Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services

被引:30
作者
Antunes, Nuno [1 ]
Laranjeiro, Nuno [1 ]
Vieira, Marco [1 ]
Madeira, Henrique [1 ]
机构
[1] Univ Coimbra, Dept Informat Engn, CISUC, P-3000 Coimbra, Portugal
来源
2009 IEEE INTERNATIONAL CONFERENCE ON SERVICES COMPUTING | 2009年
关键词
D O I
10.1109/SCC.2009.23
中图分类号
TP [自动化技术、计算机技术];
学科分类号
0812 ;
摘要
This paper proposes a new automatic approach for the detection of SQL Injection and XPath Injection vulnerabilities, two of the most common and most critical types Of vulnerabilities in web services. Although there are tools that allow testing web applications against security vulnerabilities, previous research shows that the effectiveness of those tools in web services environments is very poor. In our approach a representative workload is used to exercise the web service and a large set of SQL/XPath Injection attacks are applied to disclose vulnerabilities. Vulnerabilities are defected by comparing the structure of the SQL/XPath commands issued in the presence of attacks to the ones previously learned when running the workload in the absence of attacks. Experimental evaluation shows that our approach performs much better than known tools (including commercial ones), achieving extremely high detection coverage while maintaining the false positives rate very low.
引用
收藏
页码:260 / 267
页数:8
相关论文
共 18 条
[1]  
Acunetix, 2008, AC WEB VULN SCANN
[2]  
[Anonymous], 1996, HDB SOFTWARE RELIABI
[3]  
[Anonymous], 2008, HP WebInspect
[4]  
ANTUNES N, 2009, 4 LAT AM S DEP COMP
[5]  
Antunes N., 2009, COMMAND INJECTION VU
[6]  
Buehrer G. T., 2005, INT WORKSH SOFTW ENG
[7]  
Christey S., 2007, VULNERABILITY TYPE D
[8]   Unraveling the Web services Web - An introduction to SOAP, WSDL, and UDDI [J].
Curbera, F ;
Duftler, M ;
Khalaf, R ;
Nagy, W ;
Mukhi, N ;
Weerawarana, S .
IEEE INTERNET COMPUTING, 2002, 6 (02) :86-93
[9]  
HALFOND W, 2006, 28 INT C SOFTW ENG S
[10]  
*IBM, 2008, IBM RAT APPSCAN