CISUC

Evaluating and Improving Penetration Testing in WebServices

Authors

Abstract

Developers often rely on penetration testing tools to detect vulnerabilities in web services, although frequently without really knowing their effectiveness. In fact, the lack of information on the internal state of the tested services and the complexity and variability of the responses analyzed, limits the effectiveness of such technique, highlighting the importance of evaluating and improving existing tools. The goal of this paper is to investigate if attack signatures and interface monitoring can be an effective mean to assess and improve the perfor-mance of penetration testing tools in web services environ-ments. In practice, attacks performed by such tools are signed and the interfaces between the target application and external resources are monitored (e.g., between services and a database server), allowing gathering additional information on existing vulnerabilities. A prototype was implemented focusing on SQL injection vulnerabilities. The experimental evaluation results clearly show that the proposed approach can be used in real scenarios.

Keywords

web-services, security, vulnerability detection, attack signatures, penetration testing, interface monitoring

Subject

Vulnerability Detection in Web Services

Conference

23rd IEEE International Symposium on Software Reliability Engineering (ISSRE 2012), November 2012


Cited by

Year 2015 : 1 citations

 S. Karumanchi and A. Squicciarini, “A Large Scale Study of Web Service Vulnerabilities,” Journal of Internet Services and Information Security (JISIS), vol. 5, no. 1, pp. 53–69, 2015.

Year 2014 : 2 citations

 J. Upadhyaya, N. Panda, and A. A. Acharya, “Attack Generation and Vulnerability Discovery in Penetration Testing using Sql Injection,” 2014.

 S. Karumanchi and A. C. Squicciarini, “In the Wild: a Large Scale Study of Web Services Vulnerabilities,” presented at the 29th Symposium On Applied Computing, Gyeongju, Republic of Korea, 2014.