A New Approach towards DoS Penetration Testing on Web Services

Author

Falkenberg, Andreas ; Mainka, Christian ; Somorovsky, Juraj ; Schwenk, Joerg

Author_Institution

SEC Consult Deutschland Unternehmensberatung GmbH, Germany

fYear

2013

fDate

June 28 2013-July 3 2013

Firstpage

491

Lastpage

498

Abstract

SOAP-based Web services is a middleware technology marketed as the solution to easy data exchange between heterogeneous IT architectures. The large number of scenarios, in which this technology is used, has introduced demands for new extensions raising its complexity. However, this has also introduced a large variety of new attacks. In this paper, we investigate an automatic evaluation of Web service specific Denial of Service (DoS) attacks. We present a new fully automated plugin for the WS-Attacker penetration testing tool implementing major DoS attacks. Our tool determines the attack success without having physical access to the target machine, using a novel blackbox approach. We give an overview of our design decisions and present the evaluation results using common Web service frameworks and systems.

Keywords

Web services; computer network security; electronic data interchange; middleware; program testing; DoS attacks; DoS penetration testing; SOAP-based Web services; WS-attacker penetration testing tool; automated plugin; blackbox approach; data exchange; denial of service attack; heterogeneous IT architectures; middleware technology; Computer crime; Payloads; Servers; Simple object access protocol; Testing; XML; Denial- of-Service; Penetration Testing Tool; SOAP-based Web services; WS-Attacker; WS-Security;

fLanguage

English

Publisher

ieee

Conference_Titel

Web Services (ICWS), 2013 IEEE 20th International Conference on

Conference_Location

Santa Clara, CA

Print_ISBN

978-0-7695-5025-1

Type

conf

DOI

10.1109/ICWS.2013.72

Filename

6649616