ABSTRACT
The pervasiveness of Web Services, compounded by their seamless interoperability, introduces security concerns that must be carefully considered in the envisioned internet architecture. In this paper, we propose a comprehensive study of Web Service vulnerabilities. We consider not only well-known Web-based vulnerabilities such as SQL injection and session replay, but also analyze Web-Service-specific vulnerabilities and the attacks they enable as a result of poor service construction and service maintenance. In our analysis, we classify each of the studied vulnerabilities according to a new taxonomy, discuss remedies and impact, and propose detection methods based on real-time analysis. Our analysis is supported by the results of a large-scale study involving over 2,000 real-world Web Services. We note that many of the least-studied vulnerabilities are present in the wild.
- In the wild: a large scale study of web services vulnerabilities