Web services represent a powerful interface for back-end database systems and are increasingly being used in business critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., having SQL Injection vulnerabilities). Although several techniques for the identification of security vulnerabilities have been proposed, developing non-vulnerable web services is still a difficult task. In fact, security-related concerns are hard to apply as they involve adding complexity to already complex code. This paper proposes an approach to secure web services against SQL and XPath Injection attacks, by transparently detecting and aborting service invocations that try to take advantage of potential vulnerabilities. Our mechanism was applied to secure several web services specified by the TPC-App benchmark, showing to be 100% effective in stopping attacks, non-intrusive and very easy to use.
Keywords
web services, SQL/XPath Injection
Subject
Web Services Security
Conference
20th International Conference on Database and Expert Systems Applications (DEXA 2009), August 2009
Cited by
Year 2011 : 2 citations
1. Velu Shanmughaneethi, R. Ravichandran, S. Swamynathan, “PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications”, International Journal on Web Service Computing, no. 3: 192-201, September 2011
2. Velu Shanmughaneethi, Ra. Yagna Pravin, S. Swamynathan, "XIVD: Runtime Detection of XPath Injection Vulnerabilities in XML Databases through Aspect Oriented Programming", Advances in Computing and Information Technology - Communications in Computer and Information Science, Springer Berlin Heidelberg, Vol. 198, ISBN: 978-3-642-22555-0, 2011.