Automated and Effective Testing of Web Services for XML Injection Attacks

JAN, Sadeeq; NGUYEN, Duy Cu; BRIAND, Lionel

Request a copy

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Automated and Effective Testing of Web Services for XML Injection Attacks

JAN, Sadeeq; NGUYEN, Duy Cu; BRIAND, Lionel

2016 • In ISSTA'16-The International Symposium on Software Testing and Analysis, Saarbrücken 18-20 July 2016

Peer reviewed

Permalink
https://hdl.handle.net/10993/27070

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

Final_ISSTA16_xmli_CMR.pdf

Author postprint (863.55 kB)

Request a copy

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

XML Injection; Security Testing; Constraint Solving

Abstract :

[en] XML is extensively used in web services for integration and data exchange. Its popularity and wide adoption make it an attractive target for attackers and a number of XML-based attack types have been reported recently. This raises the need for cost-effective, automated testing of web services to detect XML-related vulnerabilities, which is the focus of this paper. We discuss a taxonomy of the types of XML injection attacks and use it to derive four different ways to mutate XML messages, turning them into attacks (tests) automatically. Further, we consider domain constraints and attack grammars, and use a constraint solver to generate XML messages that are both malicious and valid, thus making it more difficult for any protection mechanism to recognise them. As a result, such messages have a better chance to detect vulnerabilities. Our evaluation on an industrial case study has shown that a large proportion (78.86%) of the attacks generated using our approach could circumvent the first layer of security protection, an XML gateway (firewall), a result that is much better than what a state-of-the-art tool based on fuzz testing could achieve.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust-University of Luxembourg

Disciplines :

Computer science

Author, co-author :

JAN, Sadeeq ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

NGUYEN, Duy Cu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

BRIAND, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

External co-authors :

Language :

English

Title :

Automated and Effective Testing of Web Services for XML Injection Attacks

Publication date :

18 July 2016

Event name :

ISSTA'16-The International Symposium on Software Testing and Analysis

Event organizer :

ACM SIGSOFT

Event place :

Saarbrücken, Germany

Event date :

18-07-2016 to 20-07-2016

Audience :

International

Main work title :

ISSTA'16-The International Symposium on Software Testing and Analysis, Saarbrücken 18-20 July 2016

Pages :

12-23

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

FnR Project :

FNR6024200 - An Effective Automated Testing Approach For Detection Of Xml Injection, 2013 (15/09/2013-14/09/2017) - Sadeeq Jan

Funders :

FNR - Fonds National de la Recherche

Available on ORBilu :

since 10 May 2016

Statistics

Number of views

380 (36 by Unilu)

