International Journal of Information Security, Volume 16, Issue 4, pp. 435–457

Designing vulnerability testing tools for web services: approach, components, and tools

  • Nuno Antunes
  • Marco Vieira
Regular Contribution

Abstract

This paper proposes a generic approach for designing vulnerability testing tools for web services, which includes the definition of the testing procedure and of the tool components. Based on the proposed approach, we present the design of three innovative testing tools that implement three complementary techniques (improved penetration testing, attack signatures and interface monitoring, and runtime anomaly detection) for detecting injection vulnerabilities, offering extensive support for different scenarios. A case study has been designed to demonstrate the tools for the particular case of SQL Injection vulnerabilities. The experimental evaluation demonstrates that the tools can effectively be used in different scenarios and that they outperform well-known commercial tools by achieving higher detection coverage and lower false-positive rates.
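The three techniques named in the abstract can be illustrated in miniature. The Python below is an added example written for this page, not the authors' tools or code: a wrapper around a SQLite connection stands in for the interface monitor (the paper's tools intercept the database interface of Java web services), the attack payload is tagged with an arbitrary marker token ZqX9sig, the structure of the SQL issued under a constructed benign workload is learned as the anomaly-detection profile, and the three checks are run against a vulnerable and a parameterized implementation of a hypothetical getRole(name) operation. The operation name, the token, the table and the sample rows are all assumptions.

```python
"""Added example (not the authors' tools): three complementary SQL injection
checks against a toy web-service operation.

  1. penetration testing            - send a tautology payload, compare responses
  2. attack signature + monitoring  - tag the payload with a token and inspect
                                      the SQL that actually reaches the database
  3. runtime anomaly detection      - learn the structure of SQL issued under a
                                      benign workload, flag new structures

Assumptions (not from the paper): operation getRole(name), marker ZqX9sig,
SQLite as the database, constructed sample rows.
"""
import re
import sqlite3

SIGNATURE = "ZqX9sig"  # arbitrary marker; only needs to be unlikely in real data


class MonitoredConnection:
    """Interface monitor: records every SQL text handed to execute(), the way
    an interceptor on the database driver would."""

    def __init__(self, conn):
        self.conn = conn
        self.log = []

    def execute(self, sql, params=()):
        self.log.append(sql)  # record the statement before it runs
        return self.conn.execute(sql, params)


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])  # constructed data
    return MonitoredConnection(conn)


# Two implementations of the hypothetical operation getRole(name).
def get_role_vulnerable(db, name):
    # input concatenated into the statement: it can alter the SQL structure
    return db.execute("SELECT role FROM users WHERE name = '" + name + "'").fetchall()


def get_role_hardened(db, name):
    # bound parameter: input can only ever be data
    return db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()


STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")  # SQL literal; '' is an escaped quote
NUMBER = re.compile(r"\b\d+\b")


def structure(sql):
    """Reduce a statement to its structure: string and numeric literals become ?."""
    return NUMBER.sub("?", STRING_LITERAL.sub("?", sql))


def signature_leaked(sql_log, token=SIGNATURE):
    """Attack-signature check: if the token survives literal stripping, the
    input was interpreted as part of the command, not as data."""
    return any(token in structure(sql) for sql in sql_log)


def pentest_tautology(operation, db):
    """Plain penetration test: a tautology payload must not return more rows
    than a benign lookup of the same name."""
    baseline = len(operation(db, "alice"))
    attacked = len(operation(db, "alice' OR '1'='1"))
    return attacked > baseline


def learn_profile(operation, db, workload):
    """Learning phase of runtime anomaly detection over a benign workload."""
    start = len(db.log)
    for name in workload:
        operation(db, name)
    return {structure(s) for s in db.log[start:]}


def anomalies(profile, sql_log):
    """Detection phase: statements whose structure was never seen while learning."""
    return [s for s in sql_log if structure(s) not in profile]


def assess(operation):
    """Run the three checks against one implementation of the operation."""
    db = setup_db()
    profile = learn_profile(operation, db, ["alice", "bob", "carol"])
    start = len(db.log)
    tautology = pentest_tautology(operation, db)
    operation(db, "' OR '1'='1' -- " + SIGNATURE)  # signed attack payload
    attack_log = db.log[start:]
    return {
        "pentest": tautology,
        "signature": signature_leaked(attack_log),
        "anomaly": bool(anomalies(profile, attack_log)),
    }


if __name__ == "__main__":
    for op in (get_role_vulnerable, get_role_hardened):
        print(op.__name__, assess(op))
```

The signature check is the most precise of the three: the penetration test depends on the response being observable (a blind injection returning the same rows would pass), and the anomaly detector depends on the learning workload having exercised every legitimate statement shape, otherwise a benign but unseen query is reported as a false positive. Monitoring the database interface for a token that left its string literal needs neither, which is why the paper pairs it with the other two.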

Keywords

Software vulnerabilities; Vulnerability detection; Security testing; Web services

Acknowledgments

This work has been partially supported by the project CErtification of CRItical Systems (www.cecris-project.eu, CECRIS), Marie Curie Industry-Academia Partnerships and Pathways (IAPP) number 324334, within the context of the EU Seventh Framework Programme (FP7).

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

Department of Informatics Engineering, University of Coimbra, Coimbra, Portugal