SlideShare a Scribd company logo

A Validation Model of Data Input for Web Services

Rafael Brinhosa
Rafael Brinhosa
Software
1 of 28
Download to read offline
A Validation Model of Data Input for Web Services Rafael B. Brinhosa, Carla M. Westphall, Carlos B. Westphall, Daniel R. dos Santos, Fábio Grezele The Twelfth International Conference on Networks - ICN 2013 January 27 - February 1, 2013 - Seville, Spain Westphall, Daniel R. dos Santos, Fábio Grezele Post Graduation Program in Computer Science Federal University of Santa Catarina { brinhosa,carlamw,westphal,danielrs,fgrezele }@inf.ufsc.br 1
Content at a GlanceContent at a Glance • Introduction and Related Works • Security Issues in Web Services • A Validation Model of Data Input for Web Service (WSIVM)Service (WSIVM) • Implementation Results – Development – Case Study • Conclusions and Future Works 2
• SOA is based on web services but there are security related concerns • The lack of proper input validation is a major cause of data breaches and Web application attacks IntroductionIntroduction • Application attacks: SQL injection and cross-site scripting (XSS) Web Services Input Validation Model: an XML schema, an XML specification and a module for performing input validation according to the schema 3
IntroductionIntroduction –– Web ServicesWeb Services Find Web services which meet certain requirements (Universal Description, Discovery and Integration) Services describe their own properties and methodsproperties and methods (Web Services Description Language) Format of requests(client) and responses (server) (Simple Object Access Protocol) Message transfer protocol (Hypertext Transfer Protocol) 4
IntroductionIntroduction –– Web ServicesWeb Services Figure available from: http://gdp.globus.org/gt4-tutorial 5
Related WorkRelated Work • Lack of input validation is a major cause of Web application attacks – SANS, 2011: The Top Cyber Security Risks – OWASP 2010: OWASP top 10 Web application security risks – [T. Scholte, D. Balzarotti, E. Kirda, 2011] - “Quo– [T. Scholte, D. Balzarotti, E. Kirda, 2011] - “Quo vadis? A study of the evolution of input validation vulnerabilities in Web applications” • Few specific mechanisms for Web Services • [N. A. Nordbotten, 2009] [L. Sun and Y. Li, 2008] use XML security technologies (encryption) 6
Related WorkRelated Work • WS-Security Wrapper: is an intermediate between the Web service and the client; is an adapter program that converts plain XML exchanges to and from SOAP with WS-Security (XML signature and encryption). It does not include features such as validation of predefined data entries • [J. Lin and J. Chen, 2009]• [J. Lin and J. Chen, 2009] – Collects web pages (crawler), identify weak points and test them – insert the input validation (meta-programs) on the server side, acting as a web application firewall – many false positives with blacklist approach 7
Related WorkRelated Work • IAPF (Integrated Application and Protocol Framework) [N. Sidharth and J. Liu, 2007]: – Protection in UDDI, WSDL, SOAP (WS-Sec) • XML firewall: – [A. Blyth, 2009] is concerned with validation of– [A. Blyth, 2009] is concerned with validation of the structure of XML content but not the content itself – [Y. Loh, W. Yau, C. Wong, and W. Ho, 2006] mentions protection against SQL injection through an XML schema and a precompiled blacklist of SQL commands, an approach which tends to produce many false positives 8
• WSDL scanning: to reveal sensitive information about invocation patterns, underlying technology implementations • Serious and important data manipulation attacks: SQL injection and XSS • Normal firewalls, antivirus and using WS-Security Security Issues in Web ServicesSecurity Issues in Web Services • Normal firewalls, antivirus and using WS-Security standards are not able to protect web services against SQL injection and XSS attacks 9
Databases LegacySystems WebServices Directories HumanResrcs Billing Custom Code APPLICATION ATTACK ApplicationLayer Accounts Finance Administration Transactions Communication KnowledgeMgmt E-Commerce Bus.Functions HTTP request SQL query DB TableHTTP response "SELECT * FROM accounts WHERE acct=‘’ OR 1=1-- ’" 1. Application presents a form to the attacker 2. Attacker sends an attack in the Account Summary Acct:5424-6066-2134-4334 Acct:4128-7574-3921-0192 Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 Account: SKU: Account: SKU: SQL InjectionSQL Injection –– IllustratedIllustrated Firewall Hardened OS Web Server App Server Firewall NetworkLayer 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 10
• SQL Injection: by sending SOAP requests with properly handled parameters, for example, “'"1=1 –” as a parameter for a particular service Security Issues in Web ServicesSecurity Issues in Web Services ERROR: The query was not accomplished. Description: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server versionmanual that corresponds to your MySQL server version for the right syntax to use near '1=1'' at line 1 Line 11: Incorrect syntax near '')) or ItemId in (select ItemId from dbo.GetItemParents('4''. Unclosed quotation mark before the character string ')) ) ) > 0 ‘ 11
Heartland Payment SystemsHeartland Payment Systems 12Available from: http://www.databreaches.net/?p=7691
Heartland Payment SystemsHeartland Payment Systems Available from: http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf 13
CrossCross--Site Scripting IllustratedSite Scripting Illustrated Application with stored XSS vulnerability Attacker sets the trap – update my profile Attacker enters a malicious script into a web page that stores the data on the server 1 Administration Transactions Communication Knowledge Commerce Bus.Functions 3 2 Victim views page – sees attacker profile Script silently sends attacker Victim’s session cookie Script runs inside victim’s browser with full access to the DOM and cookies Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus.Functions Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 14
• XSS: by presenting unvalidated data directly to the user, Web services can be attacked. Using, for example, the command document.write(xmlhttp.responseText), if the answer to this AJAX (Asynchronous JavaScript and XML) call made to a Web service contains HTML Security Issues in Web ServicesSecurity Issues in Web Services XML) call made to a Web service contains HTML and JavaScript data, these data will be interpreted and executed, posing a risk to the user 15
• Validate input data to provide security for Web Services. Controls on the lexical and syntactic aspects, type checking • Best way to avoid attacks: whitelist input validation (sanitization - change input into an acceptable format) WSIVMWSIVM –– Web Services Input Validation ModelWeb Services Input Validation Model 16
WSIVMWSIVM –– Web Services Input Validation ModelWeb Services Input Validation Model 17
WSIVMWSIVM –– DevelopmentDevelopment • Apache Tomcat Web server • Apache Axis2 framework for SOAP messages • To implement the validation module for Apache Axis2 the Rampart module was used • It was chosen to intercept the message in the phase PreDispatchphase PreDispatch • WSIVMXMLSchema, WSIVMXMLSpecification, and WSIVM Rampart module 18
