Emulating XPath Injection Attacks for Web Services Testing Using Fault Injection

  • Marcelo I. P. Salas UNICAMP
  • Eliane Martins UNICAMP

Abstract


This article describes the use of a fault injector to emulate XPath Injection attacks for security testing of Web Services. XPath Injection is a type of injection attack, one of the most exploited by attackers, and its consequences are harmful when it succeeds. One of the standards for ensuring security in the context of Web Services is WS-Security (WSS), which, among other mechanisms, uses Security Tokens to control access to messages exchanged between services. The results showed that using this mechanism improves the detection of XPath Injection, but it is still not enough to ensure 100% protection against this type of attack.

Published
2012-04-30
SALAS, Marcelo I. P.; MARTINS, Eliane. Emulação de Ataques do Tipo XPath Injection para Testes de Web Services usando Injeção de Falhas. In: FAULT TOLERANCE WORKSHOP (WTF), 13., 2012, Ouro Preto/MG. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2012. p. 17-30. ISSN 2595-2684. DOI: https://doi.org/10.5753/wtf.2012.23077.