
Security Testing Methodology for Vulnerabilities Detection of XSS in Web Services and WS-Security

Published: 01 February 2014

Abstract

Due to its distributed and open nature, Web Services technology gives rise to new security challenges. It is susceptible to Cross-site Scripting (XSS) attacks, which take advantage of existing vulnerabilities. The proposed approach makes use of two Security Testing techniques, namely Penetration Testing and Fault Injection, in order to emulate XSS attacks against Web Services. This technology, combined with WS-Security (WSS) and Security Tokens, can identify the sender and guarantee legitimate access control over the SOAP messages exchanged. We use the vulnerability scanner soapUI, one of the most widely recognized Penetration Testing tools. WSInject, in contrast, is a new fault injection tool that introduces faults or errors into Web Services in order to analyze their behavior in a non-robust environment. The results show that, compared to soapUI, WSInject improves vulnerability detection, allows XSS attacks to be emulated and generates new types of them.



Reviews

Jesus Villadangos-Alonso

Websites, like most other software components, are vulnerable to attacks. Cross-site scripting (XSS) attacks are a type of malicious code injection in which malicious scripts are injected into websites. Currently, many websites are used to execute software components called web services. In my opinion, web services can be considered the most important components to integrate different software technologies. Web services security, defined in the Web Services Security (WS-Security) standard, is important for analyzing XSS attacks. In this paper, the authors analyze the robustness of web services using security testing techniques. This is a very practical paper. The authors describe in detail how to test vulnerabilities in web services, and how to discover new vulnerabilities during software development before attackers exploit them. The paper shows how certain tools can be used to analyze the presence of vulnerabilities in web services and emulate an XSS attack. In addition, the authors analyze the robustness of web services with WS-Security, and security tokens against an XSS attack. In the paper, the authors propose a secure testing methodology to address security problems in web services. Although the paper shows that tools are very important, the tool's output should be carefully analyzed to identify real risks. In fact, the authors have established a set of rules to identify clearly which outputs are a risk and which outputs are not actual vulnerabilities. In summary, this is a very interesting paper because the proposed approach is practical. This approach could be used in some programming courses as part of a laboratory. It is very easy to read and the approach is replicable. The paper fails, however, to provide some discussion on secure coding practices. For me, the following question remains: Could secure coding practices when applied to web service programming eliminate their vulnerabilities?

Online Computing Reviews Service


Published In

Electronic Notes in Theoretical Computer Science (ENTCS), Volume 302, February 2014, 173 pages

Publisher

Elsevier Science Publishers B. V., Netherlands

Author Tags

  1. Security Token
  2. WS-Security
  3. WSInject
  4. WSS
  5. XSS attack
  6. cross-site scripting
  7. fault injection
  8. penetration testing
  9. soapUI
  10. web services

Qualifiers

  • Article

Cited By

  • (2024) Maturity model for secure software testing. Journal of Software: Evolution and Process, 36(5). DOI: 10.1002/smr.2593. Online publication date: 25-Apr-2024.
  • (2023) Metamorphic Testing for Web System Security. IEEE Transactions on Software Engineering, 49(6), pp. 3430-3471. DOI: 10.1109/TSE.2023.3256322. Online publication date: 1-Jun-2023.
  • (2022) GeneMiner. Computational Intelligence and Neuroscience, 2022. DOI: 10.1155/2022/3675821. Online publication date: 1-Jan-2022.
  • (2022) Link: Black-Box Detection of Cross-Site Scripting Vulnerabilities Using Reinforcement Learning. Proceedings of the ACM Web Conference 2022, pp. 743-754. DOI: 10.1145/3485447.3512234. Online publication date: 25-Apr-2022.
  • (2022) Adaptive cross-site scripting attack detection framework for smart devices security using intelligent filters and attack ontology. Soft Computing - A Fusion of Foundations, Methodologies and Applications, 27(8), pp. 4593-4608. DOI: 10.1007/s00500-022-07697-2. Online publication date: 8-Dec-2022.
  • (2019) Security maturity model of web applications for cyber attacks. Proceedings of the 3rd International Conference on Cryptography, Security and Privacy, pp. 130-137. DOI: 10.1145/3309074.3309096. Online publication date: 19-Jan-2019.
  • (2019) The THREAT-ARREST Cyber-Security Training Platform. Computer Security, pp. 199-214. DOI: 10.1007/978-3-030-42051-2_14. Online publication date: 26-Sep-2019.
  • (2018) A study on the security impact of the web services implementation in the Malaysian government's online applications. International Journal of Advanced Intelligence Paradigms, 11(1-2), pp. 159-175. DOI: 10.5555/3270950.3270962. Online publication date: 1-Jan-2018.
  • (2016) Neutralizing Cross-Site Scripting Attacks Using Open Source Technologies. Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies, pp. 1-6. DOI: 10.1145/2905055.2905230. Online publication date: 4-Mar-2016.
  • (2016) Quality of Service Conflict During Web Service Monitoring. Electronic Notes in Theoretical Computer Science (ENTCS), 321(C), pp. 113-127. DOI: 10.1016/j.entcs.2016.02.007. Online publication date: 14-Mar-2016.
