A survey of attacks on web services

Classification and countermeasures
  • Meiko Jensen
  • Nils Gruschka
  • Ralph Herkenhöner
Special Issue Paper


Being regarded as the new paradigm for Internet communication, Web Services have introduced a large number of new standards and technologies. Though founded on decades of networking experience, Web Services are not more resistant to security attacks than other open network systems. Quite the opposite is true: Web Services are exposed to attacks well known from common Internet protocols and, additionally, to new kinds of attacks targeting Web Services in particular. Along with their severe impact, most of these attacks can be performed with minimum effort from the attacker’s side.

This article gives a survey of vulnerabilities in the context of Web Services. As a proof of the practical relevance of the threats, exemplary attacks on widespread Web Service implementations were performed. Further, general countermeasures for prevention and mitigation of such attacks are discussed.


Keywords: Web Services, Security, Attacks, Denial of Service, Flooding Attacks, XML, WS-Security



Copyright information

© Springer-Verlag 2009

Authors and Affiliations

  • Meiko Jensen (1)
  • Nils Gruschka (2)
  • Ralph Herkenhöner (3)
  1. Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Bochum, Germany
  2. NEC Laboratories Europe, IT Research Division, NEC Europe Ltd., St. Augustin, Germany
  3. Institute for IT-Security and Security Law, University Passau, Passau, Germany
