DocumentCode :
1817885
Title :
Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services
Author :
Antunes, Nuno ; Laranjeiro, Nuno ; Vieira, Marco ; Madeira, Henrique
Author_Institution :
Dept. of Inf. Eng., Univ. of Coimbra, Coimbra, Portugal
fYear :
2009
fDate :
21-25 Sept. 2009
Firstpage :
260
Lastpage :
267
Abstract :
This paper proposes a new automatic approach for the detection of SQL Injection and XPath Injection vulnerabilities, two of the most common and most critical types of vulnerabilities in Web services. Although there are tools that allow testing Web applications against security vulnerabilities, previous research shows that the effectiveness of those tools in Web services environments is very poor. In our approach a representative workload is used to exercise the Web service and a large set of SQL/XPath injection attacks are applied to disclose vulnerabilities. Vulnerabilities are detected by comparing the structure of the SQL/XPath commands issued in the presence of attacks to the ones previously learned when running the workload in the absence of attacks. Experimental evaluation shows that our approach performs much better than known tools (including commercial ones), achieving extremely high detection coverage while maintaining the false positives rate very low.
Keywords :
SQL; Web services; program testing; security of data; SQL injection vulnerabilities; Web services; XPath injection vulnerabilities; security vulnerabilities; Data security; Informatics; Pattern analysis; Performance analysis; Performance evaluation; Relational databases; Runtime; Stress; Testing; Web services;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Services Computing, 2009. SCC '09. IEEE International Conference on
Conference_Location :
Bangalore
Print_ISBN :
978-1-4244-5183-8
Electronic_ISBN :
978-0-7695-3811-2
Type :
conf
DOI :
10.1109/SCC.2009.23
Filename :
5283945