Abstract
Regarded as the new paradigm for Internet communication, Web Services have introduced a large number of new standards and technologies. Though built on decades of networking experience, Web Services are no more resistant to security attacks than other open network systems. Quite the opposite is true: Web Services are exposed to attacks well known from common Internet protocols and, in addition, to new kinds of attacks that target Web Services in particular. Besides having a severe impact, most of these attacks can be carried out with minimal effort on the attacker's side.
This article gives a survey of vulnerabilities in the context of Web Services. As a proof of the practical relevance of the threats, exemplary attacks on widespread Web Service implementations were performed. Further, general countermeasures for the prevention and mitigation of such attacks are discussed.
Additional information
This work was done while the authors were at the Department for Computer Science, University of Kiel, Germany.
CR subject classification
C.2 ; C.4 ; H.3.5 ; K.6.5
Cite this article
Jensen, M., Gruschka, N. & Herkenhöner, R. A survey of attacks on web services. Comp. Sci. Res. Dev. 24, 185–197 (2009). https://doi.org/10.1007/s00450-009-0092-6
DOI: https://doi.org/10.1007/s00450-009-0092-6