Abstract :
Web services work over dynamic connections among distributed systems. This technology was specifically designed to easily pass SOAP message through firewalls using open ports. These benefits involve a number of security challenges, such as Injection Attacks, phishing, Denial-of-Services (DoS) attacks, and so on. The difficulty to detect vulnerabilities,before they are exploited, encourages developers to use security testing like penetration testing to reduce the potential attacks. Given a black-box approach, this research use the penetration testing to emulate a series of attacks, such as Cross-site Scripting (XSS), Fuzzing Scan, Invalid Types, Malformed XML, SQL Injection, XPath Injection and XML Bomb. In this way, was used the soapUI vulnerability scanner in order to emulate these attacks and insert malicious scripts in the requests of the web services tested. Furthermore, was developed a set of rules to analyze the responses in order to reduce false positives and negatives. The results suggest that 97.1% of web services have at least one vulnerability of these attacks. We also determined a ranking of these attacks against web services.
Keywords :
Web services; XML; firewalls; program testing; DoS attacks; SOAP message; SQL injection attack; Web service testing; XML bomb attack; XPath injection attack; XSS attack; black-box approach; cross-site scripting attack; denial-of-services attacks; distributed systems; dynamic connections; firewalls; fuzzing scan attack; injection attacks; invalid type attack; malformed XML attack; malicious scripts; penetration testing; phishing; security testing; soapUI vulnerability scanner; vulnerability detection; Security; Servers; Simple object access protocol; Testing; Weapons; XML; Cross-site Scripting; Fuzzing Scan; Invalid Types; Malformed XML; SQL Injection; XML Bomb; XPath Injection; XSS; penetration testing; web services;
