A survey and classification of XML based attacks on web applications

ABSTRACT XML based attacks are executed in web applications through crafted XML document that forces XML parser to process un-validated documents. This leads to disclosure of sensitive information, malicious code execution and disruption of services. OWASP has included XML based attacks at number four in its top 10 list of vulnerabilities published in 2017. Most of the vulnerabilities reported using the XML document range from high to critical and require to be addressed immediately. As per the National Vulnerability Database, 152 vulnerabilities have already been reported in the first five months of the year 2019. A varied number of XML vulnerabilities and their classification exist but are limited to a specific vulnerability. In this paper, the authors have proposed a classification of XML based vulnerabilities based on exhaustive literature survey. The approach/strategies to mitigate these vulnerabilities are also presented. The work will help the web developers for proposing secure parsers that will thwart such attacks.

[1]  Azzedine Benameur,et al.  A formal solution to rewriting attacks on SOAP messages , 2008, SWS '08.

[2]  Alwyn Roshan Pais,et al.  Attacks on Web Services and mitigation schemes , 2010, 2010 International Conference on Security and Cryptography (SECRYPT).

[3]  Annibale Panichella,et al.  Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications , 2019, IEEE Transactions on Software Engineering.

[4]  Massimiliano Rak,et al.  Stealthy Denial of Service Strategy in Cloud Computing , 2015, IEEE Transactions on Cloud Computing.

[5]  Hossain Shahriar,et al.  Towards an Attack Signature Generation Framework for Intrusion Detection Systems , 2017, 2017 IEEE 15th Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech).

[6]  William K. Robertson,et al.  Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis , 2012, 2012 IEEE 36th Annual Computer Software and Applications Conference.

[7]  Nuno Laranjeiro,et al.  Experimental Evaluation of Web Service Frameworks in the Presence of Security Attacks , 2012, 2012 IEEE Ninth International Conference on Services Computing.

[8]  Jörg Schwenk,et al.  Making XML Signatures Immune to XML Signature Wrapping Attacks , 2012, CLOSER.

[9]  Rossilawati Sulaiman,et al.  Protection of XML-based denail-of-service and httpflooding attacks in web services using the middleware tool , 2018 .

[10]  Mohammad Masdari,et al.  A survey and taxonomy of DoS attacks in cloud computing , 2016, Secur. Commun. Networks.

[11]  Gajendra Deshpande,et al.  Modeling and Mitigation of XPath Injection Attacks for Web Services Using Modular Neural Networks , 2018, Advances in Intelligent Systems and Computing.

[12]  Nils Gruschka,et al.  Server-Side Streaming Processing of WS-Security , 2011, IEEE Transactions on Services Computing.

[13]  Jörg Schwenk,et al.  A New Approach towards DoS Penetration Testing on Web Services , 2013, 2013 IEEE 20th International Conference on Web Services.

[14]  Jörg Schwenk,et al.  SoK: XML Parser Vulnerabilities , 2016, WOOT.

[15]  Massimiliano Rak,et al.  Intrusion Tolerance of Stealth DoS Attacks to Web Services , 2012, SEC.

[16]  Hossain Shahriar,et al.  Web service injection attack detection , 2017, 2017 12th International Conference for Internet Technology and Secured Transactions (ICITST).

[17]  Altair Olivo Santin,et al.  Mitigating XML Injection 0-Day Attacks through Strategy-Based Detection Systems , 2013, IEEE Security & Privacy.

[18]  Nils Gruschka,et al.  A survey of attacks on web services , 2009, Computer Science - Research and Development.

[19]  Jörg Schwenk,et al.  Analysis of Signature Wrapping Attacks and Countermeasures , 2009, 2009 IEEE International Conference on Web Services.

[20]  Michael McIntosh,et al.  XML signature element wrapping attacks and countermeasures , 2005, SWS '05.

[21]  Abhinav Nath Gupta,et al.  ATTACKS ON WEB SERVICES NEED TO SECURE XML ON WEB , 2013 .

[22]  Juraj Somorovsky,et al.  On the effectiveness of XML Schema validation for countering XML Signature Wrapping attacks , 2011, 2011 1st International Workshop on Securing Services on the Cloud (IWSSC).

[23]  Lionel C. Briand,et al.  Automated and effective testing of web services for XML injection attacks , 2016, ISSTA.

[24]  Sunita Tiwari,et al.  Survey of potential attacks on web services and web service compositions , 2011, 2011 3rd International Conference on Electronics Computer Technology.

[25]  Lionel C. Briand,et al.  Known XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems , 2015, 2015 IEEE International Conference on Software Quality, Reliability and Security.

[26]  Esmiralda Moradian,et al.  Possible attacks on XML Web Services , 2006 .

[27]  Massimiliano Rak,et al.  Intrusion Tolerant Approach for Denial of Service Attacks to Web Services , 2011, 2011 First International Conference on Data Compression, Communications and Processing.

[28]  Fang-Fang Chua,et al.  Intrusion detection and prevention of web service attacks for software as a service: Fuzzy association rules vs fuzzy associative patterns , 2016, J. Intell. Fuzzy Syst..

[29]  Lionel C. Briand,et al.  A Search-Based Testing Approach for XML Injection Vulnerabilities in Web Applications , 2017, 2017 IEEE International Conference on Software Testing, Verification and Validation (ICST).

[30]  K. P. Jevitha,et al.  Web Services Attacks and Security- A Systematic Literature Review , 2016 .

[31]  G. Deepa,et al.  Securing native XML database-driven web applications from XQuery injection vulnerabilities , 2016, J. Syst. Softw..

[32]  Jörg Schwenk,et al.  On Breaking SAML: Be Whoever You Want to Be , 2012, USENIX Security Symposium.

[33]  Hussein Alnabulsi,et al.  GMSA: Gathering Multiple Signatures Approach to Defend Against Code Injection Attacks , 2018, IEEE Access.

[34]  Jitendra Kumar,et al.  XML wrapping attack mitigation using positional token , 2017, 2017 International Conference on Public Key Infrastructure and its Applications (PKIA).

[35]  Nils Gruschka,et al.  Protecting Web Services from DoS Attacks by SOAP Message Validation , 2006, SEC.