Infiltrate Testing Tool for Web Services Security

Web Services are widely used for distributed computing solutions. Web Services technology is used to integrate existing homogeneous or heterogeneous enterprise applications. It can also be used to build interoperable components that can be reused by many applications, irrespective of the platforms on which they are built. Service Oriented Architecture (SOA) is used for such distributed applications; this architecture enables the integration of many services and allows access through a single interface. As the technology became widely used, many extension specifications developed by W3C came into existence. This has caused a rise in attacks on web services applications, ranging from denial of service attacks to various other attacks that break the security of these systems. Web application developers generally test their applications for security using penetration testing tools. However, for applications built using Web Services technology, no such penetration testing tools are available. Mainka et al. developed a plug-in based penetration testing tool named WSAttacker. They implemented only two plugins, namely SOAPAction Spoofing and WS-Address Spoofing. In this paper we improve the tool by implementing plugins for two more attacks, namely the Oversize Payload Attack and the Oversized Encryption Attack. WSAttacker is meant for testing web services applications for security. The empirical results revealed that the proposed plugins are effective and could enhance the use of the tool.
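As an added example (not code from the paper or from WSAttacker), the kind of input guard a SOAP endpoint can apply against the Oversize Payload Attack named above: it enforces a byte-size limit before parsing and then walks the XML incrementally so that nesting depth and element count are bounded without building the whole tree. The limits, the namespace constant and the sample messages are assumptions constructed for this demonstration.

```python
"""Defensive guard against oversized SOAP payloads (added example, not from
the paper or WSAttacker). MAX_BYTES, MAX_DEPTH and MAX_ELEMENTS are assumed
values chosen for the demo; a real deployment tunes them to its services."""
import io
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # assumed: reject messages larger than 64 KiB
MAX_DEPTH = 32          # assumed: reject nesting deeper than 32 levels
MAX_ELEMENTS = 2000     # assumed: reject more than 2000 elements in total

SOAP_ENV = "{http://www.w3.org/2003/05/soap-envelope}Envelope"


def check_soap_payload(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Size is checked before any parsing; depth
    and element count are enforced while streaming through the document."""
    if len(raw) > MAX_BYTES:
        return False, f"payload too large: {len(raw)} bytes"
    depth = count = 0
    root_tag = None
    try:
        for event, elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            if event == "start":
                if root_tag is None:
                    root_tag = elem.tag
                depth += 1
                count += 1
                if depth > MAX_DEPTH:
                    return False, f"nesting too deep: {depth}"
                if count > MAX_ELEMENTS:
                    return False, f"too many elements: {count}"
            else:
                depth -= 1
                elem.clear()  # release the finished subtree as we go
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root_tag != SOAP_ENV:
        return False, f"unexpected root element: {root_tag}"
    return True, "ok"


# Constructed sample messages: a small benign request and a deeply nested one
# that stays under MAX_BYTES but exceeds MAX_DEPTH.
BENIGN = (b'<?xml version="1.0"?>'
          b'<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">'
          b'<env:Body><getQuote><symbol>XYZ</symbol></getQuote></env:Body>'
          b'</env:Envelope>')
DEEP = (b'<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Body>'
        + b'<a>' * 100 + b'</a>' * 100 + b'</env:Body></env:Envelope>')
```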
