A survey of attacks on web services

Classification and countermeasures

  • Special Issue Paper

Computer Science - Research and Development

Abstract

Being regarded as the new paradigm for Internet communication, Web Services have introduced a large number of new standards and technologies. Though founded on decades of networking experience, Web Services are no more resistant to security attacks than other open network systems. Quite the opposite is true: Web Services are exposed to attacks well known from common Internet protocols and additionally to new kinds of attacks targeting Web Services in particular. Along with their severe impact, most of these attacks can be performed with minimal effort on the attacker's side.

This article gives a survey of vulnerabilities in the context of Web Services. As proof of the practical relevance of these threats, exemplary attacks on widespread Web Service implementations were performed. Further, general countermeasures for the prevention and mitigation of such attacks are discussed.

Author information

Correspondence to Meiko Jensen.

Additional information

This work was done while the authors were at the Department for Computer Science, University of Kiel, Germany.

CR subject classification

C.2 ; C.4 ; H.3.5 ; K.6.5

Cite this article

Jensen, M., Gruschka, N. & Herkenhöner, R. A survey of attacks on web services. Comp. Sci. Res. Dev. 24, 185–197 (2009). https://doi.org/10.1007/s00450-009-0092-6

  • DOI: https://doi.org/10.1007/s00450-009-0092-6
