Enhancing penetration testing with attack signatures and interface monitoring for the detection of injection vulnerabilities in web services

Proceedings - 2011 IEEE International Conference on Services Computing, SCC 2011

Volumn , Issue , 2011, Pages 104-111

  Antunes, Nuno ^a   Vieira, Marco ^a  

^a UNIVERSITY OF COIMBRA   (Portugal)

Author keywords

Attack signatures; Interface monitoring; Penetration testing; Security; Vulnerability detection; Web services

Indexed keywords

ATTACK SIGNATURE; CRITICAL SOFTWARE; DETECTION COVERAGE; DEVELOPMENT SCENARIOS; EXPERIMENTAL EVALUATION; FALSE POSITIVE; INTERNAL STATE; PENETRATION TESTING; PROTOTYPE TOOLS; SECURITY; SQL INJECTION; VULNERABILITY DETECTION;

NETWORK SECURITY; PROGRAM DEBUGGING; SOFTWARE TESTING; USER INTERFACES;

WEB SERVICES;

EID: 80053169173     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SCC.2011.67     Document Type: Conference Paper

References (28)

1. S. Christey and R.A. Martin, "Vulnerability type distributions in CVE," V1. 0, vol. 10, 2006, p. 04.
2. S. Zanero, L. Carettoni, and M. Zanchetta, "Automatic Detection of Web Application Security Flaws," Black Hat Briefings, 2005.
3. D.A. Chappell and T. Jewell, Java Web Services, Sebasto-pol, CA, USA: O'Reilly & Associates, Inc., 2002.
4. E. Christensen, F. Curbera, G. Meredith, and S. Weerawa-rana, "Web Service Definition Language (WSDL) 1.1," World Wide Web Consortium (W3C) Available: http://www.w3.org/TR/wsdl.
5. L. Richardson and S. Ruby, RESTful web services, O'Reilly Media, Inc., 2007.
6. M. Vieira, N. Antunes, and H. Madeira, "Using web security scanners to detect vulnerabilities in web services," IEEE/IFIP International Conference on Dependable Systems & Networks, 2009, 2009, pp. 566-571.
7. D. Stuttard and M. Pinto, The web application hacker's handbook: discovering and exploiting security flaws, Wiley Publishing, Inc., 2007.
8. A. Petukhov and D. Kozlov, "Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing," Proceedings of the Application Security Conference, 2008.
9. N. Antunes, N. Laranjeiro, M. Vieira, and H. Madeira, "Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services," IEEE International Conference on Services Computing, Bangalore, India: 2009, pp. 260-267.
10. WASC, "Web Application Security Consortium - Classes of Attacks" Available: http://www.webappsec.org/projects/threat/classes-of- attack.shtml.
11. Acunetix, "Acunetix Web Vulnerability Scanner" Available: http://www.acunetix.com/vulnerability-scanner/.
12. IBM, "IBM Rational AppScan" Available: http://www-01.ibm.com/ software/awdtools/appscan/.
13. HP, "HP WebInspect" Available: https://h10078.www1.hp.com/cda/ hpms/display/main/hpms-content.jsp?zn=bto&cp=1-11-201-200%5E9570-4000-100-.
14. Foundstone, Inc., "Foundstone WSDigger," Foundstone Free Tools Available: http://www.foundstone.com/us/resources/proddesc/wsdigger.htm.
15. OWASP Foundation, "OWASP WSFuzzer Project" Available: http://www.owasp.org/index.php/Category:OWASP-WSFuzzer-Project.
16. J. Fonseca, M. Vieira, and H. Madeira, "Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks," 13th Pacific Rim International Symposium on Dependable Computing (PRDC 2007), Melbourne, Australia: 2007, pp. 365-372.
17. Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai, "Web application security assessment by fault injection and behavior monitoring," Proceedings of the 12th international conference on World Wide Web, Budapest, Hungary: ACM, 2003, pp. 148-159.
18. N. Antunes and M. Vieira, "Detecting SQL Injection Vulnerabilities in Web Services," Fourth Latin-American Symposium on Dependable Computing, Joao Pessoa, Brazil: IEEE Computer Society, 2009, pp. 17-24.
19. W.G.J. Halfond, S.R. Choudhary, and A. Orso, "Penetration testing with improved input vector identification," International Conference on Software Testing Verification and Validation, 2009. ICST'09., 2009, p. 346-355.
20. N. Antunes and M. Vieira, "Attack Signatures and Interface Monitoring to Detect Injection Vulnerabilities in Web Services" Available: http://eden.dei.uc.pt/~mvieira/signws.zip.
21. M. Sabhnani and G. Serpen, "Why machine learning algorithms fail in misuse detection on KDD intrusion detection data set," Intelligent Data Analysis, vol. 8, 2004.
22. F. Fuentes and D.C. Kar, "Ethereal vs. Tcpdump: a comparative study on packet sniffing tools for educational purpose," Journal of Computing Sciences in Colleges, vol. 20, 2005, p. 169-176.
23. LittleShoot, "LittleProxy HTTP Proxy" Available: http://www.littleshoot.org/littleproxy/.
24. G.J. Kiczales, J.O. Lamping, C.V. Lopes, J.J. Hugunin, E.A. Hilsdale, and C. Boyapati, Aspect-oriented programming, Google Patents, 2002.
25. G. Reese and A. Oram, Database Programming with JDBC and JAVA, O'Reilly & Associates, Inc. Sebastopol, CA, USA, 2000.
26. N. Antunes and M. Vieira, "Benchmarking Vulnerability Detection Tools for Web Services," IEEE Eighth International Conference on Web Services (ICWS 2010), Miami, Florida, USA: 2010, pp. 203-210.
27. M.R. Lyu, ed., Handbook of software reliability engineering, Hightstown, NJ, USA: McGraw-Hill, Inc., 1996.
28. Campwood Software, "SourceMonitor Version 2.5" Available: http://www.campwoodsw.com/sourcemonitor.html.