Figure 2 - uploaded by Esmiralda Moradian
UDDI registry (Source: Erl [24] Online documentation) 

Source publication
Article
Summary: Web Services make it easy for organisations to participate in real time communication. The inevitable challenge facing organisations today is to implement adequate Web Services security. The attacks on Web Services might cause a halt of the entire network communication or expose confidential information in an organisation. In this paper, we p...

Contexts in source publication

Context 1
... needs to be implemented in an early stage of an application design and/or system development process. This is needed due to the difficulties for application developers to sufficiently understand emerging technologies and their security mechanisms within a limited time and bring them in the process of Web application development. It is necessary to increase awareness and knowledge of what kinds of security problems exist in the system development process, in order to prevent and remedy problems at an early stage of the system development process and prevent security problems from occurring. The relationship between Web Services, SOAP, UDDI and WSDL is presented in Figure 1. A schematic view of UDDI registry is presented in Figure ...
Context 2
... defines data structures and APIs (programming interfaces) for publishing service descriptions in the registry and serves as a mechanism for discovering where specific Web Services are provided and who provides them. The information contained in UDDI is categorized in white, yellow and green pages by OASIS (Organization for the Advancement of Structured Information Standards) [33]. In the UDDI registry, a Web services description contains information about business information, service information, binding information and information about specifications of services. This information is described by different entities [1]. Schematic view of UDDI registry is presented in Figure 2. WSDL (Web Services Description Language) describes service interfaces and specifies what data must be provided, but also what will be returned. WSDL is a text-based, machine-generated and machine-processed language, usually used during design and development of Web Services application. In WSDL, specifications are XML documents that describe Web Services and service interfaces. WSDL specifications are characterized by an abstract part and concrete part, where WSDL documents describe logical and concrete details of Web Service. In defining an abstract part of WSDL interface Alonso and Hartman [1], [13] point out four steps: 1) Identify and define all the data structures that will be exchanged between the applications. 2) Define messages by dividing the messages into portions characterized by name and by type. 3) Define operations with four basic operations: one-way, request-response, solicit-response, and notification. 4) Group operations into port types, which define the operations and messages sent or received. The above definitions are considered abstract because no implementation-specific information is specified. For example, the exact set of port types that service implements, the protocol used to transmit the messages is not given, nor is the encoding used for the data.
The concrete part describes aspects of the services that are determined by the service provider and contains bindings, services, and ports specifying all the information missing in the abstract part [1], [13]. Discussing the concrete part of a WSDL interface Alonso [1], Hartman [13] and other authors point out three so-called constructs: 1) Interface bindings used for specifying the encoding for the messages and the underlying protocol bindings for all operations and messages in a given port type. 2) Ports for specifying the address at which the service is ...