OperationName: the name of the operation SanitizeOperation: defines whether the parameters of this operation can be reformulated if necessary for the removal of characters that are not accepted ParamName: the name of the parameter or field Allowed: an allowed field type, which is valid (text, html, html+java-script, email, number, and all) WSIVMWSIVM –– WSIVMXMLSpecificationWSIVMXMLSpecification html+java-script, email, number, and all) Length: specifies the exact size of the field Maxsize: specifies the maximum field size Minsize: specifies the minimum field size Nillable: determines whether or not it is possible that the field is null (true or false) regEx: allows a regular expression to be specified for validation 19
Case StudyCase Study • Case Study: Client Application + Web Service • UniversityManager web service: – searchStudent receives a registration number (ID) and returns the student record containing a String with his or her information – registerStudent operation receives the– registerStudent operation receives the information, which must not contain HTML or Javascript code, and registers it on the MySQL database. In the database a student’s table is created: ID, name, age, email, comment, site, and birthday 20
WSIVMXMLSpecification WSIVMXMLSpecification–UniversityManager <?xml version="1.0" encoding="UTF-8"?> <valid_inputs_specification mlns:xsi="http://www.w3.org/2001/XMLSchema-instance" WebServiceID=“UniversityManager" xsi:noNamespaceSchemaLocation="valid_inputs_specification.xsd"> <operation name="registerStudent "> <input name="name" type="String" min="5" max="20" accept="text" sanitize="true"/> <input name="age" type="Integer" min="0" max="150" accept="number" sanitize="true"/> <input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/><input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/> <input name="comment" type="String" min="0" max="200" accept="text" sanitize="true"/> <input name="site" type="String" min="0" max="300" accept="url" sanitize="true"/> <input name="data" type="String" min="0" max="200" accept="regex" regexpattern= "(d{4})-(d{2})-(d{2})" sanitize="true"/> </operation> <operation name="searchStudent "> <input name="id" type="Integer" min="0" max="10000" accept="number" sanitize="true"/> </operation> </valid_inputs_specification> 21
Case StudyCase Study -- ResultsResults • Experiments: – With and without WSIVM – 150 users – The test runs for 300 seconds – soapUi: direct calls to the web service <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:univ="http://university.wsivm.example">xmlns:univ="http://university.wsivm.example"> <soap:Header/><soap:Body> <univ:registerStudent> <univ:name>John</univ: name > <univ:age>12</univ: age > <univ:email>john@hsj.com</univ:email> <univ:comment>Passed</univ: comment > <univ:site>http://www.univ.com</univ:site> <univ:birthday>1980-09-12</univ: birthday > </univ: registerStudent > </soap:Body></soap:Envelope> 22
ComparisonComparison Min.Min. TimeTime Without WSIVM 35 ms Max.Max. TimeTime 27848 ms Case StudyCase Study -- ResultsResults AvgAvg.. TimeTime 2494,85 ms TransferredTransferred BytesBytes 1974195 B B/sB/s 6506 B/s InsertionsInsertions In DBIn DB 10078 With WSIVM 64 ms Total 83 % 13346 ms - 52 % 4541,24 ms 82 % 1236330 B - 37 % 4012 B/s - 38 % 5134 - 49 % 23
ConclusionsConclusions • Reusable and independent mechanism for data entry validation, regardless of the implementation of the web service • Based on the white list approach (reduction in false positives) – More reliable than the blacklist. If a blacklist is– More reliable than the blacklist. If a blacklist is created based on the current version of HTML, in the case of new versions, this list may no longer be considered valid – The number of false positives or false negatives will depend on the WSIVM XML Specification defined 24
ConclusionsConclusions – The framework provides the specification to be customized according to the Web Service requirements and needs • Prevention of data injection attacks in Web services and the waste of server processing with invalid messagesinvalid messages • Reduces the possibility of denial of service using content of messages • Negative impact on the performance of the developed Web service but reduces the possibility of inserting invalid data • Solution for legacy applications reducing development costs 25
• Optimization of the implementation to improve the performance of the proposed model • Development of a semi-automatic generator of security specifications from WSDL • Verification of SOAP messages and paths in XPath format Future WorkFuture Work format • Use of artificial intelligence or an anomaly detection system • Making a feedback loop filter validation of invalid entries 26
Some ReferencesSome References 1. OWASP Top Ten - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 2. T. Scholte, D. Balzarotti, and E. Kirda, “Quo vadis? A study of the evolution of input validation vulnerabilities in Web applications,” in Proc. Int. Conference on Financial Cryptography and Data Security '11, St. Lucia, 2011. 3. N. A. Nordbotten, “XML and Web services security standards,” Communications Surveys & Tutorials, IEEE, vol. 11, no. 3, pp. 4–21, 2009. 4. L. Sun and Y. Li, “XML and Web services security,” in Proc. 12th Int. Conf. Computer Supported Cooperative Work in Design, CSCWD 2008, April 16–18, pp. 765–770. 5. N. Sidharth and J. Liu, “A framework for enhancing Web services security,” in Proc. 31st Ann. Int. Computer Software and Applications Conf., 2007, COMPSAC 2007, Jul. 24–27, vol. 1, pp. 23–30. 6. WS-Security Wrapper - http://wsswrapper.sourceforge.net/ 7. J. Lin and J. Chen, “An automated mechanism for secure input handling,” Journal of Computers, vol.7. J. Lin and J. Chen, “An automated mechanism for secure input handling,” Journal of Computers, vol. 4, no. 9, pp. 837–844, 2009. 8. N. Sidharth and J. Liu, “A framework for enhancing Web services security,” in Proc. 31st Ann. Int. COMPSAC 2007, Jul. 24–27, vol. 1, pp. 23–30. 9. A. Blyth, “An architecture for an XML enabled firewall,” International Journal of Network Security, vol. 8, no. 1, pp. 31–36, 2009, ISSN 1816–3548. 10. Y. Loh, W. Yau, C. Wong, and W. Ho, “Design and implementation of an XML firewall,” in Proc. 2006 Int. Conf. Computational Intelligence and Security, Nov. 3–6, vol. 2, pp. 1147–1150. 11. CWE/SANS TOP 25 Most Dangerous Software Errors - http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf 12. R. Wu and M. Hisada, “SOA Web Security and Applications”, Technology, vol. 9, no. 2, p. 163-177, 2010. 13. T. Scholte, W. Robertson, D. Balzarotti, E. Kirda, "Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis," in Proc. 2012 IEEE 36th Annual COMPSAC 2012 , pp.233- 243, July 2012. 27
Thank you!Thank you! Rafael B. Brinhosa, Carla M. Westphall, Carlos B. Westphall, Daniel R. dos Santos, Fábio Grezele { brinhosa,carlamw,westphal,danielrs,fgrezele }@inf.ufsc.br 28

