• DocumentCode
    2366766
  • Title

    A Learning-Based Approach to Secure Web Services from SQL/XPath Injection Attacks

  • Author

    Laranjeiro, Nuno ; Vieira, Marco ; Madeira, Henrique

  • Author_Institution
    Dept. of Inf. Eng., Univ. of Coimbra, Coimbra, Portugal
  • fYear
    2010
  • fDate
    13-15 Dec. 2010
  • Firstpage
    191
  • Lastpage
    198
  • Abstract
    Business critical applications are increasingly being deployed as web services that access database systems, and must provide secure operations to their clients. Although the open web environment emphasizes the need for security, several studies show that web services are still being deployed with command injection vulnerabilities. This paper proposes a learning-based approach to secure web services against SQL and XPath Injection attacks. Our approach is able to transparently learn valid request patterns (learning phase) and then detect and abort potentially harmful requests (protection phase). When it is not possible to have a complete learning phase, a set of heuristics can be used to accept/discard doubtful cases. Our mechanism was applied to secure TPC-App services and open source services. It showed to be extremely effective in stopping all tested attacks, while introducing a negligible performance impact.
  • Keywords
    SQL; Web services; business data processing; learning (artificial intelligence); relational databases; security of data; SQL/XPath injection attacks; business critical applications; database systems; learning-based approach; secure Web services; SQL/XPath Injection; Web services; code instrumentation; security; vulnerabilities
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Dependable Computing (PRDC), 2010 IEEE 16th Pacific Rim International Symposium on
  • Conference_Location
    Tokyo
  • Print_ISBN
    978-1-4244-8975-6
  • Electronic_ISBN
    978-0-7695-4289-8
  • Type

    conf

  • DOI
    10.1109/PRDC.2010.24
  • Filename
    5703244