Proceedings of the 2012 International Conference on Information Technology and Software Engineering pp 135-143
A Security Attack Risk Assessment for Web Services Based on Data Schemas and Semantics
Abstract
Security concerns have been raised by Web services providers and consumers, since Web services are vulnerable to various security attacks including counterfeiting, disclosure, tampering, disruption, and breach of information. In particular, a Web service is exposed when the schemas of its input data are weak, giving way to attacks such as command injection and denial of service. This chapter proposes an initial assessment of security attack risks for Web services. The assessment begins with an analysis of the input data schemas described in the service WSDL document, to determine whether they are unconstrained and therefore at risk of command injection and denial of service attacks. We then determine whether such a risk can be mitigated by the semantic information annotated to the input data elements within the WSDL. If the semantic annotation is stronger than the schema elements themselves, we refer to this as a case of weak interface design, in which redesigning the service interface with stronger schemas should reduce attack risks. We also propose a risk assessment model for quantitatively determining the attack risk level of a Web service, to guide the provider when considering schema hardening and the consumer when selecting between different services.
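The schema-level part of the assessment described above can be mechanised: walk the `<types>` section of a WSDL, flag each leaf input element whose XSD type admits arbitrary text without a narrowing facet (injection indicator) or has no size bound or an unbounded `maxOccurs` (denial-of-service indicator), and note whether it carries a SAWSDL `modelReference`; an element that is annotated but still unconstrained is the "weak interface design" case, where the fix is a stronger schema rather than reliance on the ontology. The following Python script is an added example, not code from the chapter: the WSDL it parses is constructed for illustration, the indicator rules are a simplification of the reasoning in the abstract, and `risk_level` is a placeholder fraction of at-risk inputs, not the quantitative model the chapter proposes.

```python
"""Schema-based input risk screen for a WSDL document (added example; constructed data)."""
from dataclasses import dataclass
from typing import List, Optional
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
SAWSDL = "http://www.w3.org/ns/sawsdl"

# Constructed sample WSDL: not taken from any real service or from the chapter.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:sawsdl="http://www.w3.org/ns/sawsdl"
    targetNamespace="urn:example:comments">
  <types>
    <xs:schema targetNamespace="urn:example:comments" elementFormDefault="qualified">
      <xs:element name="PostCommentRequest">
        <xs:complexType>
          <xs:sequence>
            <!-- annotated with an ontology concept, but schema-wise unconstrained -->
            <xs:element name="username" type="xs:string"
                        sawsdl:modelReference="urn:example:onto#Username"/>
            <!-- neither schema nor semantic constraint -->
            <xs:element name="comment" type="xs:string"/>
            <!-- narrowed by pattern and bounded by maxLength -->
            <xs:element name="zip">
              <xs:simpleType>
                <xs:restriction base="xs:string">
                  <xs:pattern value="[0-9]{5}"/>
                  <xs:maxLength value="5"/>
                </xs:restriction>
              </xs:simpleType>
            </xs:element>
            <!-- numeric, but may be repeated without limit -->
            <xs:element name="tagId" type="xs:int" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:schema>
  </types>
</definitions>
"""

# Built-in XSD types that accept arbitrary text (assumption: our own simplified set).
TEXT_TYPES = {"string", "normalizedString", "token", "anyType", "anySimpleType", "anyURI"}
INJECTION_FACETS = {"pattern", "enumeration", "length"}  # facets that narrow content
LENGTH_FACETS = {"maxLength", "length", "enumeration"}   # facets that bound size


@dataclass
class Finding:
    name: str
    injection_risk: bool  # text-typed input with no content-narrowing facet
    dos_risk: bool        # unbounded size or unbounded repetition
    annotated: bool       # carries a sawsdl:modelReference

    @property
    def weak_interface_design(self) -> bool:
        """Annotation present while the schema itself is unconstrained."""
        return self.annotated and (self.injection_risk or self.dos_risk)


def _local(tag: str) -> str:
    return tag.split("}", 1)[1] if "}" in tag else tag


def assess_element(el: ET.Element) -> Optional[Finding]:
    """Classify one leaf <xs:element>; complexType containers and refs are skipped."""
    name = el.get("name")
    if name is None or el.find(f"{{{XS}}}complexType") is not None:
        return None
    restriction = el.find(f"{{{XS}}}simpleType/{{{XS}}}restriction")
    facets = {_local(f.tag) for f in restriction} if restriction is not None else set()
    base = el.get("type") or (restriction.get("base", "") if restriction is not None else "")
    base = base.split(":")[-1]  # drop the namespace prefix, e.g. "xs:string" -> "string"
    textual = base in TEXT_TYPES
    injection = textual and not (facets & INJECTION_FACETS)
    unbounded_size = textual and not (facets & LENGTH_FACETS)
    unbounded_count = el.get("maxOccurs", "1") == "unbounded"
    annotated = el.get(f"{{{SAWSDL}}}modelReference") is not None
    return Finding(name, injection, unbounded_size or unbounded_count, annotated)


def assess_wsdl(wsdl_text: str) -> List[Finding]:
    root = ET.fromstring(wsdl_text)
    return [f for f in (assess_element(el) for el in root.iter(f"{{{XS}}}element")) if f]


def risk_level(findings: List[Finding]) -> float:
    """Share of input elements carrying any risk indicator, in [0, 1].
    Assumption: a placeholder for the chapter's quantitative model, not that model."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.injection_risk or f.dos_risk) / len(findings)


if __name__ == "__main__":
    results = assess_wsdl(SAMPLE_WSDL)
    for f in results:
        flags = [k for k, v in (("injection", f.injection_risk), ("dos", f.dos_risk),
                                ("annotated", f.annotated),
                                ("weak-interface-design", f.weak_interface_design)) if v]
        print(f"{f.name:10s} {', '.join(flags) or 'constrained'}")
    print(f"risk level: {risk_level(results):.2f}")
```

On the constructed WSDL the script reports `username` as annotated but unconstrained (the weak interface design case), `comment` as unconstrained with no annotation, `zip` as constrained, and `tagId` as a denial-of-service indicator only, because `xs:int` narrows content but `maxOccurs="unbounded"` does not limit repetition. A provider would use such output to prioritise schema hardening; a consumer comparing services would prefer the lower score, keeping in mind that the score here is only a stand-in for the chapter's model.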
Keywords
Risk assessment; Security attacks; Web services; Ontology