Conference paper

Abstract

Web services inherited many well-known security problems of Web applications and brought new ones. Major data breaches today are consequences of bad input validation at the application level. This paper presents a way to implement an input validation model for Web services which can be used to prevent cross-site scripting and SQL injection through the use of predefined models which specify valid inputs. The proposed WSIVM (Web Services Input Validation Model) consists of an XML schema, an XML specification, and a module for performing input validation according to the schema. A case study showing the effectiveness and performance of this mechanism is also presented.
A Validation Model of Data Input for Web Services
Rafael B. Brinhosa, Carla M. Westphall, Carlos B. Westphall, Daniel R. dos Santos, Fábio Grezele
The Twelfth International Conference on Networks - ICN 2013
January 27 - February 1, 2013 - Seville, Spain
Post Graduation Program in Computer Science
Federal University of Santa Catarina
{ brinhosa,carlamw,westphal,danielrs,fgrezele }@inf.ufsc.br
Content at a Glance
Introduction and Related Works
Security Issues in Web Services
A Validation Model of Data Input for Web Services (WSIVM)
Implementation Results
Development
Case Study
Conclusions and Future Works
Introduction
SOA is based on web services, but there are security related concerns
The lack of proper input validation is a major cause of data breaches and Web application attacks
Application attacks: SQL injection and cross-site scripting (XSS)
Web Services Input Validation Model: an XML schema, an XML specification and a module for performing input validation according to the schema
Introduction – Web Services
Find Web services which meet certain requirements (UDDI: Universal Description, Discovery and Integration)
Services describe their own properties and methods (WSDL: Web Services Description Language)
Format of requests (client) and responses (server) (SOAP: Simple Object Access Protocol)
Message transfer protocol (HTTP: Hypertext Transfer Protocol)
Introduction – Web Services (figure)
Figure available from: http://gdp.globus.org/gt4-tutorial
Related Work
Lack of input validation is a major cause of Web application attacks
SANS, 2011: The Top Cyber Security Risks
OWASP 2010: OWASP Top 10 Web application security risks
[T. Scholte, D. Balzarotti, E. Kirda, 2011] - "Quo vadis? A study of the evolution of input validation vulnerabilities in Web applications"
Few specific mechanisms for Web Services
[N. A. Nordbotten, 2009] [L. Sun and Y. Li, 2008] use XML security technologies (encryption)
Related Work
WS-Security Wrapper: an intermediary between the Web service and the client; an adapter program that converts plain XML exchanges to and from SOAP with WS-Security (XML signature and encryption). It does not include features such as validation of predefined data entries
[J. Lin and J. Chen, 2009]
Collects web pages (crawler), identifies weak points and tests them
Inserts the input validation (meta-programs) on the server side, acting as a web application firewall
Many false positives with the blacklist approach
Related Work
IAPF (Integrated Application and Protocol Framework) [N. Sidharth and J. Liu, 2007]: protection in UDDI, WSDL, SOAP (WS-Security)
XML firewall:
[A. Blyth, 2009] is concerned with validation of the structure of XML content but not the content itself
[Y. Loh, W. Yau, C. Wong, and W. Ho, 2006] mentions protection against SQL injection through an XML schema and a precompiled blacklist of SQL commands, an approach which tends to produce many false positives
Security Issues in Web Services
WSDL scanning: to reveal sensitive information about invocation patterns and underlying technology implementations
Serious and important data manipulation attacks: SQL injection and XSS
Normal firewalls, antivirus and the WS-Security standards are not able to protect web services against SQL injection and XSS attacks
SQL Injection – Illustrated
(Figure: OWASP SQL injection illustration. Network layer: Firewall, Hardened OS, Web Server, App Server, Firewall. Application layer: Custom Code, Bus. Functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce), Web Services, Directories, Human Resrcs, Billing, Databases, Legacy Systems; HTTP request, SQL query, DB table, HTTP response; the account summary form returns the whole accounts table.)
Injected query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Security Issues in Web Services
SQL Injection: by sending SOAP requests whose parameters are not properly handled by the service, for example '"1=1 -- as the value of a parameter of a particular service, the attacker alters the query. The error messages returned by vulnerable services also reveal the database engine behind them:
ERROR: The query was not accomplished. Description: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=1'' at line 1
Line 11: Incorrect syntax near '')) or ItemId in (select ItemId from dbo.GetItemParents('4''. Unclosed quotation mark before the character string ')) ) ) > 0 '
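The searchStudent operation of the case study (it takes a registration number and returns the record) is a concrete target for the injection described above. The following Python example is added here and is not the paper's code: it uses an in-memory SQLite table with constructed rows in place of the case study's MySQL database, shows the concatenated query returning every record for the payload ' OR 1=1 --, shows the database error text that a malformed payload leaks (the counterpart of the MySQL and SQL Server messages above), and shows a whitelisted, parameterized version that accepts only a bounded integer, which is what the specification's accept="number" with min 0 and max 10000 for id expresses.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the case study's MySQL students table, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?, ?)", [
        (1, "Alice", "alice@example.test"),
        (2, "Bob", "bob@example.test"),
        (3, "Carol", "carol@example.test"),
    ])
    return db


def search_student_vulnerable(db, student_id):
    """searchStudent built by string concatenation: the SOAP parameter becomes part of the SQL text."""
    sql = "SELECT id, name, email FROM students WHERE id = '" + student_id + "'"
    return db.execute(sql).fetchall()


def probe(db, payload):
    """What the attacker sees: either rows, or the database error text echoed back by the service
    (the MySQL 1064 and SQL Server 'Incorrect syntax' messages on the slide are this kind of leak)."""
    try:
        return search_student_vulnerable(db, payload)
    except sqlite3.OperationalError as exc:
        return f"ERROR: {exc}"


def search_student_safe(db, student_id):
    """Whitelist the parameter as the specification does (accept="number", min 0, max 10000),
    then pass it as a bound parameter so it can never be parsed as SQL."""
    text = student_id.strip()
    if not text.isdigit() or not 0 <= int(text) <= 10000:
        raise ValueError("id must be a number between 0 and 10000")
    return db.execute("SELECT id, name, email FROM students WHERE id = ?", (int(text),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "2"))                 # one record
    print(probe(db, "' OR 1=1 --"))       # every record: the WHERE clause is now always true
    print(probe(db, "'\"1=1 --"))         # malformed payload: the error text names the SQL engine
    print(search_student_safe(db, "2"))
    try:
        search_student_safe(db, "' OR 1=1 --")
    except ValueError as exc:
        print("rejected:", exc)
```

The parameter binding alone already defeats the injection; the whitelist check in front of it is what WSIVM adds, and it also stops the malformed payload from ever reaching the database, so no error message is produced for the attacker to read.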
Heartland Payment Systems
Available from: http://www.databreaches.net/?p=7691
Available from: http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf
Cross-Site Scripting – Illustrated
(Figure: OWASP stored XSS illustration. Application with stored XSS vulnerability: Custom Code, Bus. Functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce).)
1. Attacker sets the trap ("update my profile"): attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page, sees attacker's profile: script runs inside victim's browser with full access to the DOM and cookies
3. Script silently sends attacker the victim's session cookie
Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Security Issues in Web Services
XSS: by presenting unvalidated data directly to the user, Web services can be attacked. Using, for example, the command document.write(xmlhttp.responseText), if the answer to this AJAX (Asynchronous JavaScript and XML) call made to a Web service contains HTML and JavaScript data, these data will be interpreted and executed, posing a risk to the user
WSIVM – Web Services Input Validation Model
Validate input data to provide security for Web Services. Controls on the lexical and syntactic aspects, type checking
Best way to avoid attacks: whitelist input validation, which accepts only inputs that match a predefined model; it can be combined with sanitization (changing the input into an acceptable format by removing characters that are not accepted)
WSIVM – Web Services Input Validation Model (figure)
WSIVM – Development
Apache Tomcat Web server
Apache Axis2 framework for SOAP messages
To implement the validation module for Apache Axis2 the Rampart module was used
It was chosen to intercept the message in the PreDispatch phase
WSIVMXMLSchema, WSIVMXMLSpecification, and WSIVM Rampart module
WSIVM – WSIVMXMLSpecification
OperationName: the name of the operation
SanitizeOperation: defines whether the parameters of this operation can be reformulated if necessary for the removal of characters that are not accepted
ParamName: the name of the parameter or field
Allowed: an allowed field type, which is valid (text, html, html+javascript, email, number, and all)
Length: specifies the exact size of the field
Maxsize: specifies the maximum field size
Minsize: specifies the minimum field size
Nillable: determines whether or not it is possible that the field is null (true or false)
regEx: allows a regular expression to be specified for validation
Case Study
Case Study: Client Application + Web Service
UniversityManager web service:
searchStudent receives a registration number (ID) and returns the student record containing a String with his or her information
registerStudent operation receives the information, which must not contain HTML or JavaScript code, and registers it in the MySQL database. In the database a students table is created: ID, name, age, email, comment, site, and birthday
WSIVMXMLSpecification UniversityManager
<?xml version="1.0" encoding="UTF-8"?>
<valid_inputs_specification xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
WebServiceID="UniversityManager"
xsi:noNamespaceSchemaLocation="valid_inputs_specification.xsd">
<operation name="registerStudent">
<input name="name" type="String" min="5" max="20" accept="text" sanitize="true"/>
<input name="age" type="Integer" min="0" max="150" accept="number" sanitize="true"/>
<input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/>
<input name="comment" type="String" min="0" max="200" accept="text" sanitize="true"/>
<input name="site" type="String" min="0" max="300" accept="url" sanitize="true"/>
<input name="data" type="String" min="0" max="200" accept="regex" regexpattern="(\d{4})-(\d{2})-(\d{2})" sanitize="true"/>
</operation>
<operation name="searchStudent">
<input name="id" type="Integer" min="0" max="10000" accept="number" sanitize="true"/>
</operation>
</valid_inputs_specification>
Case Study - Results
Experiments:
With and without WSIVM
150 users
The test runs for 300 seconds
soapUI: direct calls to the web service
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:univ="http://university.wsivm.example">
<soap:Header/><soap:Body>
<univ:registerStudent>
<univ:name>John</univ:name>
<univ:age>12</univ:age>
<univ:email>john@hsj.com</univ:email>
<univ:comment>Passed</univ:comment>
<univ:site>http://www.univ.com</univ:site>
<univ:birthday>1980-09-12</univ:birthday>
</univ:registerStudent>
</soap:Body></soap:Envelope>
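To make the UniversityManager specification and the soapUI request above concrete, the following Python example is added here; it is not the WSIVM Rampart module and does not use Axis2. It reads a copy of the specification and checks a SOAP 1.2 request against it the way the model describes: each parameter of the operation must be declared, Integer fields are bounded by value, String fields by length, accept selects the check, and sanitize="true" allows the value to be reformulated rather than rejected. Assumptions of this example, not of the slides: the rule name must equal the SOAP element name, so the birthday rule (called "data" on the specification slide) is named "birthday" in this copy; accept="text" is taken to forbid the characters <, >, ", ', & and ;; the e-mail pattern, the restriction of accept="url" to http(s) URLs with a host, and treating undeclared parameters as required unless nillable="true" are the example's own choices. The comment containing a script tag is the stored-XSS case from the earlier slides.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
UNIV_NS = "http://university.wsivm.example"

# Constructed copy of the UniversityManager WSIVMXMLSpecification from the slides.
# The slides call the birthday rule "data"; this copy names it "birthday" so that
# rule names match SOAP element names (an assumption of this example).
SPEC_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<valid_inputs_specification xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    WebServiceID="UniversityManager" xsi:noNamespaceSchemaLocation="valid_inputs_specification.xsd">
  <operation name="registerStudent">
    <input name="name" type="String" min="5" max="20" accept="text" sanitize="true"/>
    <input name="age" type="Integer" min="0" max="150" accept="number" sanitize="true"/>
    <input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/>
    <input name="comment" type="String" min="0" max="200" accept="text" sanitize="true"/>
    <input name="site" type="String" min="0" max="300" accept="url" sanitize="true"/>
    <input name="birthday" type="String" min="0" max="200" accept="regex"
           regexpattern="(\d{4})-(\d{2})-(\d{2})" sanitize="true"/>
  </operation>
  <operation name="searchStudent">
    <input name="id" type="Integer" min="0" max="10000" accept="number" sanitize="true"/>
  </operation>
</valid_inputs_specification>"""

# The example's own definitions; the slides do not spell these out.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TEXT_FORBIDDEN = re.compile(r"""[<>"'&;]""")


def local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def load_spec(xml_text):
    """operation name -> {parameter name -> rule attributes}."""
    root = ET.fromstring(xml_text)
    return {op.get("name").strip(): {i.get("name"): dict(i.attrib) for i in op.findall("input")}
            for op in root.findall("operation")}


def check_value(rule, value):
    """Whitelist check of one parameter. Returns (accepted, cleaned value or reason)."""
    lo, hi, accept = int(rule["min"]), int(rule["max"]), rule["accept"]
    if rule.get("type") == "Integer":                    # min/max bound the value itself
        if not re.fullmatch(r"-?\d+", value.strip()):
            return False, "not an integer"
        n = int(value)
        return (True, str(n)) if lo <= n <= hi else (False, f"outside {lo}..{hi}")
    if accept == "text" and TEXT_FORBIDDEN.search(value):  # markup and quoting characters
        if rule.get("sanitize") != "true":
            return False, "forbidden characters"
        value = TEXT_FORBIDDEN.sub("", value)            # reformulate instead of rejecting
    if not lo <= len(value) <= hi:                       # String min/max bound the length
        return False, f"length {len(value)} outside {lo}..{hi}"
    if accept == "email" and not EMAIL_RE.fullmatch(value):
        return False, "not an e-mail address"
    if accept == "url":
        parts = urlparse(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return False, "not an http(s) URL"
    if accept == "regex" and not re.fullmatch(rule["regexpattern"], value):
        return False, "does not match regexpattern"
    return True, value


def validate_soap(spec, soap_text):
    """Check the operation in the SOAP Body. Returns (operation, errors, cleaned parameters)."""
    body = ET.fromstring(soap_text).find(f"{{{SOAP_NS}}}Body")
    op_el = next(iter(body))
    op_name = local(op_el.tag)
    rules = spec.get(op_name)
    if rules is None:                                    # whitelist: unknown operation
        return op_name, {op_name: "operation not in specification"}, {}
    params = {local(c.tag): (c.text or "") for c in op_el}
    errors, cleaned = {}, {}
    for pname, rule in rules.items():
        if pname not in params:
            if rule.get("nillable") != "true":           # nillable defaults to false here
                errors[pname] = "missing"
            continue
        ok, result = check_value(rule, params[pname])
        (cleaned if ok else errors)[pname] = result
    for pname in params:                                 # whitelist: undeclared parameters
        if pname not in rules:
            errors[pname] = "parameter not in specification"
    return op_name, errors, cleaned


def soap_request(op, **fields):
    """Build a SOAP 1.2 request shaped like the soapUI call on the slides (constructed input)."""
    inner = "".join(f"<univ:{k}>{escape(v)}</univ:{k}>" for k, v in fields.items())
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:univ="{UNIV_NS}"><soap:Header/>'
            f"<soap:Body><univ:{op}>{inner}</univ:{op}></soap:Body></soap:Envelope>")


if __name__ == "__main__":
    spec = load_spec(SPEC_XML)
    print(validate_soap(spec, soap_request("registerStudent", name="John", age="12",
          email="john@hsj.com", comment="Passed", site="http://www.univ.com", birthday="1980-09-12")))
    print(validate_soap(spec, soap_request("searchStudent", id="1 OR 1=1 --")))
    print(validate_soap(spec, soap_request("registerStudent", name="Mallory", age="12",
          email="m@hsj.com", comment="<script>alert(1)</script>", site="javascript:alert(1)",
          birthday="12/09/1980")))
```

Two things worth noticing when running it. The search with id 1 OR 1=1 -- is rejected before it could reach the database, because the id rule is Integer and an integer check has no sanitization path; the script in the comment field is stripped to plain text because that rule says sanitize="true", so what reaches the database can no longer be executed by a document.write() on the client. Also, the name rule on the specification slide requires at least 5 characters while the soapUI request on the results slide sends "John", so the slides' own sample message fails the slides' own specification; a specification and the traffic it is meant to admit need to be checked against each other before deployment, which is exactly the kind of false positive the conclusions attribute to the specification rather than to the model.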
Case Study - Results
Comparison              Min. Time   Max. Time   Avg. Time    Transferred Bytes   B/s         Insertions in DB
Without WSIVM           35 ms       27848 ms    2494.85 ms   1974195 B           6506 B/s    10078
With WSIVM              64 ms       13346 ms    4541.24 ms   1236330 B           4012 B/s    5134
Change (with vs. without)   +83 %   -52 %       +82 %        -37 %               -38 %       -49 %
Conclusions
Reusable and independent mechanism for data entry validation, regardless of the implementation of the web service
Based on the white list approach (reduction in false positives)
More reliable than a blacklist. If a blacklist is created based on the current version of HTML, in the case of new versions this list may no longer be considered valid
The number of false positives or false negatives will depend on the WSIVM XML Specification defined
Conclusions
The framework provides the specification to be customized according to the Web Service requirements and needs
Prevention of data injection attacks in Web services and of the waste of server processing on invalid messages
Reduces the possibility of denial of service using the content of messages
Negative impact on the performance of the developed Web service, but reduces the possibility of inserting invalid data
Solution for legacy applications, reducing development costs
Future Work
Optimization of the implementation to improve the performance of the proposed model
Development of a semi-automatic generator of security specifications from WSDL
Verification of SOAP messages and paths in XPath format
Use of artificial intelligence or an anomaly detection system
Making a feedback loop filter validation of invalid entries
Some References
1. OWASP Top Ten - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
2. T. Scholte, D. Balzarotti, and E. Kirda, "Quo vadis? A study of the evolution of input validation vulnerabilities in Web applications," in Proc. Int. Conference on Financial Cryptography and Data Security '11, St. Lucia, 2011.
3. N. A. Nordbotten, "XML and Web services security standards," IEEE Communications Surveys & Tutorials, vol. 11, no. 3, pp. 4–21, 2009.
4. L. Sun and Y. Li, "XML and Web services security," in Proc. 12th Int. Conf. Computer Supported Cooperative Work in Design, CSCWD 2008, April 16–18, pp. 765–770.
5. N. Sidharth and J. Liu, "A framework for enhancing Web services security," in Proc. 31st Ann. Int. Computer Software and Applications Conf., COMPSAC 2007, Jul. 24–27, vol. 1, pp. 23–30.
6. WS-Security Wrapper - http://wsswrapper.sourceforge.net/
7. J. Lin and J. Chen, "An automated mechanism for secure input handling," Journal of Computers, vol. 4, no. 9, pp. 837–844, 2009.
8. N. Sidharth and J. Liu, "A framework for enhancing Web services security," in Proc. COMPSAC 2007, Jul. 24–27, vol. 1, pp. 23–30.
9. A. Blyth, "An architecture for an XML enabled firewall," International Journal of Network Security, vol. 8, no. 1, pp. 31–36, 2009, ISSN 1816-3548.
10. Y. Loh, W. Yau, C. Wong, and W. Ho, "Design and implementation of an XML firewall," in Proc. 2006 Int. Conf. Computational Intelligence and Security, Nov. 3–6, vol. 2, pp. 1147–1150.
11. CWE/SANS TOP 25 Most Dangerous Software Errors - http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf
12. R. Wu and M. Hisada, "SOA Web Security and Applications," Journal of Object Technology, vol. 9, no. 2, pp. 163–177, 2010.
13. T. Scholte, W. Robertson, D. Balzarotti, and E. Kirda, "Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis," in Proc. 2012 IEEE 36th Annual COMPSAC, pp. 233–243, July 2012.
Thank you!
Rafael B. Brinhosa, Carla M. Westphall, Carlos B. Westphall, Daniel R. dos Santos, Fábio Grezele
{ brinhosa,carlamw,westphal,danielrs,fgrezele }@inf.ufsc.br