ATTACKS ON WEB SERVICES AND MITIGATION SCHEMES

Vipul Patel, Radhesh Mohandas, Alwyn R. Pais

2010

Abstract

Web Services have become a dependable platform for e-commerce and many B2B models. Their widespread adoption has produced a set of standards, such as WS-Security and WS-Trust, to support the corresponding business and security requirements. The majority of web services are offered over HTTP with the Simple Object Access Protocol (SOAP) as the underlying message exchange infrastructure. This paper describes attacks targeted at Web Services, such as XML injection, XSS injection, HTTP header manipulation, sending stale messages and other protocol-specific attacks. We have used the XML rewriting mechanism to perform a “timestamp modification attack” and attacks on the WS-Trust and WS-SecureConversation protocols. The schemas stated in a WSDL file may not be precise enough to validate messages effectively; a schema should reflect the structure of all possible genuine requests. Hence, we propose a new self-adaptive schema hardening algorithm that yields a fine-tuned schema which can be used to validate SOAP messages more effectively. We also propose mitigation techniques to counter attacks that use MIME/DIME attachments.



Paper Citation


in Harvard Style

Patel V., Mohandas R. and R. Pais A. (2010). ATTACKS ON WEB SERVICES AND MITIGATION SCHEMES. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010) ISBN 978-989-8425-18-8, pages 499-504. DOI: 10.5220/0002960104990504


in Bibtex Style

@conference{secrypt10,
author={Vipul Patel and Radhesh Mohandas and Alwyn R. Pais},
title={ATTACKS ON WEB SERVICES AND MITIGATION SCHEMES},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)},
year={2010},
pages={499-504},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002960104990504},
isbn={978-989-8425-18-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)
TI - ATTACKS ON WEB SERVICES AND MITIGATION SCHEMES
SN - 978-989-8425-18-8
AU - Patel V.
AU - Mohandas R.
AU - R. Pais A.
PY - 2010
SP - 499
EP - 504
DO - 10.5220/0002960104990504