Conference Paper (PDF available)

Abstract

The SOA architecture, primarily based on Web services, is experiencing steady adoption, although its growth has been lower than expected when it was launched, mainly because of security-related concerns. Web services inherited many well-known security problems of Web applications and introduced new ones. Major data breaches today are consequences of poor input validation at the application level. This paper presents a way to implement an input validation model for Web services that can be used to prevent cross-site scripting and SQL injection through predefined models that specify valid inputs. The proposed WSIVM (Web Services Input Validation Model) consists of an XML schema, an XML specification, and a module that performs input validation according to the schema. A case study showing the effectiveness and performance of this mechanism is also presented.
Proposal and development of the Web services input validation model
Page(s): 643 - 646
ISSN: 1542-1201
E-ISBN: 978-1-4673-0268-5
Print ISBN: 978-1-4673-0267-8
INSPEC Accession Number: 12785205
Conference Location: Maui, HI
Digital Object Identifier: 10.1109/NOMS.2012.6211976
Published in: Network Operations and Management Symposium (NOMS), 2012 IEEE
Date of Conference: 16-20 April 2012
Author(s): Brinhosa, R.B. (Dept. of Inf. & Stat., Fed. Univ. of Catarina, Florianópolis, Brazil); Westphall, C.M.; Westphall, C.B.
... The WSIVMVerifier contains all the pre-defined rules for validation of entries and is responsible for validating these entries. Figure 5. Operation of WSIVM [29]. ...
... Our previous work published in Brinhosa et al. [29] is a reduced version of these research results. Here, in this paper, we presented in a detailed way: security issues in web services, the WSIVM model as well as the case study development and results obtained with tests. ...
... If it is not similar to the pattern, it is stated as an invalid and vulnerable input. Among the disadvantages of this method, abundant incorrect positive production can be mentioned [12]. ...
... For implementation of a model to validate an input for services of web, an appropriate method should be selected which is helpful in preventing SQL injections and cross-site scripting by using a predetermined design for valid input stipulation. The proposed model called WSIVM (Web Services Input Validation Model) [13] gives emphasis to data entry validation and allows acceptance of valid entries only, enabling only legitimate entries to be sanctioned, as it is in conformity with the white-list strategy, in which only predetermined values are approved and all others are regarded invalid. ...
... Models were proposed by another 18 studies (15.7%). The models proposed were based on the following techniques and approaches: abstraction [13,117], model checking [56,96], model inference and evolutionary fuzzing [28], input validation [21,86,90], simulation [29], signature based model [43], deferred loading, one-time URLs, and subdomain switching [44], threading [85], control flow graph [87], data mining [89], hybrid approach [91], TTCN-3 [115], Finite State Machine [82], and primitive and advanced models [120]. ...
Article
Context: Cross-site scripting (XSS) is a security vulnerability that affects web applications. It occurs due to improper or lack of sanitization of user inputs. The security vulnerability has caused many problems for users and server applications. Objective: To conduct a systematic literature review on the studies done on XSS vulnerabilities and attacks. Method: We followed the standard guidelines for systematic literature review as documented by Barbara Kitchenham and reviewed a total of 115 studies related to cross-site scripting from various journals and conference proceedings. Results: Research on XSS is still very active, with publications across many conference proceedings and journals. Attack prevention and vulnerability detection are the areas focused on by most of the studies. Dynamic analysis techniques form the majority among the solutions proposed by the various studies. The type of XSS addressed the most is reflected XSS. Conclusion: XSS still remains a big problem for web applications, despite the bulk of solutions provided so far. There is no single solution that can effectively mitigate XSS attacks. More research is needed in the area of vulnerability removal from the source code of the applications before deployment.
Article
Full-text available
In recent years, managing the security over the web has gained importance. Use of appropriate security handling techniques helps to solve controversies and to extract interesting scenarios based on the content of the web page. Many varieties of vulnerabilities prevail, and Cross-Site Scripting (XSS) vulnerability is ranked among the top ten risks found over the web, which is a mandatory issue that requires a solution. XSS vulnerability injects malicious code in many ways that arise during the browsing session. Analysis should be made over the web page to identify whether the page is vulnerable or not. A dataset is formulated that contains malicious and benign data. Malicious data are obtained from the XSS archive [source: www.xssed.com], which contains the vulnerable XSS web pages, and benign data are the web pages that are obtained through queries from the Google search engine. The major constraint is the number of Lines of Code (LOC) present in the web page. Five samples from the dataset were considered and algorithms are applied. About 24 attributes are used by the classifier. The samples vary in terms of content and size. Different optimization techniques are applied and the results are analyzed. Evaluation measures like Detection Rate (DR), False Detection Rate (FDR) and F Score (FS) are calculated based on the Confusion Matrix. The final content obtained after the "XSS Handler" phase that is to be displayed on the browser is tested using the black box testing technique and also using an XSS and SQL Injection Scanner tool. The tool is capable of identifying promising XSS code available in web pages. Based on the experiments, it was observed that the generation of paths using PPACO achieves better results in terms of DR, FDR and FS than other algorithms.
