns are hard to apply because they add complexity to code that is already complex. This paper proposes an approach to secure web services against SQL and XPath Injection attacks by transparently detecting and aborting service invocations that try to take advantage of potential vulnerabilities. Our mechanism was applied to secure several web services specified by the TPC-App benchmark, and proved to be 100% effective in stopping attacks, non-intrusive and very easy to use.
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Laranjeiro, N., Vieira, M., Madeira, H. (2009). Protecting Database Centric Web Services against SQL/XPath Injection Attacks. In: Bhowmick, S.S., Küng, J., Wagner, R. (eds) Database and Expert Systems Applications. DEXA 2009. Lecture Notes in Computer Science, vol 5690. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03573-9_22
DOI: https://doi.org/10.1007/978-3-642-03573-9_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03572-2
Online ISBN: 978-3-642-03573-9
eBook Packages: Computer Science (R0)