Journal
ELECTRONIC NOTES IN THEORETICAL COMPUTER SCIENCE
Volume 302, Issue -, Pages 133-154Publisher
ELSEVIER SCIENCE BV
DOI: 10.1016/j.entcs.2014.01.024
Keywords
web services; cross-site scripting; XSS attack; penetration testing; fault injection; WS-Security; WSS; Security Token; soapUI; WSInject
Categories
Ask authors/readers for more resources
Due to its distributed and open nature, Web Services give rise to new security challenges. This technology is susceptible to Cross-site Scripting (XSS) attack, which takes advantage of existing vulnerabilities. The proposed approach makes use of two Security Testing techniques, namely Penetration Testing and Fault Injection, in order to emulate XSS attack against Web Services. This technology, combined with WS-Security (WSS) and Security Tokens, can identify the sender and guarantee the legitimate access control to the SOAP messages exchanged. We use the vulnerability scanner soapUI that is one of the most recognized tools of Penetration Testing. In contrast, WSInject is a new fault injection tool, which introduces faults or errors on Web Services to analyze the behavior in an environment not robust. The results show that the use of WSInject, in comparison to soapUI, improves the detection of vulnerability allows to emulate XSS attack and generates new types of them.
Authors
I am an author on this paper
Click your name to claim this paper and add it to your profile.
Reviews
Recommended
No Data Available