Recommended

Manipulating Web App Interfaces: a new approach to input validation testing
Manipulating Web App Interfaces: a new approach to input validation testingManipulating Web App Interfaces: a new approach to input validation testing
Manipulating Web App Interfaces: a new approach to input validation testingFelipe M
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams SecurityBlueinfy Solutions
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
 
Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Vladimir Bacvanski, PhD
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL InjectionBlueinfy Solutions
 
Restful webservices
Restful webservicesRestful webservices
Restful webservicesLuqman Shareef
 
ReST (Representational State Transfer) Explained
ReST (Representational State Transfer) ExplainedReST (Representational State Transfer) Explained
ReST (Representational State Transfer) ExplainedDhananjay Nene
 
Representational State Transfer (REST)
Representational State Transfer (REST)Representational State Transfer (REST)
Representational State Transfer (REST)David Krmpotic
 

Recommended

Manipulating Web App Interfaces: a new approach to input validation testing
Manipulating Web App Interfaces: a new approach to input validation testingManipulating Web App Interfaces: a new approach to input validation testing
Manipulating Web App Interfaces: a new approach to input validation testingFelipe M
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams SecurityBlueinfy Solutions
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
 
Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Web 2.0 Development with IBM DB2
Web 2.0 Development with IBM DB2Vladimir Bacvanski, PhD
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL InjectionBlueinfy Solutions
 
Restful webservices
Restful webservicesRestful webservices
Restful webservicesLuqman Shareef
 
ReST (Representational State Transfer) Explained
ReST (Representational State Transfer) ExplainedReST (Representational State Transfer) Explained
ReST (Representational State Transfer) ExplainedDhananjay Nene
 
