Analysis of Vulnerability Detection Tool for Web Services

  • Authors

    • Senthamil Preethi K
    • Murugan A
    2018-07-20
    https://doi.org/10.14419/ijet.v7i3.12.16499
  • Keywords: Web services, vulnerability identification, benchmarking
  • Demand for web services is increasing day by day, and as a result the security of web services is at risk. To guard against the different types of attack, developers need to select vulnerability detection tools. Because many tools are available on the market, the major challenge for a developer is to find the tool best suited to the application's requirements. A recent study shows that many vulnerability detection tools provide low vulnerability detection coverage and a high false positive rate. This paper proposes a benchmarking method for assessing and comparing the efficiency of vulnerability detection tools in a web service environment. The method is illustrated with two benchmarks for SQL injection and cross-site scripting: the first is based on a predefined set of web services, and the second lets the user specify the workload (user-defined web services). The proposed system used open source and commercial tools to test the application against the benchmarking standards. The results show that the benchmarks perfectly depict the efficiency of vulnerability detection tools.

     


  • How to Cite

    Preethi K, S., & A, M. (2018). Analysis of Vulnerability Detection Tool for Web Services. International Journal of Engineering & Technology, 7(3.12), 773-778. https://doi.org/10.14419/ijet.v7i3.12.16499