Uma abordagem de Caixa-Preta para Detectar Vulnerabilidades em Serviços Web Usando Testes de Penetração (A Black-Box Approach to Detect Vulnerabilities in Web Services Using Penetration Testing)

Marcelo Invert Palma Salas (marcelopalma@ic.unicamp.br), Eliane Martins (eliane@ic.unicamp.br)


Universidade Estadual de Campinas
This paper appears in: Revista IEEE América Latina

Publication Date: March 2015
Volume: 13,   Issue: 3 
ISSN: 1548-0992


Abstract:
Web services work over dynamic connections among distributed systems. This technology was specifically designed to easily pass SOAP message through firewalls using open ports. These benefits involve a number of security challenges, such as Injection Attacks, phishing, Denial-of-Services (DoS) attacks, and so on. The difficulty to detect vulnerabilities,before they are exploited, encourages developers to use security testing like penetration testing to reduce the potential attacks. Given a black-box approach, this research use the penetration testing to emulate a series of attacks, such as Cross-site Scripting (XSS), Fuzzing Scan, Invalid Types, Malformed XML, SQL Injection, XPath Injection and XML Bomb. In this way, was used the soapUI vulnerability scanner in order to emulate these attacks and insert malicious scripts in the requests of the web services tested. Furthermore, was developed a set of rules to analyze the responses in order to reduce false positives and negatives. The results suggest that 97.1% of web services have at least one vulnerability of these attacks. We also determined a ranking of these attacks against web services.

Index Terms:
web services, penetration testing, Cross-site Scripting, XSS, SQL Injection, XPath Injection, Fuzzing Scan, Invalid Types, Malformed XML, XML Bomb   


Documents that cite this document
This function is not implemented yet.


[PDF Full-Text (467)]