Representational State Transfer (REST)
Representational State Transfer (REST)Representational State Transfer (REST)
Representational State Transfer (REST)David Krmpotic
 
Mule webservices in detail
Mule webservices in detailMule webservices in detail
Mule webservices in detailShahid Shaik
 
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...BizTalk360
 
Web Programming
Web ProgrammingWeb Programming
Web ProgrammingVijayapriyaP1
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web ServicesHalil Burak Cetinkaya
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServicesPrateek Tandon
 
ASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP FundamentalsASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP FundamentalsIdo Flatow
 
Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1Vinod Wilson
 
Ajax
AjaxAjax
Ajaxvantinhkhuc
 
REST Presentation
REST PresentationREST Presentation
REST PresentationAlexandros Marinos
 
Overview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIOverview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIPankaj Bajaj
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web APIBrad Genereaux
 
The Rest Architectural Style
The Rest Architectural StyleThe Rest Architectural Style
The Rest Architectural StyleRobert Wilson
 
REST - Representational State Transfer
REST - Representational State TransferREST - Representational State Transfer
REST - Representational State TransferPeter R. Egli
 
JSON and REST
JSON and RESTJSON and REST
JSON and RESTRobert MacLean
 
Using Java to implement SOAP Web Services: JAX-WS
Using Java to implement SOAP Web Services: JAX-WS�Using Java to implement SOAP Web Services: JAX-WS�
Using Java to implement SOAP Web Services: JAX-WSKatrien Verbert
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIEyal Vardi
 
Web services - REST and SOAP
Web services - REST and SOAPWeb services - REST and SOAP
Web services - REST and SOAPCompare Infobase Limited
 
Restful web services ppt
Restful web services pptRestful web services ppt
Restful web services pptOECLIB Odisha Electronics Control Library
 
Unit 02: Web Technologies (1/2)
Unit 02: Web Technologies (1/2)Unit 02: Web Technologies (1/2)
Unit 02: Web Technologies (1/2)DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
Software performance testing_overview
Software performance testing_overviewSoftware performance testing_overview
Software performance testing_overviewRohan Bhattarai
 
Manipulating Web Application Interfaces
Manipulating Web Application InterfacesManipulating Web Application Interfaces
Manipulating Web Application InterfacesFelipe M
 
Service worker - Offline Web
Service worker - Offline WebService worker - Offline Web
Service worker - Offline WebBruno Oliveira
 

More Related Content

What's hot

Mule webservices in detail
Mule webservices in detailMule webservices in detail
Mule webservices in detailShahid Shaik
 
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...BizTalk360
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServicesPrateek Tandon
 
ASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP FundamentalsASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP FundamentalsIdo Flatow
 
Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1Vinod Wilson
 
Overview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIOverview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIPankaj Bajaj
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web APIBrad Genereaux
 
The Rest Architectural Style
The Rest Architectural StyleThe Rest Architectural Style
The Rest Architectural StyleRobert Wilson
 
REST - Representational State Transfer
REST - Representational State TransferREST - Representational State Transfer
REST - Representational State TransferPeter R. Egli
 
Using Java to implement SOAP Web Services: JAX-WS
Using Java to implement SOAP Web Services: JAX-WS�Using Java to implement SOAP Web Services: JAX-WS�
Using Java to implement SOAP Web Services: JAX-WSKatrien Verbert
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIEyal Vardi
 
Software performance testing_overview
Software performance testing_overviewSoftware performance testing_overview
Software performance testing_overviewRohan Bhattarai
 

What's hot (20)

Mule webservices in detail
Mule webservices in detailMule webservices in detail
Mule webservices in detail
 
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
 
Web Programming
Web ProgrammingWeb Programming
Web Programming
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web Services
 
Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServices
 
ASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP FundamentalsASP.NET Web API and HTTP Fundamentals
ASP.NET Web API and HTTP Fundamentals
 
Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1Representational state transfer (rest) architectural style1.1
Representational state transfer (rest) architectural style1.1
 
Ajax
AjaxAjax
Ajax
 
REST Presentation
REST PresentationREST Presentation
REST Presentation
 
Overview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB APIOverview of Rest Service and ASP.NET WEB API
Overview of Rest Service and ASP.NET WEB API
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web API
 
The Rest Architectural Style
The Rest Architectural StyleThe Rest Architectural Style
The Rest Architectural Style
 
REST - Representational State Transfer
REST - Representational State TransferREST - Representational State Transfer
REST - Representational State Transfer
 
JSON and REST
JSON and RESTJSON and REST
JSON and REST
 
Using Java to implement SOAP Web Services: JAX-WS
Using Java to implement SOAP Web Services: JAX-WS�Using Java to implement SOAP Web Services: JAX-WS�
Using Java to implement SOAP Web Services: JAX-WS
 
The Full Power of ASP.NET Web API
The Full Power of ASP.NET Web APIThe Full Power of ASP.NET Web API
The Full Power of ASP.NET Web API
 
Web services - REST and SOAP
Web services - REST and SOAPWeb services - REST and SOAP
Web services - REST and SOAP
 
