• DocumentCode
    2867889
  • Title

    Evaluating and Improving Penetration Testing in Web Services

  • Author

    Antunes, Nuno ; Vieira, Marco

  • Author_Institution
    Dept. of Inf. Eng., Univ. of Coimbra - Portugal, Coimbra, Portugal
  • fYear
    2012
  • fDate
    27-30 Nov. 2012
  • Firstpage
    201
  • Lastpage
    210
  • Abstract
    Developers often rely on penetration testing tools to detect vulnerabilities in web services, although frequently without really knowing their effectiveness. In fact, the lack of information on the internal state of the tested services and the complexity and variability of the responses analyzed, limits the effectiveness of such technique, highlighting the importance of evaluating and improving existing tools. The goal of this paper is to investigate if attack signatures and interface monitoring can be an effective mean to assess and improve the performance of penetration testing tools in web services environments. In practice, attacks performed by such tools are signed and the interfaces between the target application and external resources are monitored (e.g., between services and a database server), allowing gathering additional information on existing vulnerabilities. A prototype was implemented focusing on SQL injection vulnerabilities. The experimental evaluation results clearly show that the proposed approach can be used in real scenarios.
  • Keywords
    SQL; Web services; digital signatures; program testing; SQL injection vulnerabilities; Web services; attack signatures; existing vulnerabilities; interface monitoring; penetration testing tools; Databases; Java; Monitoring; Security; Servers; Testing; Web services; attack signatures; interface monitoring; penetration testing; security; vulnerability detection; web-services;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Software Reliability Engineering (ISSRE), 2012 IEEE 23rd International Symposium on
  • Conference_Location
    Dallas, TX
  • ISSN
    1071-9458
  • Print_ISBN
    978-1-4673-4638-2
  • Type

    conf

  • DOI
    10.1109/ISSRE.2012.26
  • Filename
    6405368