Protecting Database Centric Web Services against SQL/XPath Injection Attacks




Protecting Database Centric Web Services against SQL/XPath Injection Attacks
Nuno Laranjeiro, Marco Vieira, and Henrique Madeira
CISUC, Department of Informatics Engineering, University of Coimbra, Portugal
{cnl, mvieira, henrique}@dei.uc.pt
Internal Report, 2009

Abstract. Web services represent a powerful interface for back-end database systems and are increasingly being used in business-critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., having SQL Injection vulnerabilities). Although several techniques for the identification of security vulnerabilities have been proposed, developing non-vulnerable web services is still a difficult task. In fact, security-related concerns are hard to apply, as they involve adding complexity to already complex code. This paper proposes an approach to secure web services against SQL and XPath Injection attacks by transparently detecting and aborting service invocations that try to take advantage of potential vulnerabilities. Our mechanism was applied to secure several web services specified by the TPC-App benchmark, and showed to be 100% effective in stopping attacks, non-intrusive, and very easy to use.

Keywords: Web services, vulnerabilities, security attacks, SQL Injection, XPath Injection, code instrumentation.

1 Introduction

Web services are now widely used to support many businesses, linking suppliers and clients in sectors such as banking and financial services, transportation, or automotive manufacturing, among others. Web services are self-describing components that can be used by other software across the web in a platform-independent manner, and are supported by standard protocols such as SOAP (Simple Object Access Protocol), WSDL (Web Services Description Language) and UDDI (Universal Description, Discovery, and Integration) [6].

In a service-based environment, providers offer a set of services that frequently access a back-end database and can be discovered and used by service consumers. The web service technology provides a clear service interface for consumers, and this is frequently used to enable the aggregation of services in compositions. These compositions, frequently designated as business processes, are essentially a collection of services working together towards an objective [8]. The composition workflow (i.e., the sequencing and coordination of calls to component services) obviously introduces a degree of dependency between services, where a security failure in a component may compromise the whole composition.

A recent McKinsey report indicates web services and SOA as one of the most important trends in modern software development [20]. However, the wide use and exposure of web services means that any existing security vulnerability will most probably be uncovered and exploited by attackers. In fact, command injection attacks (e.g., SQL or XPath injection) are frequent types of attacks in the web environment [24]. These attacks take advantage of improperly coded applications to change the queries sent to a database, enabling, for instance, access to critical data. Vulnerabilities allowing SQL Injection and XPath Injection attacks are particularly relevant in web services [30], as their exposure is high and they frequently use a data persistence solution [29] based either on a traditional relational database or on an XML database. Currently, major database vendors and several open source efforts provide XML databases (e.g., Oracle XML DB, SQL Server 2008, Apache Xindice, etc.), and access to this type of database typically uses XPath expressions. While the goal of XPath Injection is to maliciously exploit any existing vulnerabilities in the XPath expressions used by an application (for instance to access an XML database), SQL Injection tries to change the SQL statements in a similar manner [24].

Different techniques for the identification of security vulnerabilities have been proposed in the past [24], namely:

Static vulnerability scanning: consists in analyzing the source code of the application looking for potential vulnerabilities. It is a white-box approach that can be done manually or by using automated code analysis.

Penetration testing: a widely used technique that tries to disclose security vulnerabilities in web applications (including web services). The testing tool stresses the application from the point of view of the attacker (black-box approach) and tries to penetrate it by issuing a huge number of interactions.

Although web services are increasingly being used in complex business-critical systems, current development support tools do not provide practical ways to protect applications against security attacks. In this paper, we present a phased approach that is able to: 1) learn the profile of regular client requests by transforming requests into invariant statements; 2) protect web service applications from SQL/XPath injection attacks by matching incoming requests against the valid set of statements previously learned. Note that this work focuses on source code vulnerabilities and not on any specific security mechanism, such as authentication or data encryption. In summary, our approach consists of the following major phases:

Service assessment: An optional phase that characterizes the web service code in terms of security vulnerabilities. Penetration testing and static code analysis are used to identify any existing security vulnerabilities (e.g., web service code prone to SQL/XPath Injection);

Statement learning: Consists of learning the profile of valid, non-malicious data access statements. We provide an automatable workload generation approach to create a set of invocations able to exercise the web service code, reaching as many data access statements as possible and enriching the set of invariant statements learned by our framework;

Service protection: The generation of a protective service wrapper that uses the outcome of the learning phase (a set of valid statements) to prevent the success of SQL/XPath injection attacks. All incoming requests are hashed
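The learn-then-protect cycle described above, as an added example that is not the authors' tool: a guard reduces each SQL/XPath statement to an invariant by replacing literals with placeholders (this normalization rule is an assumption, since the paper's own rule is not on this page), stores a hash of the invariant during the learning phase, and in the protection phase aborts any statement whose invariant was never learned. The `StatementGuard` class and the statements it is trained and probed with are constructed for this example.

```python
import hashlib
import re

# Added example, not the authors' EDEL tool. The normalization rule (replace
# string and numeric literals with "?") is an assumption about how an
# "invariant statement" is derived; the paper's own rule is not on this page.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")                    # 'abc', 'it''s', ''
_NUMBER_LITERAL = re.compile(r"(?<![\w.])\d+(?:\.\d+)?(?![\w.])")  # 42, 3.5 (not c_id2)
_WHITESPACE = re.compile(r"\s+")


def invariant(statement: str) -> str:
    """Drop the value-carrying parts of a SQL/XPath statement, keep its shape."""
    s = _STRING_LITERAL.sub("?", statement)  # strings first, so digits inside them go too
    s = _NUMBER_LITERAL.sub("?", s)
    return _WHITESPACE.sub(" ", s).strip().lower()


def fingerprint(statement: str) -> str:
    """The guard stores hashes of invariants, never the statements themselves."""
    return hashlib.sha256(invariant(statement).encode("utf-8")).hexdigest()


class StatementGuard:
    """Learning phase: record fingerprints of statements produced by a trusted
    workload. Protection phase: a statement whose fingerprint was never learned
    has a different structure, so the invocation is aborted instead of executed."""

    def __init__(self) -> None:
        self._known = set()

    def learn(self, statement: str) -> None:
        self._known.add(fingerprint(statement))

    def is_allowed(self, statement: str) -> bool:
        return fingerprint(statement) in self._known

    def execute(self, statement: str) -> str:
        if not self.is_allowed(statement):
            raise PermissionError("aborted, unknown statement shape: " + invariant(statement))
        return "executed"  # stand-in for the real database / XML engine call


def demo() -> dict:
    """Constructed statements: learn two legitimate shapes, then probe the guard."""
    guard = StatementGuard()
    guard.learn("SELECT * FROM customers WHERE c_id = 42")
    guard.learn("//user[name='alice' and password='s3cr3t']")
    return {
        # Same shape, different literals: a legitimate call with other parameters.
        "other_id_ok": guard.is_allowed("SELECT * FROM customers WHERE c_id = 7"),
        "other_user_ok": guard.is_allowed("//user[name='bob' and password='pw']"),
        # A tautology smuggled through an unescaped parameter changes the shape.
        "sql_tautology": guard.is_allowed("SELECT * FROM customers WHERE c_id = 42 OR 1=1"),
        "xpath_tautology": guard.is_allowed("//user[name='' or '1'='1' and password='x']"),
    }
```

Only structural changes are caught: a request that merely supplies different literal values has the same invariant and is allowed, which is exactly why the learning workload must reach every legitimate statement shape.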

domains. As expected, no problem was identified, providing a strong indicator that our framework did not change the application's normal behavior. Additionally, we executed a final test to assess the performance impact of executing the security system. As we were expecting small values for the security improvement, we tested the worst-case scenario found in the TPC-App services and executed 100000 invocations using that scenario. The security mechanism took on average 0,052 ms (± 0,029) to execute, less than 0,3% of the total time of the fastest executing service. To obtain such low measurements we used a Java method that provides nanosecond precision (but does not guarantee nanosecond accuracy). In summary, our learning mechanism was able to stop all security attacks with a negligible overhead. This is a very significant result, as besides effectively securing the target application, it implied absolutely no extra effort from the developers that implemented the original services.

5 Conclusion

Previous works on web application security have shown that SQL/XPath Injection attacks are extremely relevant in web service applications. This paper presents an approach for improving web services security. The proposed approach consists of learning the profile of valid data access statements (SQL and XPath) and using this profile to later prevent the execution of malicious client requests. The approach was illustrated using two different TPC-App implementations. Various security issues were disclosed and corrected without additional development effort. In fact, while introducing an extremely low performance overhead, our approach proved to be 100% effective, as it was able to abort all attacks attempted in our experiments. During the whole experimental process, no extra complexity was added to the source code.
In fact, as source code is not needed, the mechanism can also be used to easily protect legacy services, which would otherwise require a difficult-to-implement and hard-to-maintain procedure. These facts make it an extremely useful tool for developers and service administrators.

References

1. Acunetix Web Vulnerability Scanner, http://www.acunetix.com/vulnerability-scanner/
2. Atlassian Clover Code Coverage Analysis, http://www.atlassian.com/software/clover/
3. Bravenboer, M., Dolstra, E., Visser, E.: Preventing injection attacks with syntax embeddings. Proceedings of the 6th International Conference on Generative Programming and Component Engineering (GPCE), Salzburg, Austria, ACM, pp. 3-12 (2007)
4. Burp Suite, http://portswigger.net/suite/
5. Cobertura, http://cobertura.sourceforge.net/
6. Curbera, F. et al.: Unraveling the Web services web: an introduction to SOAP, WSDL, and UDDI. IEEE Internet Computing, vol. 6, pp. 86-93 (2002)
7. Databene Benerator, http://databene.org/databene-benerator
8. Erl, T.: Service-Oriented Architecture: Concepts, Technology, and Design. Prentice Hall Professional Technical Reference (2005)
9. Fagan, M.: Design and code inspections to reduce errors in program development. Software Pioneers: Contributions to Software Engineering, Springer-Verlag, pp. 575-607 (2002)
10. Fortify, http://www.fortifysoftware.com/
11. Gamja, http://lastlog.com/p4ssion/
12. Halfond, W., Orso, A.: Preventing SQL injection attacks using AMNESIA. 28th International Conference on Software Engineering (ICSE), Shanghai, China, ACM, pp. 795-798 (2006)
13. Hovemeyer, D., Pugh, W.: Finding bugs is easy. ACM SIGPLAN Notices, vol. 39, pp. 92-106 (2004)
14. HP WebInspect, http://www.hp.com
15. IBM Rational AppScan, http://www-01.ibm.com/software/awdtools/appscan/
16. Kiczales, G. et al.: Aspect-Oriented Programming. 11th European Conference on Object-Oriented Programming (ECOOP) (1997)
17. Laranjeiro, N., Vieira, M., Madeira, H.: EDEL and Security Improvement for Web Services. http://eden.dei.uc.pt/~cnl/papers/edel security tool.zip (2009)
18. Laranjeiro, N., Vieira, M.: Improving Web Services Robustness. Technical Report, http://eden.dei.uc.pt/~cnl/papers/2009 icws robustness submitted.pdf (2009)
19. Livshits, V., Lam, M.: Finding security vulnerabilities in Java applications with static analysis. Proceedings of the 14th USENIX Security Symposium, Baltimore, MD, USENIX Association, pp. 18-18 (2005)
20. McKinsey & Company: Enterprise Software Customer Survey (2008)
21. Ounce, http://www.ouncelabs.com/
22. Pixy, http://pixybox.seclab.tuwien.ac.at/pixy/
23. Red Hat Middleware: JBoss Application Server, http://www.jboss.org/jbossas/
24. Stuttard, D., Pinto, M.: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. Wiley, ISBN-10: 0470170778 (2007)
25. Sun Microsystems Inc.: JAX-WS Reference Implementation, https://jax-ws.dev.java.net/
26. The Eclipse Foundation: The AspectJ Project, http://www.eclipse.org/aspectj/ (2008)
27. Thomas, S., Williams, L., Xie, T.: On automated prepared statement generation to remove SQL injection vulnerabilities. Information and Software Technology, vol. 51, pp. 589-598 (2009)
28. Thomas, S., Williams, L.: Using Automated Fix Generation to Secure SQL Statements. Third International Workshop on Software Engineering for Secure Systems (SESS) (2007)
29. Transaction Processing Performance Council: TPC Benchmark™ App (Application Server) Standard Specification, Version 1.1, http://www.tpc.org/tpc_app/ (2005)
30. Vieira, M., Antunes, N., Madeira, H.: Using Web Security Scanners to Detect Vulnerabilities in Web Services. International Conference on Dependable Systems and Networks (DSN), Estoril, Lisbon (2009)
31. W3C: W3C XML Schema, http://www.w3.org/xml/schema (2008)
32. W3C: XQuery 1.0 and XPath 2.0 Functions and Operators, http://www.w3.org/tr/xqueryoperators/ (2008)