Number of downloads

3 (2 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

OWASP. https://www:owasp:org/index:php. Accessed: 2016-11-1.
SmartBear ReadyAPI. http://smartbear:com/product/ready-api/overview/. Accessed: 2015-11-18.
SoapUI. http://www:soapui:org/. Accessed: 2015-11-18.
WS FUZZER Tool. https://www:owasp:org/index:php/Category:OWASP WSFuzzer Project. Accessed: 2015-11-16.
XML Vulnerabilities Introduction. http://resources.infosecinstitute.com/xml-vulnerabilities/. Accessed: 2014-06-22.
D. Appelt, C. Nguyen, and L. Briand. Behind an application firewall, are we safe from sql injection attacks? In Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on, pages 1-10, April 2015.
A. Avancini and M. Ceccato. Circe: A grammar-based oracle for testing cross-site scripting in web applications. In Reverse Engineering (WCRE), 2013 20th Working Conference on, pages 262-271, Oct 2013.
A. Aydin, M. Alkhalaf, and T. Bultan. Automated test generation from vulnerability signatures. In Proceedings of the 2014 IEEE International Conference on Software Testing, Verification, and Validation, ICST '14, pages 193-202, Washington, DC, USA, 2014. IEEE Computer Society.
C. Barrett, C. Conway, M. Deters, L. Hadarean, D. JovanoviÄǦ, T. King, A. Reynolds, and C. Tinelli. Cvc4. In G. Gopalakrishnan and S. Qadeer, editors, Computer Aided Verification, volume 6806 of Lecture Notes in Computer Science, pages 171-177. Springer Berlin Heidelberg, 2011.
C. Bartolini, A. Bertolino, E. Marchetti, and A. Polini. Ws-taxi: A wsdl-based testing tool for web services. In ICST, pages 326-335, 2009.
E. Bertino, L. Martino, F. Paci, and A. Squicciarini. Security for Web Services and Service Oriented Architectures. Springer, 2010.
J. Bozic, D. E. Simos, and F. Wotawa. Attack pattern-based combinatorial testing. In Proceedings of the 9th International Workshop on Automation of Software Test, pages 1-7. ACM, 2014.
J. Chen, Q. Li, C. Mao, D. Towey, Y. Zhan, and H. Wang. A web services vulnerability testing approach based on combinatorial mutation and soap message mutation. Service Oriented Computing and Applications, 8:1-13, 2014.
W. Chunlei, L. Li, and L. Qiang. Automatic fuzz testing of web service vulnerability. In Information and Communications Technologies (ICT 2014), 2014 International Conference on, pages 1-6, May 2014.
A. Ciampa, C. A. Visaggio, and M. Di Penta. A heuristic-based approach for detecting sql-injection vulnerabilities in web applications. In Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS '10, pages 43-49, New York, NY, USA, 2010. ACM.
Y. Demchenko, L. Gommans, C. de Laat, and B. Oudenaarde. Web services and grid security vulnerabilities and threats analysis and model. In The 6th IEEE/ACM International Workshop on Grid Computing. IEEE, 2005.
A. Falkenberg, C. Mainka, J. Somorovsky, and J. Schwenk. A new approach towards dos penetration testing on web services. In Web Services (ICWS), 2013 IEEE 20th International Conference on, pages 491-498, June 2013.
X. Fu and K. Qian. Safeli: Sql injection scanner using symbolic execution. In Proceedings of the 2008 Workshop on Testing, Analysis, and Verification of Web Services and Applications, TAV-WEB '08, pages 34-39, New York, NY, USA, 2008. ACM.
A. N. Gupta and D. P. S. Thilagam. Attacks on web services need to secure xml on web. Computer Science and Engineering, An International Journal (CSEIJ), 3(5), 2013.
N. Havrikov, M. Höschele, J. P. Galeotti, and A. Zeller. Xmlmate: Evolutionary xml test generation. In Proceedings of the 22Nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, FSE 2014, pages 719-722, New York, NY, USA, 2014. ACM.
S. Jan, C. Nguyen, and L. Briand. Known xml vulnerabilities are still a threat to popular parsers and open source systems. In Software Quality, Reliability and Security (QRS), 2015 IEEE International Conference on, pages 233-241, Aug 2015.
A. Kieyzun, P. Guo, K. Jayaraman, and M. Ernst. Automatic creation of sql injection and cross-site scripting attacks. In Software Engineering, 2009. ICSE 2009. IEEE 31st International Conference on, pages 199-209, May 2009.
A. Kiezun. Effective software testing with a string-constraint solver. PhD thesis, Massachusetts Institute of Technolog, 2009.
A. Kiezun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst. Hampi: A solver for string constraints. In Proceedings of the Eighteenth International Symposium on Software Testing and Analysis, ISSTA '09, pages 105-116, New York, NY, USA, 2009. ACM.
J. Offutt and W. Xu. Generating test cases for web services using data perturbation. SIGSOFT Softw. Eng. Notes, 29(5):1-10, Sept. 2004.
V. Patel, R. Mohandas, and A. R. Pais. Attacks on web services and mitigation schemes. In Security and Cryptography (SECRYPT), Proceedings of the 2010 International Conference on, pages 1-6, July 2010.
T. Rosa, A. Santin, and A. Malucelli. Mitigating xml injection 0-day attacks through strategy-based detection systems. Security Privacy, IEEE, 11(4):46-53, July 2013.
B. Smith, L. Williams, and A. Austin. Idea: Using system level testing for revealing sql injection-related error message information leaks. In F. Massacci, D. Wallach, and N. Zannone, editors, Engineering Secure Software and Systems, volume 5965 of Lecture Notes in Computer Science, pages 192-200. Springer Berlin Heidelberg, 2010.
S. Suriadi, A. Clark, and D. Schmidt. Validating denial of service vulnerabilities in web services. In Network and System Security (NSS), 2010 4th International Conference on, pages 175-182, Sept 2010.
S. Tiwari and P. Singh. Survey of potential attacks on web services and web service compositions. In Electronics Computer Technology (ICECT), 2011 3rd International Conference on, volume 2, pages 47-51, April 2011.
M. Vieira, N. Antunes, and H. Madeira. Using web security scanners to detect vulnerabilities in web services. In Dependable Systems Networks, 2009. DSN '09. IEEE/IFIP International Conference on, pages 566-571, June 2009.
W. Xu, J. Offutt, and J. Luo. Testing web services by xml perturbation. In Software Reliability Engineering, 2005. ISSRE 2005. 16th IEEE International Symposium on, pages 10 pp.-266, Nov 2005.
X. Ye. Countering ddos and xdos attacks against web services. In Embedded and Ubiquitous Computing, 2008. EUC '08. IEEE/IFIP International Conference on, volume 1, pages 346-352, Dec 2008.
Y. Zheng, X. Zhang, and V. Ganesh. Z3-str: A z3-based string solver for web application analysis. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2013, pages 114-124, New York, NY, USA, 2013. ACM.
H. Zhu and Y. Zhang. Collaborative testing of web services. Services Computing, IEEE Transactions on, 5(1):116-130, Jan 2012.