Article
Background/Objectives: Service Oriented Architecture (SOA) infrastructures using web services are deployed by many firms worldwide. Web Services provide a standard means of inter-operation between heterogeneous software applications that run on a variety of platforms. Most of the web services are offered with HTTP over Simple Object Access Protocol (SOAP) as the underlying infrastructure. The greatest web security threat is accepting the request from the client without proper validation. The objective is to separate the application logic and the security or validation procedures, which offers more advantage for software reuse since it is not necessary to recompile when the validation or security requirements change. Methods: An Interceptor is created for validation which has the token based authentication procedures along with the steps for validating the data. The system is devised in such a way that the business logic will be triggered if and only if the data is validated and passed by the interceptor procedures. Findings: The proposed system provides a way to keep the validation and security mechanism out of application logic and hence does not modify the existing functionality. Thus, combining all custom security as one unit of validation before hitting the business logic is the basic idea of the proposed system.
Article
The number of systems communicating using web services has grown exponentially over the years thanks to the service-oriented architecture they enforce. The paradigm shift encouraged system owners to re-use existing services rather than implementing them again as well as consuming third party ones cutting the development time considerably. Since the number of consumers can grow radically it is important to ensure that the exchanged data is valid. In this article we will demonstrate a way to validate and potentially correct both the request and response of web services at run-time using a semantic rule oriented approach. The solution also provides a validation method for black-box systems where the original source code is no longer available or cannot be modified. By combining validation, proxy and correction our approach provides an all-in-one solution that can be leveraged in most scenarios.
Chapter
Security concerns have been raised by Web services providers and consumers since Web services are vulnerable to various security attacks including counterfeiting, disclosure, tampering, disruption, and breach of information. In particular, Web services can be vulnerable if the schemas of the input data are not strong, giving way to security attacks like command injection and denial of service. This chapter proposes an initial assessment of security attack risks for Web services. The assessment begins with an analysis of the input data schemas that are described in the service WSDL document to determine if they are unconstrained and at risk of command injection and denial of service attacks. Then we determine if such a risk can be mitigated by making use of semantic information that is annotated to the input data elements within the WSDL. If the semantic annotation is stronger than the schema elements themselves, we refer to the case of weak interface design in which a redesign of the service interface with stronger schemas should help reduce attack risks. We also propose a risk assessment model for determining quantitatively the attack risk level of a Web service to guide the provider when considering schema hardening as well as the consumer when selecting between different services.
Book
Full-text available
The main problems associated with the implementation and use of network and service management arise from the large number of proposals, standards and different products offered on the market, which considerably complicates the decision about which network and service management approach is most appropriate. In addition, new trends in the area of network and service management are being researched, among which the following stand out: management of wireless, sensor, optical and future-Internet networks...; the functional areas of security, configuration, performance, accounting...; management of multimedia services, data centers, grid, cloud, virtualization...; and centralized, autonomic, distributed, self-management and policy-based management... These new trends are being researched at the Laboratório de Redes e Gerência (LRG) of UFSC, and through this project they may be improved by means of the following project activities:
- Improvements in monitoring for cloud computing.
- Improvements in autonomic management for cloud computing.
- Improvements in security management for cloud computing.
- Improvements in risk analysis for cloud computing.
- Improvements in identity management for cloud computing.
- Improvements in Bayesian networks for cloud computing management.
- Improvements in sustainability for cloud computing.
Article
Full-text available
XML and Web services are widely used in current distributed systems. The security of the XML based communication, and the Web services themselves, is of great importance to the overall security of these systems. Furthermore, in order to facilitate interoperability, the security mechanisms should preferably be based on established standards. In this paper we provide a tutorial on current security standards for XML and Web services. The discussed standards include XML Signature, XML Encryption, the XML Key Management Specification (XKMS), WS-Security, WS-Trust, WS-SecureConversation, Web Services Policy, WS-SecurityPolicy, the eXtensible Access Control Markup Language (XACML), and the Security Assertion Markup Language (SAML).
Conference Paper
Full-text available
Service Oriented Architecture (SOA) based on Web Services technology gained popularity because business workflows can easily be executed as an orchestration of Web Services. These Web Services are independently developed and may be internal or external. With the increase in connectivity among the Web Services, security risks rise exponentially. Moreover, the security requirements are not defined at the organizational level; rather, they are left until the technical level. Many security problems related to SOA applications are highlighted by different authors which, if not properly managed, might have serious consequences. Various Model Driven Security Frameworks are presented by different research groups to overcome the security problems of SOA based applications. In this paper we have highlighted the security problems for SOA based applications, and a few Model Driven Security Frameworks are presented to develop secure software applications; their working style and security goals are also discussed in the course of the paper.