Restful web services ppt
Restful web services pptRestful web services ppt
Restful web services ppt
 
Unit 02: Web Technologies (1/2)
Unit 02: Web Technologies (1/2)Unit 02: Web Technologies (1/2)
Unit 02: Web Technologies (1/2)
 
Software performance testing_overview
Software performance testing_overviewSoftware performance testing_overview
Software performance testing_overview
 

Viewers also liked

Manipulating Web Application Interfaces
Manipulating Web Application InterfacesManipulating Web Application Interfaces
Manipulating Web Application InterfacesFelipe M
 
Service worker - Offline Web
Service worker - Offline WebService worker - Offline Web
Service worker - Offline WebBruno Oliveira
 
Progressive Web Apps
Progressive Web AppsProgressive Web Apps
Progressive Web AppsToninho Sousa
 
Offline Web com Service Workers - Sérgio Lopes
Offline Web com Service Workers - Sérgio LopesOffline Web com Service Workers - Sérgio Lopes
Offline Web com Service Workers - Sérgio LopesCaelum
 
Material design para web
Material design para webMaterial design para web
Material design para webAugusto Sandim
 
Progressive Web Apps e o futuro do desenvolvimento Web na Plataforma .NET
Progressive Web Apps e o futuro do desenvolvimento Web na Plataforma .NETProgressive Web Apps e o futuro do desenvolvimento Web na Plataforma .NET
Progressive Web Apps e o futuro do desenvolvimento Web na Plataforma .NETAndre Baltieri
 
ASP .NET CORE, Angular 2, e Typescript com Scaffolding Yeoman | Seminário
ASP .NET CORE, Angular 2, e Typescript com Scaffolding Yeoman | Seminário ASP .NET CORE, Angular 2, e Typescript com Scaffolding Yeoman | Seminário
ASP .NET CORE, Angular 2, e Typescript com Scaffolding Yeoman | Seminário Osmar Petry
 
Progressive Web Apps: o melhor da Web appficada
Progressive Web Apps: o melhor da Web appficadaProgressive Web Apps: o melhor da Web appficada
Progressive Web Apps: o melhor da Web appficadaCaelum
 

Viewers also liked (9)

Manipulating Web Application Interfaces
Manipulating Web Application InterfacesManipulating Web Application Interfaces
Manipulating Web Application Interfaces
 
Service worker - Offline Web
Service worker - Offline WebService worker - Offline Web
Service worker - Offline Web
 
Progressive Web Apps
Progressive Web AppsProgressive Web Apps
Progressive Web Apps
 
Boas práticas de API Design
Boas práticas de API DesignBoas práticas de API Design
Boas práticas de API Design
 
Offline Web com Service Workers - Sérgio Lopes
Offline Web com Service Workers - Sérgio LopesOffline Web com Service Workers - Sérgio Lopes
Offline Web com Service Workers - Sérgio Lopes
 
Material design para web
Material design para webMaterial design para web
Material design para web
 
Progressive Web Apps e o futuro do desenvolvimento Web na Plataforma .NET
Progressive Web Apps e o futuro do desenvolvimento Web na Plataforma .NETProgressive Web Apps e o futuro do desenvolvimento Web na Plataforma .NET
Progressive Web Apps e o futuro do desenvolvimento Web na Plataforma .NET
 
ASP .NET CORE, Angular 2, e Typescript com Scaffolding Yeoman | Seminário
ASP .NET CORE, Angular 2, e Typescript com Scaffolding Yeoman | Seminário ASP .NET CORE, Angular 2, e Typescript com Scaffolding Yeoman | Seminário
ASP .NET CORE, Angular 2, e Typescript com Scaffolding Yeoman | Seminário
 
Progressive Web Apps: o melhor da Web appficada
Progressive Web Apps: o melhor da Web appficadaProgressive Web Apps: o melhor da Web appficada
Progressive Web Apps: o melhor da Web appficada
 

Similar to A Validation Model of Data Input for Web Services

Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityLarry Ball
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordelguest2a1135
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scaleOWASP
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
Maya_Kamentcev_fullVersion_2016.docx
Maya_Kamentcev_fullVersion_2016.docxMaya_Kamentcev_fullVersion_2016.docx
Maya_Kamentcev_fullVersion_2016.docxMaya Kamentcev
 
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
PXpathV: Preventing XPath Injection Vulnerabilities in Web ApplicationsPXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applicationsijwscjournal
 
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
PXpathV: Preventing XPath Injection Vulnerabilities in Web ApplicationsPXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applicationsijwscjournal
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSIRJET Journal
 
Research challenges and issues in web security
Research challenges and issues in web securityResearch challenges and issues in web security
Research challenges and issues in web securityIAEME Publication
 
Algorithm for Securing SOAP Based Web Services from WSDL Scanning Attacks
Algorithm for Securing SOAP Based Web Services from WSDL Scanning AttacksAlgorithm for Securing SOAP Based Web Services from WSDL Scanning Attacks
Algorithm for Securing SOAP Based Web Services from WSDL Scanning Attacksiosrjce
 

