
Experimental analysis of attacks against web services and countermeasures

Published: 08 November 2010

Abstract

Web services are increasingly becoming an integral part of next-generation web applications. A Web service is defined as a software system designed to support interoperable machine-to-machine interaction over a network based on a set of XML standards. This new architecture and set of protocols bring new security challenges such as confidentiality, integrity, anonymity, authentication, authorization and availability of requested services. Vulnerabilities in Web services are very dangerous, since attackers can use them to damage the company's information system and steal confidential data.
In this paper, we carry out an experimental analysis of attacks against Web services. We demonstrate three types of attacks experimentally and reveal dangerous techniques and tools used by attackers that administrators have to prevent. Moreover, we study the effects of these attacks by observing their impact on information system data and resources. Finally, we propose general countermeasures to prevent and mitigate such attacks.



Published In

iiWAS '10: Proceedings of the 12th International Conference on Information Integration and Web-based Applications & Services
November 2010
895 pages
ISBN: 9781450304214
DOI: 10.1145/1967486

Sponsors

• IIWAS (International Organization for Information Integration)
• Web-b

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. DoS attack
2. command injection
3. session hijacking
4. web services attacks
5. web services security


Cited By

• (2015) A method for intrusion detection in web services based on time series. 2015 IEEE 28th Canadian Conference on Electrical and Computer Engineering (CCECE), 836-841. DOI: 10.1109/CCECE.2015.7129383. Online publication date: May 2015.
• (2014) Characterization of attacks collected from the deployment of Web service honeypot. Security and Communication Networks 7(2), 338-351. DOI: 10.1002/sec.737. Online publication date: 1 Feb 2014.
• (2013) Automatic Analysis of Web Service Honeypot Data Using Machine Learning Techniques. International Joint Conference CISIS'12-ICEUTE'12-SOCO'12 Special Sessions, 1-11. DOI: 10.1007/978-3-642-33018-6_1. Online publication date: 2013.
• (2012) A Metamodel for Web Application Injection Attacks and Countermeasures. Trends in Enterprise Architecture Research and Practice-Driven Research on Enterprise Transformation, 198-217. DOI: 10.1007/978-3-642-34163-2_12. Online publication date: 2012.