Citations

... On the other side, in the category related to security issues we found topics linked to problems of "package access", but also to "vulnerable" components that may lead to "security" problems. Regarding the topic "XML", it is important to note that there are a number of security issues involving the configuration of XML parsers and how they interact with the document structure [54,47]. For example, let us consider the validation against untrusted external DTDs (Document Type Declaration) files. ...
Preprint
Modern version control systems such as Git or SVN include bug tracking mechanisms, through which developers can highlight the presence of bugs through bug reports, i.e., textual descriptions reporting the problem and what are the steps that led to a failure. In past and recent years, the research community deeply investigated methods for easing bug triage, that is, the process of assigning the fixing of a reported bug to the most qualified developer. Nevertheless, only a few studies have reported on how to support developers in the process of understanding the type of a reported bug, which is the first and most time-consuming step to perform before assigning a bug-fix operation. In this paper, we target this problem in two ways: first, we analyze 1,280 bug reports of 119 popular projects belonging to three ecosystems such as Mozilla, Apache, and Eclipse, with the aim of building a taxonomy of the root causes of reported bugs; then, we devise and evaluate an automated classification model able to classify reported bugs according to the defined taxonomy. As a result, we found nine main common root causes of bugs over the considered systems. Moreover, our model achieves high F-Measure and AUC-ROC (64% and 74% on overall, respectively).
... E-business applications tempt attackers who can manipulate the backend of an application which helps in the storage of all personal data. The attacks on various Web Services might generate to stop the entire network communication or might lead to revealing confidential information in an organization [5]. Input Validation: It attacks directly on the modified data parsed by the server. ...
... • Session management Attacks: This leads to vulnerabilities in application which leads to attacks on session management. Due to all the above security issues, a decentralized web authentication system using blockchain is proposed which is not a password-based authentication and authentication is done using AuthKey which is a 160-bit hash and is secured enough to prevent all the above attacks [5]. ...
Conference Paper
Over the past decade, a lot of evolution has happened in the field of security, specifically authentication systems. The most commonly used authentication service we use now is OAuth 2.0 based authentication. In this method, we are dependent on a 3rd party authentication service provider which we need to trust. Though this model is used extensively nowadays, studies show that it is still vulnerable to several hacks. In addition to that, the 3rd party authentication provider has total control over the user data, which they can leak or modify at their will. Thus the use of OAuth 2.0 based protocol has raised security and privacy concerns. In this paper, blockchain and its use cases are studied and an alternative way of authentication service has been proposed based on Ethereum Blockchain called DAuth. Furthermore, a prototype has been developed which enables user authentication on the site. DAuth proposes to enhance transparency and user control in transactions which involve identity management.
... On the other side, in the category related to security issues we found topics linked to problems of "package access", but also to "vulnerable" components that may lead to "security" problems. Regarding the topic "XML", it is important to note that there are a number of security issues involving the configuration of XML parsers and how they interact with the document structure [54,47]. For example, let us consider the validation against untrusted external DTDs (Document Type Declaration) files. ...
Article
Modern version control systems, e.g., GitHub, include bug tracking mechanisms that developers can use to highlight the presence of bugs. This is done by means of bug reports, i.e., textual descriptions reporting the problem and the steps that led to a failure. In past and recent years, the research community deeply investigated methods for easing bug triage, that is, the process of assigning the fixing of a reported bug to the most qualified developer. Nevertheless, only a few studies have reported on how to support developers in the process of understanding the type of a reported bug, which is the first and most time-consuming step to perform before assigning a bug-fix operation. In this paper, we target this problem in two ways: first, we analyze 1280 bug reports of 119 popular projects belonging to three ecosystems such as MOZILLA, APACHE, and ECLIPSE, with the aim of building a taxonomy of the types of reported bugs; then, we devise and evaluate an automated classification model able to classify reported bugs according to the defined taxonomy. As a result, we found nine main common bug types over the considered systems. Moreover, our model achieves high F-Measure and AUC-ROC (64% and 74% on overall, respectively).
... It needs to allow for event-based parsing and finally the technique presented a preliminary prototype for drawn-out validation but with little performance and efficiency. It only covered the checking of SOAP XML message [14] [17]. The methodology emphasis only on grammatical authentication of messages afore dispatching them to server. ...
Conference Paper
Service Oriented Architecture (SOA), based on producer consumer model, is vulnerable for malicious code attacks. Web Services are prone to malicious code attacks due to the non-availability of state of the art detection and filtration techniques. There has been considerable work on Web Services security in the domain of query classification based on XML structured message. However, there is lack of research work on malicious code detection based on independent platforms. During the detection process a scheme should be maintained in a way which supports the current state of threat and as well as the coming threats. A rule-based intelligent security cycle, for malicious code detection, filtration and threat analysis of SOAP Messages is presented in this research paper. The proposed technique suggests addressing malicious code detection early in the design phase of a Web Service. In order to validate this technique, a case study was devised to detect and filter malicious code using rule based SOAP service composition. Moreover, the results showed that by applying this technique the capability of SOAP Web Service to detect malicious code attacks at runtime was significantly improved.