Similar to A Validation Model of Data Input for Web Services (20)

Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
A26001006
A26001006A26001006
A26001006
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
Maya_Kamentcev_fullVersion_2016.docx
Maya_Kamentcev_fullVersion_2016.docxMaya_Kamentcev_fullVersion_2016.docx
Maya_Kamentcev_fullVersion_2016.docx
 
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
PXpathV: Preventing XPath Injection Vulnerabilities in Web ApplicationsPXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
 
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
PXpathV: Preventing XPath Injection Vulnerabilities in Web ApplicationsPXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications
 
A.S.Sivaprakash
A.S.SivaprakashA.S.Sivaprakash
A.S.Sivaprakash
 
ScottSalyards
ScottSalyardsScottSalyards
ScottSalyards
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaS
 
Research challenges and issues in web security
Research challenges and issues in web securityResearch challenges and issues in web security
Research challenges and issues in web security
 
F017353539
F017353539F017353539
F017353539
 
Algorithm for Securing SOAP Based Web Services from WSDL Scanning Attacks
Algorithm for Securing SOAP Based Web Services from WSDL Scanning AttacksAlgorithm for Securing SOAP Based Web Services from WSDL Scanning Attacks
Algorithm for Securing SOAP Based Web Services from WSDL Scanning Attacks
 
Web Security
Web SecurityWeb Security
Web Security
 

Recently uploaded

Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROmotivationalword821
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 

Recently uploaded (20)

Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTRO
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 

