Analysis of Vulnerability Detection Tool for Web Services
Keywords: Web services, vulnerability identification, benchmarking
The demand for web services is increasing day by day, and as a result their security is at risk. To protect against distinct types of attacks, the developer needs to select vulnerability detection tools; since many tools are available on the market, the major challenge for the developer is to find the tool best suited to the application's requirements. Recent studies show that many vulnerability detection tools provide low coverage of the vulnerabilities present together with a high false positive rate. This paper proposes a benchmarking method for assessing and comparing the efficiency of vulnerability detection tools in the web service environment. The method is used to illustrate two benchmarks, one for SQL injection and one for cross-site scripting. The first is based on a predefined set of web services; the second permits the user to define the workload (user-defined web services). The proposed system uses open source and commercial tools to test the applications against the benchmark standards. Results show that the benchmarks accurately depict the efficiency of the vulnerability detection tools.
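The abstract describes scoring scanners against a workload whose vulnerabilities are known, reporting coverage and false positive rate. The following is an added example, not the paper's code or data, of the scoring step such a benchmark needs: a known set of planted vulnerabilities (the predefined workload of the first benchmark, or a user-supplied one for the second) is compared with each tool's findings, and the tools are ranked per vulnerability class. The service and operation names, the two scanners, and the metric definitions (coverage as recall, false positive rate as the share of reports that are wrong, F-measure as their harmonic combination) are all assumptions made for this example.

```python
from dataclasses import dataclass

# Added example (not the paper's code): scoring harness for a vulnerability
# detection benchmark. A finding is (service, operation, parameter, vuln_type);
# the ground truth and every tool report use the same tuple shape, so scoring
# reduces to set arithmetic. All data below is constructed.

# Ground truth of the predefined workload (assumption: vulnerabilities planted
# at known locations in a fixed set of web service operations).
GROUND_TRUTH = frozenset({
    ("ProductService", "getProduct", "id", "sqli"),
    ("ProductService", "searchProduct", "name", "sqli"),
    ("OrderService", "listOrders", "customerId", "sqli"),
    ("UserService", "getComments", "userId", "xss"),
    ("UserService", "updateProfile", "bio", "xss"),
})

# Constructed reports from two hypothetical scanners run against that workload.
TOOL_REPORTS = {
    "scannerA": frozenset({
        ("ProductService", "getProduct", "id", "sqli"),
        ("ProductService", "searchProduct", "name", "sqli"),
        ("UserService", "getComments", "userId", "xss"),
        ("OrderService", "listOrders", "status", "sqli"),   # wrong parameter: false positive
    }),
    "scannerB": frozenset({
        ("ProductService", "getProduct", "id", "sqli"),
        ("OrderService", "listOrders", "customerId", "sqli"),
        ("UserService", "getComments", "userId", "xss"),
        ("UserService", "updateProfile", "bio", "xss"),
        ("UserService", "updateProfile", "bio", "sqli"),    # wrong class: false positive
        ("ProductService", "getProduct", "id", "xss"),      # wrong class: false positive
    }),
}


@dataclass(frozen=True)
class Score:
    true_positives: int
    false_positives: int
    false_negatives: int
    coverage: float   # detected real vulnerabilities / all real vulnerabilities (recall)
    fp_rate: float    # false reports / all reports (1 - precision)
    f_measure: float  # harmonic mean of precision and coverage


def score_tool(reported, ground_truth):
    """Compare one tool's findings with the ground truth (assumed metric definitions)."""
    tp = len(reported & ground_truth)
    fp = len(reported - ground_truth)
    fn = len(ground_truth - reported)
    coverage = tp / len(ground_truth) if ground_truth else 0.0
    # A tool that reports nothing has no false reports, but also zero coverage.
    fp_rate = fp / len(reported) if reported else 0.0
    precision = 1.0 - fp_rate
    denom = precision + coverage
    f_measure = 2 * precision * coverage / denom if denom else 0.0
    return Score(tp, fp, fn, coverage, fp_rate, f_measure)


def rank_tools(reports, ground_truth):
    """Score every tool and rank by F-measure, then coverage (best first)."""
    scored = [(name, score_tool(findings, ground_truth))
              for name, findings in reports.items()]
    scored.sort(key=lambda item: (item[1].f_measure, item[1].coverage), reverse=True)
    return scored


def benchmark_by_type(reports, ground_truth, vuln_type):
    """Run the ranking for one vulnerability class only ('sqli' or 'xss' here)."""
    gt = frozenset(v for v in ground_truth if v[3] == vuln_type)
    filtered = {name: frozenset(v for v in findings if v[3] == vuln_type)
                for name, findings in reports.items()}
    return rank_tools(filtered, gt)


if __name__ == "__main__":
    for vuln_type in ("sqli", "xss"):
        print(f"== {vuln_type} benchmark ==")
        for name, s in benchmark_by_type(TOOL_REPORTS, GROUND_TRUTH, vuln_type):
            print(f"{name}: coverage={s.coverage:.2f} "
                  f"fp_rate={s.fp_rate:.2f} F={s.f_measure:.2f}")
```

Replacing `GROUND_TRUTH` with the planted vulnerabilities of a user-supplied set of services turns the same harness into the second, user-defined benchmark; the per-class split matters because a tool that looks strong overall can have low coverage on one class (here scannerA misses one of the two XSS locations and half of the combined set).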