... In [3], attacks on Web services are classified into three main classes: (1) infrastructure attacks, which are attacks related to web servers where the Web services reside and also the attacks related to the transport protocol used for exchanging the Web services' request, (2) Web services attacks, that are native to the actual technology fueling Web services, such as WSDL scanning, and (3) XML content attacks, which can be any type of XML-based, content-driven threat that employ the tactic of embedding malicious content with a legitimate XML document. In [4], security problems of XML Web services are investigated and the result of their studies is presented as eight categories of possible attacks on Web services. The categories are as follows [4]: -Identity attacks: dictionary, IP spoofing, message eavesdropping and data tampering attacks. ...
... In [4], security problems of XML Web services are investigated and the result of their studies is presented as eight categories of possible attacks on Web services. The categories are as follows [4]: -Identity attacks: dictionary, IP spoofing, message eavesdropping and data tampering attacks. -Session attacks: replay and man-in-the-middle attacks. ...
... Their specified mechanisms could accommodate a wide variety of security models and encryption technologies. Although WS-Security has improved the security of SOAP messages, it was the base of new threats such as denial of service (DoS) [4]. As stated above, standards are just suggestions to meliorate the situation and other remedies to secure vital Web services must be sought. ...
Article
Web services are software systems designed for supporting interoperable dynamic cross-enterprise interactions. The result of attacks to Web services can be catastrophic and causing the disclosure of enterprises' confidential data. As new approaches of attacking arise every day, anomaly detection systems seem to be invaluable tools in this context. The aim of this work has been to target the attacks that reside in the Web service layer and the extensible markup language (XML)-structured simple object access protocol (SOAP) messages. After studying the shortcomings of the existing solutions, a new approach for detecting anomalies in Web services is outlined. More specifically, the proposed technique illustrates how to identify anomalies by employing mining methods on XML-structured SOAP messages. This technique also takes the advantages of tree-based association rule mining to extract knowledge in the training phase, which is used in the test phase to detect anomalies. In addition, this novel composition of techniques brings nearly low false alarm rate while maintaining the detection rate reasonably high, which is shown by a case study.
... Moradian et al. [6] presented Web Services security and security concerns together with analysis of possible attacks on SOAP implementation of XML Web Services over HTTP. ...
... These attacks exploit various vulnerabilities in the XML processing mechanism, for example, soft spots of XML parsers or weaknesses of input verification procedures in the target server application. Most common XML attacks include: input validation attacks [28]; probing [40]; malware infiltration; buffer overflow [28,40]; XML parameter poisoning [40,37]; CDATA field attacks [40,37]; SQL injection [28,40,37]; cross-site scripting [28]; schema poisoning [25]; denial of service (DoS); Distributed DoS; XML bombardment; DOM parser DoS attacks; XML Bomb [38] and repetition attacks. These XML attacks usually produce XML anomalies since they appear as string expressions (or by other data types) that are very unlikely to occur with respect to the most common XML documents in their domain. ...
Article
Many information systems use XML documents to store data and to interact with other systems. Abnormal documents, which can be the result of either an on-going cyber attack or the actions of a benign user, can potentially harm the interacting systems and are therefore regarded as a threat. In this paper we address the problem of anomaly detection and localization in XML documents using machine learning techniques. We present XML-AD – a new XML anomaly detection framework. Within this framework, an automatic method for extraction of feature from XML documents as well as a practical method for transforming XML features into vectors of fixed dimensionality was developed. With these two methods in place, the XML-AD framework makes it possible to utilize general learning algorithms for anomaly detection. The core of the framework consists of a novel multi-univariate anomaly detection algorithm, ADIFA. The framework was evaluated using four XML documents datasets which were obtained from real information systems. It achieved over 89% true positive detection rate with less than 0.2% of false positives.
... Web Service infrastructures introduce new threats to web-based applications as well as new challenges when it comes to securing them [9]. According to [10], a threat is a possible way a system can be attacked and the threats can be broadly categorized in four classes according to their consequences: (i) Disclosure-it is the unauthorized access to data, (ii) Deception-it is the provision of false data which is believed to be true, (iii) Disruption-it aims at preventing an asset from correct operation, and (iv) Usurpation-it leads to losing control of the asset to an unauthorized entity. One of the major design issues of SOA is meeting its security requirements, since it affects interaction of services and applications in SOA environment [11]. ...
... Due to this web services are vulnerable to attacks. Some common attacks targeting the Web services [1] [18] are discussed below. ...
Conference Paper
Web-Services are very crucial in today's web based business infrastructure. They are able to dilate the way on which business runs. Web-services make services accessible from anywhere and can transform applications to web applications. They are basis of many B2B communications. Due to their effect on business they woo attackers to disrupt the service provided by different means. The objective of this paper is mainly attack avoidance based on data mining. We are presenting a prototype of model for attack avoidance on web-services. The model can intelligently avoid some types of attacks on web-services. The aim here is to rectify avoidance probabilities of attacks and decrease false positives and false negatives.