DocumentCode :
259626
Title :
Automatic fuzz testing of web service vulnerability
Author :
Wang Chunlei ; Liu Li ; Liu Qiang
Author_Institution :
Beijing Institute of System Engineering, China, 100101
fYear :
2014
fDate :
15-17 May 2014
Firstpage :
1
Lastpage :
6
Abstract :
With the wide application of service-oriented architecture and web service technology, the security requirements for web services are increasing. This paper presents a web services vulnerability identification and analysis method based on fuzz testing, including identifying inputs, generating fuzz testing data, performing fuzz testing, monitoring and identifying abnormal fragility, etc., thereby automatically identifying the web services architecture and performing fuzz testing. The low efficiency of abnormal data generation in web services fuzz testing is solved by using an optimized grouping method, so that the heavy work and inefficiency brought by manual testing can be avoided and the vulnerability of web services can be tested in depth. A web services vulnerability testing tool called WSFuzzer is implemented based on the proposed fuzz testing method, which implements the detection and analysis of web services vulnerabilities through the generation and execution of web services fuzz testing cases. Several vulnerabilities, including SQL injection, information leakage, and XPath injection, are discovered by using WSFuzzer to carry out web services vulnerability fuzz testing, which shows that the proposed method can test web service vulnerabilities with high efficiency and accuracy.
Keywords :
fuzz testing; vulnerability analysis; web services;
fLanguage :
English
Publisher :
iet
Conference_Titel :
Information and Communications Technologies (ICT 2014), 2014 International Conference on
Conference_Location :
Nanjing, China
Type :
conf
DOI :
10.1049/cp.2014.0589
Filename :
6913642