Designing vulnerability testing tools for web services: approach, components, and tools

Regular Contribution, International Journal of Information Security

Abstract

This paper proposes a generic approach for designing vulnerability testing tools for web services, covering both the definition of the testing procedure and the components of the tool. Based on this approach, we present the design of three innovative testing tools that implement three complementary techniques for detecting injection vulnerabilities (improved penetration testing, attack signatures with interface monitoring, and runtime anomaly detection), thus offering extensive support for different testing scenarios. A case study has been designed to demonstrate the tools for the particular case of SQL Injection vulnerabilities. The experimental evaluation shows that the tools can be used effectively in different scenarios and that they outperform well-known commercial tools, achieving higher detection coverage and lower false-positive rates.



Acknowledgments

This work has been partially supported by the project CErtification of CRItical Systems (www.cecris-project.eu, CECRIS), Marie Curie Industry-Academia Partnerships and Pathways (IAPP) number 324334, within the context of the EU Seventh Framework Programme (FP7).

Author information

Corresponding author

Correspondence to Nuno Antunes.

Cite this article

Antunes, N., Vieira, M. Designing vulnerability testing tools for web services: approach, components, and tools. Int. J. Inf. Secur. 16, 435–457 (2017). https://doi.org/10.1007/s10207-016-0334-0
