Security of Web Services: Methods and Contrivance
DOI: https://doi.org/10.24297/ijct.v14i11.6374
Keywords: Web services, Security, Threats and attacks, SOAP, RESTful, WS-Security Framework
Abstract
The increasing use of web services, the proven advantages of service-oriented architectures and the attacks continuously mounted against them require security mechanisms that provide protection at several levels. The aim of the paper is to summarize the existing threats and attacks against web applications and web services. Contemporary security standards and good practices describing methods and contrivance for solving these security problems are also explored in order to show the present state of the field.
Published
2015-08-10
How to Cite
Ivanova, M. (2015). Security of Web Services: Methods and Contrivance. International Journal of Computers & Technology, 14(11), 6229–6239. https://doi.org/10.24297/ijct.v14i11.6374
Section: Research Articles