Experimental Evaluation of Web Service Frameworks in the Presence of Security Attacks

Web services are increasingly being used to provide critical operations in business-to-business and safety-critical environments. In these environments the exploitation of security vulnerabilities may result in major damages in the services infrastructures, financial or reputation losses to the organizations involved, and other catastrophic consequences for the users and the environment. Web services frameworks are the basis for developers to create and deploy web services, and must provide a robust and secure environment, so that an application can deliver its service, even when in presence of security attacks. In this paper we study the behavior of well-known web services frameworks in the presence of security attacks targeting the core web services specifications, i.e., those enabling basic message exchange functionalities. Results show that frameworks are quite resistant to attacks. However, they also indicate that even very popular and highly tested frameworks can be vulnerable to attacks, with potentially catastrophic consequences for the services being deployed.