A Validation Model of Data Input for Web Services

  • 1. A Validation Model of Data Input for Web Services Rafael B. Brinhosa, Carla M. Westphall, Carlos B. Westphall, Daniel R. dos Santos, Fábio Grezele The Twelfth International Conference on Networks - ICN 2013 January 27 - February 1, 2013 - Seville, Spain Westphall, Daniel R. dos Santos, Fábio Grezele Post Graduation Program in Computer Science Federal University of Santa Catarina { brinhosa,carlamw,westphal,danielrs,fgrezele }@inf.ufsc.br 1
  • 2. Content at a GlanceContent at a Glance • Introduction and Related Works • Security Issues in Web Services • A Validation Model of Data Input for Web Service (WSIVM)Service (WSIVM) • Implementation Results – Development – Case Study • Conclusions and Future Works 2
  • 3. • SOA is based on web services but there are security related concerns • The lack of proper input validation is a major cause of data breaches and Web application attacks IntroductionIntroduction • Application attacks: SQL injection and cross-site scripting (XSS) Web Services Input Validation Model: an XML schema, an XML specification and a module for performing input validation according to the schema 3
  • 4. IntroductionIntroduction –– Web ServicesWeb Services Find Web services which meet certain requirements (Universal Description, Discovery and Integration) Services describe their own properties and methodsproperties and methods (Web Services Description Language) Format of requests(client) and responses (server) (Simple Object Access Protocol) Message transfer protocol (Hypertext Transfer Protocol) 4
  • 5. IntroductionIntroduction –– Web ServicesWeb Services Figure available from: http://gdp.globus.org/gt4-tutorial 5
  • 6. Related WorkRelated Work • Lack of input validation is a major cause of Web application attacks – SANS, 2011: The Top Cyber Security Risks – OWASP 2010: OWASP top 10 Web application security risks – [T. Scholte, D. Balzarotti, E. Kirda, 2011] - “Quo– [T. Scholte, D. Balzarotti, E. Kirda, 2011] - “Quo vadis? A study of the evolution of input validation vulnerabilities in Web applications” • Few specific mechanisms for Web Services • [N. A. Nordbotten, 2009] [L. Sun and Y. Li, 2008] use XML security technologies (encryption) 6
  • 7. Related WorkRelated Work • WS-Security Wrapper: is an intermediate between the Web service and the client; is an adapter program that converts plain XML exchanges to and from SOAP with WS-Security (XML signature and encryption). It does not include features such as validation of predefined data entries • [J. Lin and J. Chen, 2009]• [J. Lin and J. Chen, 2009] – Collects web pages (crawler), identify weak points and test them – insert the input validation (meta-programs) on the server side, acting as a web application firewall – many false positives with blacklist approach 7
  • 8. Related WorkRelated Work • IAPF (Integrated Application and Protocol Framework) [N. Sidharth and J. Liu, 2007]: – Protection in UDDI, WSDL, SOAP (WS-Sec) • XML firewall: – [A. Blyth, 2009] is concerned with validation of– [A. Blyth, 2009] is concerned with validation of the structure of XML content but not the content itself – [Y. Loh, W. Yau, C. Wong, and W. Ho, 2006] mentions protection against SQL injection through an XML schema and a precompiled blacklist of SQL commands, an approach which tends to produce many false positives 8
  • 9. • WSDL scanning: to reveal sensitive information about invocation patterns, underlying technology implementations • Serious and important data manipulation attacks: SQL injection and XSS • Normal firewalls, antivirus and using WS-Security Security Issues in Web ServicesSecurity Issues in Web Services • Normal firewalls, antivirus and using WS-Security standards are not able to protect web services against SQL injection and XSS attacks 9
  • 10. Databases LegacySystems WebServices Directories HumanResrcs Billing Custom Code APPLICATION ATTACK ApplicationLayer Accounts Finance Administration Transactions Communication KnowledgeMgmt E-Commerce Bus.Functions HTTP request SQL query DB TableHTTP response "SELECT * FROM accounts WHERE acct=‘’ OR 1=1-- ’" 1. Application presents a form to the attacker 2. Attacker sends an attack in the Account Summary Acct:5424-6066-2134-4334 Acct:4128-7574-3921-0192 Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 Account: SKU: Account: SKU: SQL InjectionSQL Injection –– IllustratedIllustrated Firewall Hardened OS Web Server App Server Firewall NetworkLayer 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 10
  • 11. • SQL Injection: by sending SOAP requests with properly handled parameters, for example, “'"1=1 –” as a parameter for a particular service Security Issues in Web ServicesSecurity Issues in Web Services ERROR: The query was not accomplished. Description: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server versionmanual that corresponds to your MySQL server version for the right syntax to use near '1=1'' at line 1 Line 11: Incorrect syntax near '')) or ItemId in (select ItemId from dbo.GetItemParents('4''. Unclosed quotation mark before the character string ')) ) ) > 0 ‘ 11
  • 12. Heartland Payment SystemsHeartland Payment Systems 12Available from: http://www.databreaches.net/?p=7691
  • 13. Heartland Payment SystemsHeartland Payment Systems Available from: http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf 13
  • 14. CrossCross--Site Scripting IllustratedSite Scripting Illustrated Application with stored XSS vulnerability Attacker sets the trap – update my profile Attacker enters a malicious script into a web page that stores the data on the server 1 Administration Transactions Communication Knowledge Commerce Bus.Functions 3 2 Victim views page – sees attacker profile Script silently sends attacker Victim’s session cookie Script runs inside victim’s browser with full access to the DOM and cookies Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus.Functions Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 14
  • 15. • XSS: by presenting unvalidated data directly to the user, Web services can be attacked. Using, for example, the command document.write(xmlhttp.responseText), if the answer to this AJAX (Asynchronous JavaScript and XML) call made to a Web service contains HTML Security Issues in Web ServicesSecurity Issues in Web Services XML) call made to a Web service contains HTML and JavaScript data, these data will be interpreted and executed, posing a risk to the user 15
  • 16. • Validate input data to provide security for Web Services. Controls on the lexical and syntactic aspects, type checking • Best way to avoid attacks: whitelist input validation (sanitization - change input into an acceptable format) WSIVMWSIVM –– Web Services Input Validation ModelWeb Services Input Validation Model 16
  • 17. WSIVMWSIVM –– Web Services Input Validation ModelWeb Services Input Validation Model 17
  • 18. WSIVMWSIVM –– DevelopmentDevelopment • Apache Tomcat Web server • Apache Axis2 framework for SOAP messages • To implement the validation module for Apache Axis2 the Rampart module was used • It was chosen to intercept the message in the phase PreDispatchphase PreDispatch • WSIVMXMLSchema, WSIVMXMLSpecification, and WSIVM Rampart module 18