Article
Full-text available
The conventional vulnerability detection fails to extend its generic form to an abstract level in coping with a particular type of string validation. Consequently the security bypasses key issues such as Java scripting and SQL injection. It causes tremendous business loss and customer risk due to taint distribution and illegal data manipulation. This paper introduces semantic analysis by using metadata codes, as well as a hierarchical parser in a token-based algorithmic check. Our research in SOA web security can help industry to minimize business impact, to achieve higher accuracy in vulnerability detection, and to commit fast responsiveness.
Article
Contents: Introduction; Secure Development Lifecycle Processes – An Overview; A Typical Security Engineering Process; Important Security Engineering Guidelines and Resources; Conclusion; References
Conference Paper
Web applications have become important services in our daily lives. Millions of users use web applications to obtain information, perform financial transactions, have fun, socialize, and communicate. Unfortunately, web applications are also frequently targeted by attackers. Recent data from the SANS Institute estimates that up to 60% of Internet attacks target web applications. In this paper, we perform an empirical analysis of a large number of web vulnerability reports with the aim of understanding how input validation flaws have evolved in the last decade. In particular, we are interested in finding out if developers are more aware of web security problems today than they used to be in the past. Our results suggest that the complexity of the attacks has not changed significantly and that many web problems are still simple in nature. Hence, despite awareness programs provided by organizations such as MITRE, SANS Institute and OWASP, application developers seem to be either not aware of these classes of vulnerabilities, or unable to implement effective countermeasures. Therefore, we believe that there is a growing need for languages and application platforms that attack the root of the problem and secure applications by design.
Book
Web services based on the eXtensible Markup Language (XML), the Simple Object Access Protocol (SOAP), and related standards, and deployed in Service-Oriented Architectures (SOA), are the key to Web-based interoperability for applications within and across organizations. It is crucial that the security of services and their interactions with users is ensured if Web services technology is to live up to its promise. However, the very features that make it attractive - such as greater and ubiquitous access to data and other resources, dynamic application configuration and reconfiguration through workflows, and relative autonomy - conflict with conventional security models and mechanisms. Elisa Bertino and her coauthors provide a comprehensive guide to security for Web services and SOA. They cover in detail all recent standards that address Web service security, including XML Encryption, XML Signature, WS-Security, and WS-SecureConversation, as well as recent research on access control for simple and conversation-based Web services, advanced digital identity management techniques, and access control for Web-based workflows. They explain how these implement means for identification, authentication, and authorization with respect to security aspects such as integrity, confidentiality, and availability. This book will serve practitioners as a comprehensive critical reference on Web service standards, with illustrative examples and analyses of critical issues; researchers will use it as a state-of-the-art overview of ongoing research and innovative new directions; and graduate students will use it as a textbook on advanced topics in computer and system security.
Article
Web services are increasingly being provided and consumed in and between cloud environments. Learn how to leverage various interoperable standards to address security challenges in a cloud or distributed Web services architecture.
Article
Being regarded as the new paradigm for Internet communication, Web Services have introduced a large number of new standards and technologies. Though founded on decades of networking experience, Web Services are not more resistant to security attacks than other open network systems. Quite the opposite is true: Web Services are exposed to attacks well-known from common Internet protocols and additionally to new kinds of attacks targeting Web Services in particular. Along with their severe impact, most of these attacks can be performed with minimum effort from the attacker's side. This article gives a survey of vulnerabilities in the context of Web Services. As a proof of the practical relevance of the threats, exemplary attacks on widespread Web Service implementations were performed. Further, general countermeasures for prevention and mitigation of such attacks are discussed.
Article
A number of programs are poorly written, lacking even the most basic security procedures for handling input data from users. The input validation vulnerability can be detected by many tools, but few tools can fix the flaws automatically. A security gateway can be used to protect vulnerable Web sites immediately, but it may induce false recognition through impersonal rules. By means of hybrid analysis and injection testing, the vulnerable Web pages can be listed. Only those in the vulnerable list need to be checked completely, so as to mitigate the system load and false positives effectively. Moreover, an algorithm based on a multilevel strategy is proposed, producing an individual sanitizing rule automatically for every vulnerable injection point. To meet the aim of automated validation, the enhanced crawler, the testing framework and the metaprograms are integrated into a sanitizing mechanism after we analyze the data flow. According to the experimental results, the mechanism has been proved to be a more effective scheme than those traditional input handling methods for mitigating malicious injection.