A Black-Box Approach to Detect Vulnerabilities in Web Services Using Penetration Testing

Web services work over dynamic connections among distributed systems. This technology was specifically designed to pass SOAP messages easily through firewalls using open ports. These benefits bring a number of security challenges, such as injection attacks, phishing, Denial-of-Service (DoS) attacks, and so on. The difficulty of detecting vulnerabilities before they are exploited encourages developers to use security testing, such as penetration testing, to reduce potential attacks. Taking a black-box approach, this research uses penetration testing to emulate a series of attacks, such as Cross-site Scripting (XSS), Fuzzing Scan, Invalid Types, Malformed XML, SQL Injection, XPath Injection and XML Bomb. The soapUI vulnerability scanner was used to emulate these attacks and insert malicious scripts into the requests sent to the web services tested. Furthermore, a set of rules was developed to analyze the responses in order to reduce false positives and negatives. The results suggest that 97.1% of web services have at least one vulnerability to these attacks. We also determined a ranking of these attacks against web services.
