Automated and effective testing of web services for XML injection attacks

Sadeeq Jan, Cu D. Nguyen, Lionel C. Briand

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

Abstract

XML is extensively used in web services for integration and data exchange. Its popularity and wide adoption make it an attractive target for attackers, and a number of XML-based attack types have been reported recently. This raises the need for cost-effective, automated testing of web services to detect XML-related vulnerabilities, which is the focus of this paper. We discuss a taxonomy of the types of XML injection attacks and use it to derive four different ways to mutate XML messages, turning them into attacks (tests) automatically. Further, we consider domain constraints and attack grammars, and use a constraint solver to generate XML messages that are both malicious and valid, thus making it more difficult for any protection mechanism to recognise them. As a result, such messages have a better chance of detecting vulnerabilities. Our evaluation on an industrial case study has shown that a large proportion (78.86%) of the attacks generated using our approach could circumvent the first layer of security protection, an XML gateway (firewall), a result that is much better than what a state-of-the-art tool based on fuzz testing could achieve.

Original language: English
Title of host publication: ISSTA 2016 - Proceedings of the 25th International Symposium on Software Testing and Analysis
Editors: Abhik Roychoudhury, Andreas Zeller
Publisher: Association for Computing Machinery, Inc
Pages: 12-23
Number of pages: 12
ISBN (Electronic): 9781450343909
Publication status: Published - 18 Jul 2016
Externally published: Yes
Event: 25th International Symposium on Software Testing and Analysis, ISSTA 2016 - Saarbrucken, Germany
Duration: 18 Jul 2016 to 20 Jul 2016

Publication series

Name: ISSTA 2016 - Proceedings of the 25th International Symposium on Software Testing and Analysis

Conference

Conference: 25th International Symposium on Software Testing and Analysis, ISSTA 2016
Country/Territory: Germany
City: Saarbrucken
Period: 18/07/16 to 20/07/16

Keywords

  • Constraint solving
  • Security testing
  • XML injection
