Protecting Database Centric Web Services against SQL/XPath Injection Attacks

Authors:
Nuno Laranjeiro;Marco Vieira;Henrique Madeira
Affiliations:
CISUC, Department of Informatics Engineering, University of Coimbra, Portugal;CISUC, Department of Informatics Engineering, University of Coimbra, Portugal;CISUC, Department of Informatics Engineering, University of Coimbra, Portugal
Venue:
DEXA '09 Proceedings of the 20th International Conference on Database and Expert Systems Applications
Year:
2009

Citing 10
Cited 0

Unraveling the Web Services Web: An Introduction to SOAP, WSDL, and UDDI

IEEE Internet Computing
Design and code inspections to reduce errors in program development

Software pioneers
Finding bugs is easy

ACM SIGPLAN Notices
Service-Oriented Architecture: Concepts, Technology, and Design

Service-Oriented Architecture: Concepts, Technology, and Design
Preventing SQL injection attacks using AMNESIA

Proceedings of the 28th international conference on Software engineering
Finding security vulnerabilities in java applications with static analysis

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Using Automated Fix Generation to Secure SQL Statements

ICSEW '07 Proceedings of the 29th International Conference on Software Engineering Workshops
The web application hacker's handbook: discovering and exploiting security flaws

The web application hacker's handbook: discovering and exploiting security flaws
On automated prepared statement generation to remove SQL injection vulnerabilities

Information and Software Technology
Improving Web Services Robustness

ICWS '09 Proceedings of the 2009 IEEE International Conference on Web Services

Quantified Score

Hi-index	0.00

Visualization

Abstract

Web services represent a powerful interface for back-end database systems and are increasingly being used in business critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., having SQL Injection vulnerabilities). Although several techniques for the identification of security vulnerabilities have been proposed, developing non-vulnerable web services is still a difficult task. In fact, security-related concerns are hard to apply as they involve adding complexity to already complex code. This paper proposes an approach to secure web services against SQL and XPath Injection attacks, by transparently detecting and aborting service invocations that try to take advantage of potential vulnerabilities. Our mechanism was applied to secure several web services specified by the TPC-App benchmark, showing to be 100% effective in stopping attacks, non-intrusive and very easy to use.