A Learning-Based Approach to Secure Web Services from SQL/XPath Injection Attacks

Authors

Abstract

Business critical applications are increasingly being deployed as web services that access database systems, and must provide secure operations to its clients. Although the open web environment emphasizes the need for security, several studies show that web services are still being deployed with command injection vulnerabilities. This paper proposes a learning-based approach to secure web services against SQL and XPath Injection attacks. Our approach is able to transparently learn valid request patterns (learning phase) and then detect and abort potentially harmful requests (protection phase). When it is not possible to have a complete learning phase, a set of heuristics can be used to accept/discard doubtful cases. Our mechanism was applied to secure TPC-App services and open source services. It showed to be extremely effective in stopping all tested attacks, while introducing a negligible performance impact.

Keywords

Web Services, SQL/XPath Injection Attacks, Security

Subject

Web Services Security

Conference

The 16th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 2010), December 2010