Abstract
This paper proposes a generic approach for designing vulnerability testing tools for web services, which includes the definition of the testing procedure and the tool components. Based on the proposed approach, we present the design of three innovative testing tools that implement three complementary techniques (improved penetration testing, attack signatures and interface monitoring, and runtime anomaly detection) for detecting injection vulnerabilities, thus offering extensive support for different scenarios. A case study has been designed to demonstrate the tools for the particular case of SQL Injection vulnerabilities. The experimental evaluation demonstrates that the tools can be used effectively in different scenarios and that they outperform well-known commercial tools by achieving higher detection coverage and lower false-positive rates.
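The abstract names runtime anomaly detection at the service's database interface as one of the three techniques. The sketch below is an added illustration, not the authors' tool, and assumes the usual realisation of that idea: learn the structure of the SQL commands issued while a valid workload runs, then flag any command whose structure changes while the tester submits malformed inputs (the class names and sample commands are constructed for this example).

```python
import re
from typing import List, Set

# Token classes: quoted string literals (with '' as the escaped quote), numbers,
# words (keywords/identifiers) and single punctuation characters.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def sql_structure(command: str) -> str:
    """Reduce a SQL command to its skeleton: every literal becomes '?', keywords
    are case-folded, so two commands compare equal iff their structure is equal."""
    parts = []
    for tok in _TOKEN.findall(command):
        if tok.startswith("'") or tok.isdigit():
            parts.append("?")          # string or numeric literal
        else:
            parts.append(tok.lower())
    return " ".join(parts)

class InterfaceMonitor:
    """Hypothetical monitor at the database interface (assumed design)."""
    def __init__(self) -> None:
        self.profile: Set[str] = set()

    def learn(self, command: str) -> None:
        """Learning phase: record the structure of a command issued by the valid workload."""
        self.profile.add(sql_structure(command))

    def check(self, command: str) -> bool:
        """Testing phase: True if the command's structure was never seen while learning,
        i.e. the submitted input altered the query rather than staying inside a literal."""
        return sql_structure(command) not in self.profile

# Constructed sample: commands observed while running the valid workload.
VALID_WORKLOAD = [
    "SELECT * FROM users WHERE name = 'alice' AND pwd = 'x1'",
    "SELECT * FROM users WHERE name = 'bob' AND pwd = 'pw2'",
]
# Constructed sample: commands observed while the tester submits malformed inputs.
TEST_PHASE = [
    "SELECT * FROM users WHERE name = 'carol' AND pwd = 'secret'",  # benign, same structure
    "SELECT * FROM users WHERE name = '' OR '1'='1' AND pwd = ''",    # input escaped the literal
]

def run_demo() -> List[bool]:
    mon = InterfaceMonitor()
    for cmd in VALID_WORKLOAD:
        mon.learn(cmd)
    return [mon.check(cmd) for cmd in TEST_PHASE]
```

A flagged command during testing indicates the operation is vulnerable to injection, which is the signal the tool reports; in a real deployment the monitor would hook the JDBC driver (or equivalent) instead of reading a list.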
Acknowledgments
This work has been partially supported by the project CErtification of CRItical Systems (www.cecris-project.eu, CECRIS), Marie Curie Industry-Academia Partnerships and Pathways (IAPP) number 324334, within the context of the EU Seventh Framework Programme (FP7).
Antunes, N., Vieira, M. Designing vulnerability testing tools for web services: approach, components, and tools. Int. J. Inf. Secur. 16, 435–457 (2017). https://doi.org/10.1007/s10207-016-0334-0