Security Testing Methodology for Vulnerabilities Detection of XSS in Web Services and WS-Security

Due to its distributed and open nature, Web Services technology gives rise to new security challenges. It is susceptible to Cross-site Scripting (XSS) attacks, which take advantage of existing vulnerabilities. The proposed approach makes use of two security testing techniques, namely Penetration Testing and Fault Injection, in order to emulate XSS attacks against Web Services. This technology, combined with WS-Security (WSS) and Security Tokens, can identify the sender and guarantee legitimate access control over the SOAP messages exchanged. We use the vulnerability scanner soapUI, one of the most recognized Penetration Testing tools. In contrast, WSInject is a new fault injection tool that introduces faults or errors into Web Services in order to analyze their behavior in a non-robust environment. The results show that, compared with soapUI, using WSInject improves vulnerability detection, allows XSS attacks to be emulated, and generates new types of them.
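The fault-injection step the abstract describes, reduced to a small added example (not code from the paper, soapUI or WSInject): a well-formed SOAP request carrying a WS-Security UsernameToken, an injector that overwrites one token field with a test payload, and the server-side allowlist check a defender would use to reject it. The SOAP 1.1 and WSS 1.0 namespace URIs are the standard ones; the bank operation, credentials and payload are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces of SOAP 1.1 and the WS-Security UsernameToken Profile 1.0.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soap": SOAP_NS, "wsse": WSSE_NS}

# Allowlist for usernames: a token field that is logged or echoed back into
# HTML must never carry markup, so anything outside this set is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")

def build_request(username, password):
    """Build a SOAP request with a UsernameToken header, XML-escaping the
    values as a well-behaved client would (constructed sample request)."""
    return f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <wsse:UsernameToken>
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password>{escape(password)}</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getAccount xmlns="urn:example:bank"/></soap:Body>
</soap:Envelope>"""

def inject_fault(envelope, field, payload):
    """Emulate the fault injector: replace the content of one wsse field with
    a test payload. The payload is escaped so the envelope stays well-formed
    XML and the script text reaches the service as ordinary character data."""
    pattern = re.compile(rf"(<wsse:{field}>)(.*?)(</wsse:{field}>)", re.S)
    return pattern.sub(lambda m: m.group(1) + escape(payload) + m.group(3),
                       envelope, count=1)

def validate_username_token(envelope):
    """Server-side check: parse the envelope and accept the token only if a
    Username is present and matches the allowlist. Returns (accepted, reason)."""
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return False, "malformed XML"
    user = root.find(
        "soap:Header/wsse:Security/wsse:UsernameToken/wsse:Username", NS)
    if user is None or not user.text:
        return False, "missing Username"
    if not USERNAME_RE.match(user.text):
        return False, "Username contains disallowed characters"
    return True, "ok"
```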
