Evaluating Web Services Security
Authors
Abstract
Although web services are becoming business-critical components, they are often deployed with critical software bugs, causing security vulnerabilities that can be maliciously exploited. Development time constraints and developers not specialized in security often lead to security precautions being disregarded, which gives utmost importance to the use of automated security testing tools to detect existing security vulnerabilities. However, automated security testing tools often do not deserve the confidence that development teams place in them. In fact, previous research shows that many vulnerabilities remain undetected even when well-known and widely used vulnerability detection tools are applied. The present work has two main contributions: the evaluation of existing tools and the proposal of new approaches for the detection of vulnerabilities. First, we evaluate existing tools to assess their effectiveness in the detection of vulnerabilities in web services environments. Results show that many web services are deployed with security vulnerabilities (SQL Injection being the most common type of vulnerability in this context) and that security testing tools present unsatisfactory effectiveness in web services environments (low coverage and a high number of false positives). We therefore propose two new techniques for the detection of security vulnerabilities in web services. The first is based on penetration testing and targets SQL Injection vulnerabilities. The second is a gray-box approach for the detection of SQL Injection and XPath Injection vulnerabilities.
The experimental evaluation showed that the penetration testing tool achieved higher effectiveness than the web security scanners in detecting SQL Injection vulnerabilities, demonstrating that it is possible to develop a vulnerability scanner for web services that performs much better than the commercial ones currently available. As for the proposed gray-box approach, the experimental evaluation showed that it performs much better than known tools (including commercial ones), achieving extremely high detection coverage while keeping the false positive rate very low.
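The following is an added illustration of the two detection styles the abstract contrasts, written for this page and not taken from the thesis or its tools: a black-box (penetration-test style) check that submits attack payloads to a web service operation and looks only at the response, next to a gray-box check that also observes the SQL command the service actually issues and flags any command whose syntactic structure was never seen with valid inputs. The web service operations, the in-memory SQLite schema and data, the payload list, the cursor-wrapper instrumentation hook, and the literal-masking "structure" heuristic are all constructed assumptions for the example; the thesis's own gray-box mechanism is not reproduced, and only SQL Injection (not XPath Injection) is shown. The third payload is chosen so that the black-box check misses it (no error, no extra rows) while the gray-box check catches it, which is the coverage gap the abstract describes.

```python
"""Added example (not the thesis's code): black-box vs gray-box SQL Injection detection
for a web service operation. All data, payloads and hooks below are constructed."""
import re
import sqlite3

# Constructed sample database standing in for the web service's back end.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
_conn.executemany("INSERT INTO users(name, email) VALUES (?, ?)",
                  [("alice", "alice@example.org"), ("bob", "bob@example.org")])
_conn.commit()

# Gray-box instrumentation (hypothetical): every SQL command the service issues is
# recorded here before execution, as a driver-level hook would do.
issued_sql = []


def _execute(sql, params=()):
    issued_sql.append(sql)
    return _conn.execute(sql, params).fetchall()


def get_email_vulnerable(name):
    """Service operation that concatenates the input into the SQL text (injectable)."""
    return _execute("SELECT email FROM users WHERE name = '" + name + "'")


def get_email_fixed(name):
    """Same operation with a parameterized query: input cannot alter the command."""
    return _execute("SELECT email FROM users WHERE name = ?", (name,))


# Constructed attack payloads; the last one is invisible to the black-box check.
SQL_PAYLOADS = ["' OR '1'='1", "'", "alice' --"]


def blackbox_scan(operation):
    """Penetration-test style: send payloads, look for a DB error or a data leak."""
    baseline = operation("alice")
    findings = []
    for payload in SQL_PAYLOADS:
        try:
            rows = operation(payload)
        except sqlite3.Error as err:
            findings.append((payload, "database error: %s" % err))
            continue
        if len(rows) > len(baseline):
            findings.append((payload, "returned %d rows, baseline %d"
                             % (len(rows), len(baseline))))
    return findings


def sql_structure(sql):
    """Reduce a SQL command to its skeleton: string and numeric literals become '?'."""
    skeleton = re.sub(r"'(?:[^']|'')*'", "?", sql)   # quoted string literals
    skeleton = re.sub(r"\b\d+\b", "?", skeleton)     # bare numeric literals
    return re.sub(r"\s+", " ", skeleton).strip()


def graybox_scan(operation, valid_inputs=("alice", "bob")):
    """Gray-box: learn the command structures issued for valid inputs, then flag any
    payload whose issued command has a structure not seen during learning."""
    learned = set()
    for value in valid_inputs:
        issued_sql.clear()
        operation(value)
        learned.update(sql_structure(s) for s in issued_sql)
    findings = []
    for payload in SQL_PAYLOADS:
        issued_sql.clear()
        try:
            operation(payload)
        except sqlite3.Error:
            pass  # the command was recorded before the database rejected it
        for sql in issued_sql:
            skeleton = sql_structure(sql)
            if skeleton not in learned:
                findings.append((payload, skeleton))
    return findings


if __name__ == "__main__":
    for op in (get_email_vulnerable, get_email_fixed):
        print(op.__name__, "black-box:", blackbox_scan(op))
        print(op.__name__, "gray-box:", graybox_scan(op))
```

With the vulnerable operation the black-box scan reports two of the three payloads (the tautology leaks an extra row, the lone quote triggers a database error) and misses the comment-terminated payload, which produces the same response as a normal request; the gray-box scan reports all three, because each one changes the skeleton of the issued command. Against the parameterized operation neither scan reports anything, since the command text never depends on the input.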