  • 19. OperationName: the name of the operation SanitizeOperation: defines whether the parameters of this operation can be reformulated if necessary for the removal of characters that are not accepted ParamName: the name of the parameter or field Allowed: an allowed field type, which is valid (text, html, html+java-script, email, number, and all) WSIVMWSIVM –– WSIVMXMLSpecificationWSIVMXMLSpecification html+java-script, email, number, and all) Length: specifies the exact size of the field Maxsize: specifies the maximum field size Minsize: specifies the minimum field size Nillable: determines whether or not it is possible that the field is null (true or false) regEx: allows a regular expression to be specified for validation 19
  • 20. Case StudyCase Study • Case Study: Client Application + Web Service • UniversityManager web service: – searchStudent receives a registration number (ID) and returns the student record containing a String with his or her information – registerStudent operation receives the– registerStudent operation receives the information, which must not contain HTML or Javascript code, and registers it on the MySQL database. In the database a student’s table is created: ID, name, age, email, comment, site, and birthday 20
  • 21. WSIVMXMLSpecification WSIVMXMLSpecification–UniversityManager <?xml version="1.0" encoding="UTF-8"?> <valid_inputs_specification mlns:xsi="http://www.w3.org/2001/XMLSchema-instance" WebServiceID=“UniversityManager" xsi:noNamespaceSchemaLocation="valid_inputs_specification.xsd"> <operation name="registerStudent "> <input name="name" type="String" min="5" max="20" accept="text" sanitize="true"/> <input name="age" type="Integer" min="0" max="150" accept="number" sanitize="true"/> <input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/><input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/> <input name="comment" type="String" min="0" max="200" accept="text" sanitize="true"/> <input name="site" type="String" min="0" max="300" accept="url" sanitize="true"/> <input name="data" type="String" min="0" max="200" accept="regex" regexpattern= "(d{4})-(d{2})-(d{2})" sanitize="true"/> </operation> <operation name="searchStudent "> <input name="id" type="Integer" min="0" max="10000" accept="number" sanitize="true"/> </operation> </valid_inputs_specification> 21
  • 22. Case StudyCase Study -- ResultsResults • Experiments: – With and without WSIVM – 150 users – The test runs for 300 seconds – soapUi: direct calls to the web service <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:univ="http://university.wsivm.example">xmlns:univ="http://university.wsivm.example"> <soap:Header/><soap:Body> <univ:registerStudent> <univ:name>John</univ: name > <univ:age>12</univ: age > <univ:email>john@hsj.com</univ:email> <univ:comment>Passed</univ: comment > <univ:site>http://www.univ.com</univ:site> <univ:birthday>1980-09-12</univ: birthday > </univ: registerStudent > </soap:Body></soap:Envelope> 22
  • 23. ComparisonComparison Min.Min. TimeTime Without WSIVM 35 ms Max.Max. TimeTime 27848 ms Case StudyCase Study -- ResultsResults AvgAvg.. TimeTime 2494,85 ms TransferredTransferred BytesBytes 1974195 B B/sB/s 6506 B/s InsertionsInsertions In DBIn DB 10078 With WSIVM 64 ms Total 83 % 13346 ms - 52 % 4541,24 ms 82 % 1236330 B - 37 % 4012 B/s - 38 % 5134 - 49 % 23
  • 24. ConclusionsConclusions • Reusable and independent mechanism for data entry validation, regardless of the implementation of the web service • Based on the white list approach (reduction in false positives) – More reliable than the blacklist. If a blacklist is– More reliable than the blacklist. If a blacklist is created based on the current version of HTML, in the case of new versions, this list may no longer be considered valid – The number of false positives or false negatives will depend on the WSIVM XML Specification defined 24
  • 25. ConclusionsConclusions – The framework provides the specification to be customized according to the Web Service requirements and needs • Prevention of data injection attacks in Web services and the waste of server processing with invalid messagesinvalid messages • Reduces the possibility of denial of service using content of messages • Negative impact on the performance of the developed Web service but reduces the possibility of inserting invalid data • Solution for legacy applications reducing development costs 25
  • 26. • Optimization of the implementation to improve the performance of the proposed model • Development of a semi-automatic generator of security specifications from WSDL • Verification of SOAP messages and paths in XPath format Future WorkFuture Work format • Use of artificial intelligence or an anomaly detection system • Making a feedback loop filter validation of invalid entries 26
  • 27. Some ReferencesSome References 1. OWASP Top Ten - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 2. T. Scholte, D. Balzarotti, and E. Kirda, “Quo vadis? A study of the evolution of input validation vulnerabilities in Web applications,” in Proc. Int. Conference on Financial Cryptography and Data Security '11, St. Lucia, 2011. 3. N. A. Nordbotten, “XML and Web services security standards,” Communications Surveys & Tutorials, IEEE, vol. 11, no. 3, pp. 4–21, 2009. 4. L. Sun and Y. Li, “XML and Web services security,” in Proc. 12th Int. Conf. Computer Supported Cooperative Work in Design, CSCWD 2008, April 16–18, pp. 765–770. 5. N. Sidharth and J. Liu, “A framework for enhancing Web services security,” in Proc. 31st Ann. Int. Computer Software and Applications Conf., 2007, COMPSAC 2007, Jul. 24–27, vol. 1, pp. 23–30. 6. WS-Security Wrapper - http://wsswrapper.sourceforge.net/ 7. J. Lin and J. Chen, “An automated mechanism for secure input handling,” Journal of Computers, vol.7. J. Lin and J. Chen, “An automated mechanism for secure input handling,” Journal of Computers, vol. 4, no. 9, pp. 837–844, 2009. 8. N. Sidharth and J. Liu, “A framework for enhancing Web services security,” in Proc. 31st Ann. Int. COMPSAC 2007, Jul. 24–27, vol. 1, pp. 23–30. 9. A. Blyth, “An architecture for an XML enabled firewall,” International Journal of Network Security, vol. 8, no. 1, pp. 31–36, 2009, ISSN 1816–3548. 10. Y. Loh, W. Yau, C. Wong, and W. Ho, “Design and implementation of an XML firewall,” in Proc. 2006 Int. Conf. Computational Intelligence and Security, Nov. 3–6, vol. 2, pp. 1147–1150. 11. CWE/SANS TOP 25 Most Dangerous Software Errors - http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf 12. R. Wu and M. Hisada, “SOA Web Security and Applications”, Technology, vol. 9, no. 2, p. 163-177, 2010. 13. T. Scholte, W. Robertson, D. Balzarotti, E. Kirda, "Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis," in Proc. 2012 IEEE 36th Annual COMPSAC 2012 , pp.233- 243, July 2012. 27
  • 28. Thank you!Thank you! Rafael B. Brinhosa, Carla M. Westphall, Carlos B. Westphall, Daniel R. dos Santos, Fábio Grezele { brinhosa,carlamw,westphal,danielrs,fgrezele }@inf.ufsc.br 28