A Validation Model of Data Input
for Web Services
Rafael B. Brinhosa, Carla M. Westphall, Carlos B.
Westphall, Daniel R. dos Santos, Fábio Grezele
The Twelfth International Conference on Networks - ICN 2013
January 27 - February 1, 2013 - Seville, Spain
Post Graduation Program in Computer Science
Federal University of Santa Catarina
{ brinhosa,carlamw,westphal,danielrs,fgrezele }@inf.ufsc.br
1
Content at a Glance
• Introduction and Related Works
• Security Issues in Web Services
• A Validation Model of Data Input for Web
Service (WSIVM)
• Implementation Results
– Development
– Case Study
• Conclusions and Future Works
2
Introduction
• SOA is based on web services but there are
security related concerns
• The lack of proper input validation is a major
cause of data breaches and Web application
attacks
• Application attacks: SQL injection and cross-site
scripting (XSS)
Web Services Input Validation Model: an XML schema,
an XML specification and a module for performing input
validation according to the schema
3
Introduction – Web Services
UDDI (Universal Description, Discovery and Integration):
find Web services which meet certain requirements
WSDL (Web Services Description Language): services
describe their own properties and methods
SOAP (Simple Object Access Protocol): format of requests
(client) and responses (server)
HTTP (Hypertext Transfer Protocol): message transfer
protocol
4
Introduction – Web Services
Figure available from: http://gdp.globus.org/gt4-tutorial 5
Related Work
• Lack of input validation is a major cause of Web
application attacks
– SANS, 2011: The Top Cyber Security Risks
– OWASP 2010: OWASP top 10 Web application
security risks
– [T. Scholte, D. Balzarotti, E. Kirda, 2011] - “Quo
vadis? A study of the evolution of input
validation vulnerabilities in Web applications”
• Few specific mechanisms for Web Services
• [N. A. Nordbotten, 2009] [L. Sun and Y. Li, 2008]
use XML security technologies (encryption)
6
Related Work
• WS-Security Wrapper: is an intermediate between
the Web service and the client; is an adapter
program that converts plain XML exchanges to and
from SOAP with WS-Security (XML signature and
encryption). It does not include features such as
validation of predefined data entries
• [J. Lin and J. Chen, 2009]
– Collects web pages (crawler), identify weak
points and test them
– insert the input validation (meta-programs) on
the server side, acting as a web application
firewall
– many false positives with blacklist approach
7
Related Work
• IAPF (Integrated Application and Protocol Framework)
[N. Sidharth and J. Liu, 2007]:
– Protection in UDDI, WSDL, SOAP (WS-Sec)
• XML firewall:
– [A. Blyth, 2009] is concerned with validation of
the structure of XML content but not the
content itself
– [Y. Loh, W. Yau, C. Wong, and W. Ho, 2006]
mentions protection against SQL injection
through an XML schema and a precompiled
blacklist of SQL commands, an approach which
tends to produce many false positives
8
Security Issues in Web Services
• WSDL scanning: to reveal sensitive information
about invocation patterns, underlying technology
implementations
• Serious and important data manipulation attacks:
SQL injection and XSS
• Normal firewalls, antivirus and using WS-Security
standards are not able to protect web services
against SQL injection and XSS attacks
9
SQL Injection – Illustrated
[Figure: OWASP Top Ten SQL injection illustration. Network layer: firewall, hardened OS, web server, app server, firewall. Application layer: custom code and business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce) over databases, legacy systems, web services, directories, human resources and billing. Flow: HTTP request, SQL query, DB table, HTTP response; an account summary is returned to the attacker.]
Injected query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 10
Security Issues in Web Services
• SQL Injection: by sending SOAP requests with
specially crafted parameters that the service does not
handle properly, for example, “'"1=1 –” as a parameter
for a particular service
ERROR: The query was not accomplished. Description:
1064 - You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version
for the right syntax to use near '1=1'' at line 1
Line 11: Incorrect syntax near '')) or ItemId in (select
ItemId from dbo.GetItemParents('4''. Unclosed
quotation mark before the character string ')) ) ) > 0 ‘
11
Heartland Payment Systems
Available from: http://www.databreaches.net/?p=7691 12
Heartland Payment Systems
Available from: http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf 13
Cross-Site Scripting Illustrated
[Figure: OWASP Top Ten stored XSS illustration. Application with stored XSS vulnerability; custom code and business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce).]
1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile
3. Script silently sends attacker victim's session cookie: script runs inside victim's browser with full access to the DOM and cookies
Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 14
Security Issues in Web Services
• XSS: by presenting unvalidated data directly to
the user, Web services can be attacked. Using, for
example, the command
document.write(xmlhttp.responseText), if the
answer to this AJAX (Asynchronous JavaScript and
XML) call made to a Web service contains HTML
and JavaScript data, these data will be
interpreted and executed, posing a risk to the
user
15
WSIVM – Web Services Input Validation Model
• Validate input data to provide security for Web
Services. Controls on the lexical and syntactic
aspects, type checking
• Best way to avoid attacks: whitelist input
validation (sanitization - change input into an acceptable format)
16
WSIVM – Web Services Input Validation Model
17
WSIVM – Development
• Apache Tomcat Web server
• Apache Axis2 framework for SOAP messages
• To implement the validation module for Apache
Axis2 the Rampart module was used
• The message is intercepted in the PreDispatch
phase
• WSIVMXMLSchema, WSIVMXMLSpecification, and
WSIVM Rampart module
18
WSIVM – WSIVMXMLSpecification
OperationName: the name of the operation
SanitizeOperation: defines whether the parameters of
this operation can be reformulated if necessary for the
removal of characters that are not accepted
ParamName: the name of the parameter or field
Allowed: an allowed field type, which is valid (text, html,
html+java-script, email, number, and all)
Length: specifies the exact size of the field
Maxsize: specifies the maximum field size
Minsize: specifies the minimum field size
Nillable: determines whether or not it is possible that
the field is null (true or false)
regEx: allows a regular expression to be specified for
validation
19
Case Study
• Case Study: Client Application + Web Service
• UniversityManager web service:
– searchStudent receives a registration number
(ID) and returns the student record containing
a String with his or her information
– registerStudent operation receives the
information, which must not contain HTML or
Javascript code, and registers it on the MySQL
database. In the database a student’s table is
created: ID, name, age, email, comment,
site, and birthday
20
WSIVMXMLSpecification – UniversityManager
<?xml version="1.0" encoding="UTF-8"?>
<valid_inputs_specification xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
WebServiceID="UniversityManager"
xsi:noNamespaceSchemaLocation="valid_inputs_specification.xsd">
<operation name="registerStudent">
<input name="name" type="String" min="5" max="20" accept="text" sanitize="true"/>
<input name="age" type="Integer" min="0" max="150" accept="number" sanitize="true"/>
<input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/>
<input name="comment" type="String" min="0" max="200" accept="text" sanitize="true"/>
<input name="site" type="String" min="0" max="300" accept="url" sanitize="true"/>
<input name="data" type="String" min="0" max="200" accept="regex" regexpattern="(\d{4})-(\d{2})-(\d{2})" sanitize="true"/>
</operation>
<operation name="searchStudent">
<input name="id" type="Integer" min="0" max="10000" accept="number" sanitize="true"/>
</operation>
</valid_inputs_specification>
21
Case Study - Results
• Experiments:
– With and without WSIVM
– 150 users
– The test runs for 300 seconds
– soapUi: direct calls to the web service
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:univ="http://university.wsivm.example">
<soap:Header/><soap:Body>
<univ:registerStudent>
<univ:name>John</univ:name>
<univ:age>12</univ:age>
<univ:email>john@hsj.com</univ:email>
<univ:comment>Passed</univ:comment>
<univ:site>http://www.univ.com</univ:site>
<univ:birthday>1980-09-12</univ:birthday>
</univ:registerStudent>
</soap:Body></soap:Envelope>
22
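The validation the specification and request above describe, as an added Python example (not the project's Axis2/Rampart module): it loads a WSIVMXMLSpecification, then checks one SOAP 1.2 request against the rules of its operation, whitelisting each parameter by accept type and, when sanitize="true", reformulating a text value by dropping characters outside the whitelist instead of rejecting it, which is also how the SQL injection and XSS inputs from the earlier slides are kept out of the database and the response. Assumptions: min/max are taken as a length range for String and a value range for Integer parameters, the spec's "data" input is renamed "birthday" to match the request, the name is lengthened to meet min="5", and the text, email and url whitelists are my own.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"

# Constructed specification modelled on slide 21 (assumptions: "data" renamed
# "birthday" to match the request below; the \d lost from the pattern restored).
SPEC_XML = r"""<valid_inputs_specification WebServiceID="UniversityManager">
<operation name="registerStudent">
<input name="name" type="String" min="5" max="20" accept="text" sanitize="true"/>
<input name="age" type="Integer" min="0" max="150" accept="number" sanitize="true"/>
<input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/>
<input name="comment" type="String" min="0" max="200" accept="text" sanitize="true"/>
<input name="site" type="String" min="0" max="300" accept="url" sanitize="true"/>
<input name="birthday" type="String" min="0" max="200" accept="regex" regexpattern="(\d{4})-(\d{2})-(\d{2})" sanitize="true"/>
</operation>
<operation name="searchStudent">
<input name="id" type="Integer" min="0" max="10000" accept="number" sanitize="true"/>
</operation>
</valid_inputs_specification>"""

# Constructed request modelled on slide 22 ("John" lengthened to satisfy min="5").
GOOD_REQUEST = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
 xmlns:univ="http://university.wsivm.example"><soap:Header/><soap:Body>
<univ:registerStudent><univ:name>John Doe</univ:name><univ:age>12</univ:age>
<univ:email>john@hsj.com</univ:email><univ:comment>Passed</univ:comment>
<univ:site>http://www.univ.com</univ:site><univ:birthday>1980-09-12</univ:birthday>
</univ:registerStudent></soap:Body></soap:Envelope>"""

# Same request with markup and a quote in the comment, XML-escaped as a SOAP
# client must send them; the parser hands the decoded text to the validator.
BAD_REQUEST = GOOD_REQUEST.replace("<univ:comment>Passed</univ:comment>",
    "<univ:comment>Passed &lt;b&gt;' OR 1=1--&lt;/b&gt;</univ:comment>")

# Whitelists (my choices): characters a "text" field may carry, and full-match
# patterns for the other accept types.
TEXT_DISALLOWED = re.compile(r"[^\w\s.,!?()-]")
ACCEPT_PATTERNS = {
    "number": re.compile(r"-?\d+"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._~%/-]*)?"),
}


def parse_spec(xml_text):
    """Load a WSIVMXMLSpecification into {operation: {parameter: attributes}}."""
    root = ET.fromstring(xml_text)
    return {op.get("name").strip(): {i.get("name"): dict(i.attrib) for i in op.findall("input")}
            for op in root.findall("operation")}


def check_param(rule, value):
    """Apply one <input> rule; returns (accepted, cleaned_value, reason). Assumption:
    min/max bound the length of a String and the value of an Integer."""
    accept = rule.get("accept", "all")
    sanitize = rule.get("sanitize", "false").lower() == "true"
    lo, hi = int(rule.get("min", 0)), int(rule.get("max", 10**9))
    cleaned = value.strip()
    if accept == "text":
        if TEXT_DISALLOWED.search(cleaned):
            if not sanitize:  # sanitize="false": reject rather than reformulate
                return False, None, "characters outside the text whitelist"
            cleaned = TEXT_DISALLOWED.sub("", cleaned)  # SanitizeOperation
    elif accept == "regex":
        if not re.fullmatch(rule["regexpattern"], cleaned):
            return False, None, "does not match regexpattern"
    elif accept in ACCEPT_PATTERNS:
        if not ACCEPT_PATTERNS[accept].fullmatch(cleaned):
            return False, None, "not a valid " + accept
    elif accept != "all":  # unknown accept type: fail closed
        return False, None, "unknown accept type " + accept
    if rule.get("type") == "Integer":
        if not re.fullmatch(r"-?\d+", cleaned):
            return False, None, "not an integer"
        n = int(cleaned)
        return (True, n, "") if lo <= n <= hi else (False, None, "value out of range")
    if not lo <= len(cleaned) <= hi:
        return False, None, "length %d outside [%d, %d]" % (len(cleaned), lo, hi)
    return True, cleaned, ""


def validate_soap(spec, soap_text):
    """Validate the single operation call in a SOAP 1.2 Body; returns (accepted,
    cleaned_params, errors). Undeclared operations and parameters are rejected."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop ElementTree's {ns} prefix
    body = ET.fromstring(soap_text).find("{%s}Body" % SOAP_NS)
    if body is None or len(body) != 1:
        return False, {}, ["Body must carry exactly one operation element"]
    op = body[0]
    rules = spec.get(local(op.tag))
    if rules is None:
        return False, {}, ["operation %s not in specification" % local(op.tag)]
    cleaned, errors = {}, []
    for child in op:
        name = local(child.tag)
        if name not in rules:
            errors.append(name + ": parameter not declared for this operation")
            continue
        ok, val, why = check_param(rules[name], child.text or "")
        if ok:
            cleaned[name] = val
        else:
            errors.append(name + ": " + why)
    return not errors, cleaned, errors
```

With sanitize="true" the hostile comment is reformulated and the request still reaches the service; set sanitize="false" on the rule to have the same request refused.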
Case Study - Results
Comparison
                 Min. Time   Max. Time   Avg. Time    Transferred Bytes   B/s        Insertions in DB
Without WSIVM    35 ms       27848 ms    2494,85 ms   1974195 B           6506 B/s   10078
With WSIVM       64 ms       13346 ms    4541,24 ms   1236330 B           4012 B/s   5134
Total (change)   83 %        - 52 %      82 %         - 37 %              - 38 %     - 49 %
23
Conclusions
• Reusable and independent mechanism for data
entry validation, regardless of the
implementation of the web service
• Based on the white list approach (reduction in
false positives)
– More reliable than the blacklist. If a blacklist is
created based on the current version of HTML,
in the case of new versions, this list may no
longer be considered valid
– The number of false positives or false
negatives will depend on the WSIVM XML
Specification defined
24
Conclusions
– The framework provides the specification
to be customized according to the Web Service
requirements and needs
• Prevention of data injection attacks in Web
services and the waste of server processing with
invalid messages
• Reduces the possibility of denial of service using
content of messages
• Negative impact on the performance of the
developed Web service but reduces the possibility
of inserting invalid data
• Solution for legacy applications reducing
development costs 25
Future Work
• Optimization of the implementation to improve
the performance of the proposed model
• Development of a semi-automatic generator of
security specifications from WSDL
• Verification of SOAP messages and paths in XPath
format
• Use of artificial intelligence or an anomaly
detection system
• Making a feedback loop filter validation of invalid
entries
26
Some References
1. OWASP Top Ten - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
2. T. Scholte, D. Balzarotti, and E. Kirda, “Quo vadis? A study of the evolution of input validation
vulnerabilities in Web applications,” in Proc. Int. Conference on Financial Cryptography and Data
Security '11, St. Lucia, 2011.
3. N. A. Nordbotten, “XML and Web services security standards,” Communications Surveys & Tutorials,
IEEE, vol. 11, no. 3, pp. 4–21, 2009.
4. L. Sun and Y. Li, “XML and Web services security,” in Proc. 12th Int. Conf. Computer Supported
Cooperative Work in Design, CSCWD 2008, April 16–18, pp. 765–770.
5. N. Sidharth and J. Liu, “A framework for enhancing Web services security,” in Proc. 31st Ann. Int.
Computer Software and Applications Conf., 2007, COMPSAC 2007, Jul. 24–27, vol. 1, pp. 23–30.
6. WS-Security Wrapper - http://wsswrapper.sourceforge.net/
7. J. Lin and J. Chen, “An automated mechanism for secure input handling,” Journal of Computers, vol.
4, no. 9, pp. 837–844, 2009.
8. N. Sidharth and J. Liu, “A framework for enhancing Web services security,” in Proc. 31st Ann. Int.
COMPSAC 2007, Jul. 24–27, vol. 1, pp. 23–30.
9. A. Blyth, “An architecture for an XML enabled firewall,” International Journal of Network Security,
vol. 8, no. 1, pp. 31–36, 2009, ISSN 1816–3548.
10. Y. Loh, W. Yau, C. Wong, and W. Ho, “Design and implementation of an XML firewall,” in Proc. 2006 Int.
Conf. Computational Intelligence and Security, Nov. 3–6, vol. 2, pp. 1147–1150.
11. CWE/SANS TOP 25 Most Dangerous Software Errors -
http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf
12. R. Wu and M. Hisada, “SOA Web Security and Applications”, Technology, vol. 9, no. 2, p. 163-177, 2010.
13. T. Scholte, W. Robertson, D. Balzarotti, E. Kirda, "Preventing Input Validation Vulnerabilities in Web
Applications through Automated Type Analysis," in Proc. 2012 IEEE 36th Annual COMPSAC 2012 , pp.233-
243, July 2012.
27
Thank you!
Rafael B. Brinhosa, Carla M. Westphall, Carlos B. Westphall,
Daniel R. dos Santos, Fábio Grezele
{ brinhosa,carlamw,westphal,danielrs,fgrezele }@inf.ufsc.br
28

More Related Content

PDF
Manipulating Web App Interfaces: a new approach to input validation testing
PPT
HTTP protocol and Streams Security
PDF
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
PPTX
Web 2.0 Development with IBM DB2
PPT
Blind SQL Injection
PPTX
Restful webservices
PDF
ReST (Representational State Transfer) Explained
PDF
Representational State Transfer (REST)
Manipulating Web App Interfaces: a new approach to input validation testing
HTTP protocol and Streams Security
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Web 2.0 Development with IBM DB2
Blind SQL Injection
Restful webservices
ReST (Representational State Transfer) Explained
Representational State Transfer (REST)

What's hot (20)

PPT
Mule webservices in detail
PPTX
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
PPTX
Web Programming
PPTX
REST & RESTful Web Services
PPTX
Rest & RESTful WebServices
PPTX
ASP.NET Web API and HTTP Fundamentals
PPTX
Representational state transfer (rest) architectural style1.1
PDF
PPT
REST Presentation
PPTX
Overview of Rest Service and ASP.NET WEB API
PPT
Introduction to the Web API
PPT
The Rest Architectural Style
PDF
REST - Representational State Transfer
PPTX
JSON and REST
PPT
Using Java to implement SOAP Web Services: JAX-WS
PPTX
The Full Power of ASP.NET Web API
PPT
Web services - REST and SOAP
PPTX
PDF
Unit 02: Web Technologies (1/2)
PPTX
Software performance testing_overview
Mule webservices in detail
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...
Web Programming
REST & RESTful Web Services
Rest & RESTful WebServices
ASP.NET Web API and HTTP Fundamentals
Representational state transfer (rest) architectural style1.1
REST Presentation
Overview of Rest Service and ASP.NET WEB API
Introduction to the Web API
The Rest Architectural Style
REST - Representational State Transfer
JSON and REST
Using Java to implement SOAP Web Services: JAX-WS
The Full Power of ASP.NET Web API
Web services - REST and SOAP
Unit 02: Web Technologies (1/2)
Software performance testing_overview
Ad

Viewers also liked (9)

PDF
Manipulating Web Application Interfaces
PDF
Service worker - Offline Web
PDF
Progressive Web Apps
PDF
Boas práticas de API Design
PDF
Offline Web com Service Workers - Sérgio Lopes
PDF
Material design para web
PPTX
Progressive Web Apps e o futuro do desenvolvimento Web na Plataforma .NET
PPTX
ASP .NET CORE, Angular 2, e Typescript com Scaffolding Yeoman | Seminário
PDF
Progressive Web Apps: o melhor da Web appficada
Manipulating Web Application Interfaces
Service worker - Offline Web
Progressive Web Apps
Boas práticas de API Design
Offline Web com Service Workers - Sérgio Lopes
Material design para web
Progressive Web Apps e o futuro do desenvolvimento Web na Plataforma .NET
ASP .NET CORE, Angular 2, e Typescript com Scaffolding Yeoman | Seminário
Progressive Web Apps: o melhor da Web appficada
Ad

Similar to A Validation Model of Data Input for Web Services (20)

PDF
Attacks on web services need to secure xml on web
PDF
A Literature Review on Trust Management in Web Services Access Control
PDF
International Journal on Web Service Computing (IJWSC)
PDF
A Literature Review on Trust Management in Web Services Access Control
PDF
A Literature Review on Trust Management in Web Services Access Control
PDF
Protecting Web Services from DDOS Attack
PDF
ENGS4851_Final_Certified_Report
PDF
2 Roads to Redemption - Thoughts on XSS and SQLIA
PDF
XML Encryption and Signature for Securing Web Services
PDF
XML Encryption and Signature for Securing Web Services
PDF
XML ENCRYPTION AND SIGNATURE FOR SECURING WEB SERVICES
PDF
Review paper on web service security
PDF
Owasp Top 10
PPT
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
PDF
Coding Security: Code Mania 101
PPTX
OWASP_Top_Ten_Proactive_Controls_v2.pptx
PPT
Web Services Security
PPTX
Owasp first5 presentation
PPTX
Owasp first5 presentation
Attacks on web services need to secure xml on web
A Literature Review on Trust Management in Web Services Access Control
International Journal on Web Service Computing (IJWSC)
A Literature Review on Trust Management in Web Services Access Control
A Literature Review on Trust Management in Web Services Access Control
Protecting Web Services from DDOS Attack
ENGS4851_Final_Certified_Report
2 Roads to Redemption - Thoughts on XSS and SQLIA
XML Encryption and Signature for Securing Web Services
XML Encryption and Signature for Securing Web Services
XML ENCRYPTION AND SIGNATURE FOR SECURING WEB SERVICES
Review paper on web service security
Owasp Top 10
Web Services Presentation - Introduction, Vulnerabilities, & Countermeasures
Coding Security: Code Mania 101
OWASP_Top_Ten_Proactive_Controls_v2.pptx
Web Services Security
Owasp first5 presentation
Owasp first5 presentation

Recently uploaded (20)

PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
PDF
Odoo Companies in India – Driving Business Transformation.pdf
PPTX
history of c programming in notes for students .pptx
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
PDF
System and Network Administration Chapter 2
PPTX
Essential Infomation Tech presentation.pptx
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
PPTX
CHAPTER 2 - PM Management and IT Context
PDF
AI in Product Development-omnex systems
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
PPTX
L1 - Introduction to python Backend.pptx
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
Odoo Companies in India – Driving Business Transformation.pdf
history of c programming in notes for students .pptx
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
System and Network Administration Chapter 2
Essential Infomation Tech presentation.pptx
Upgrade and Innovation Strategies for SAP ERP Customers
wealthsignaloriginal-com-DS-text-... (1).pdf
Which alternative to Crystal Reports is best for small or large businesses.pdf
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
How to Choose the Right IT Partner for Your Business in Malaysia
How to Migrate SBCGlobal Email to Yahoo Easily
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Adobe Illustrator 28.6 Crack My Vision of Vector Design
CHAPTER 2 - PM Management and IT Context
AI in Product Development-omnex systems
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
L1 - Introduction to python Backend.pptx
Wondershare Filmora 15 Crack With Activation Key [2025

A Validation Model of Data Input for Web Services

  • 1. A Validation Model of Data Input for Web Services Rafael B. Brinhosa, Carla M. Westphall, Carlos B. Westphall, Daniel R. dos Santos, Fábio Grezele The Twelfth International Conference on Networks - ICN 2013 January 27 - February 1, 2013 - Seville, Spain Westphall, Daniel R. dos Santos, Fábio Grezele Post Graduation Program in Computer Science Federal University of Santa Catarina { brinhosa,carlamw,westphal,danielrs,fgrezele }@inf.ufsc.br 1
  • 2. Content at a GlanceContent at a Glance • Introduction and Related Works • Security Issues in Web Services • A Validation Model of Data Input for Web Service (WSIVM)Service (WSIVM) • Implementation Results – Development – Case Study • Conclusions and Future Works 2
  • 3. • SOA is based on web services but there are security related concerns • The lack of proper input validation is a major cause of data breaches and Web application attacks IntroductionIntroduction • Application attacks: SQL injection and cross-site scripting (XSS) Web Services Input Validation Model: an XML schema, an XML specification and a module for performing input validation according to the schema 3
  • 4. IntroductionIntroduction –– Web ServicesWeb Services Find Web services which meet certain requirements (Universal Description, Discovery and Integration) Services describe their own properties and methodsproperties and methods (Web Services Description Language) Format of requests(client) and responses (server) (Simple Object Access Protocol) Message transfer protocol (Hypertext Transfer Protocol) 4
  • 5. IntroductionIntroduction –– Web ServicesWeb Services Figure available from: http://gdp.globus.org/gt4-tutorial 5
  • 6. Related WorkRelated Work • Lack of input validation is a major cause of Web application attacks – SANS, 2011: The Top Cyber Security Risks – OWASP 2010: OWASP top 10 Web application security risks – [T. Scholte, D. Balzarotti, E. Kirda, 2011] - “Quo– [T. Scholte, D. Balzarotti, E. Kirda, 2011] - “Quo vadis? A study of the evolution of input validation vulnerabilities in Web applications” • Few specific mechanisms for Web Services • [N. A. Nordbotten, 2009] [L. Sun and Y. Li, 2008] use XML security technologies (encryption) 6
  • 7. Related WorkRelated Work • WS-Security Wrapper: is an intermediate between the Web service and the client; is an adapter program that converts plain XML exchanges to and from SOAP with WS-Security (XML signature and encryption). It does not include features such as validation of predefined data entries • [J. Lin and J. Chen, 2009]• [J. Lin and J. Chen, 2009] – Collects web pages (crawler), identify weak points and test them – insert the input validation (meta-programs) on the server side, acting as a web application firewall – many false positives with blacklist approach 7
  • 8. Related WorkRelated Work • IAPF (Integrated Application and Protocol Framework) [N. Sidharth and J. Liu, 2007]: – Protection in UDDI, WSDL, SOAP (WS-Sec) • XML firewall: – [A. Blyth, 2009] is concerned with validation of– [A. Blyth, 2009] is concerned with validation of the structure of XML content but not the content itself – [Y. Loh, W. Yau, C. Wong, and W. Ho, 2006] mentions protection against SQL injection through an XML schema and a precompiled blacklist of SQL commands, an approach which tends to produce many false positives 8
  • 9. • WSDL scanning: to reveal sensitive information about invocation patterns, underlying technology implementations • Serious and important data manipulation attacks: SQL injection and XSS • Normal firewalls, antivirus and using WS-Security Security Issues in Web ServicesSecurity Issues in Web Services • Normal firewalls, antivirus and using WS-Security standards are not able to protect web services against SQL injection and XSS attacks 9
  • 10. Databases LegacySystems WebServices Directories HumanResrcs Billing Custom Code APPLICATION ATTACK ApplicationLayer Accounts Finance Administration Transactions Communication KnowledgeMgmt E-Commerce Bus.Functions HTTP request SQL query DB TableHTTP response "SELECT * FROM accounts WHERE acct=‘’ OR 1=1-- ’" 1. Application presents a form to the attacker 2. Attacker sends an attack in the Account Summary Acct:5424-6066-2134-4334 Acct:4128-7574-3921-0192 Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 Account: SKU: Account: SKU: SQL InjectionSQL Injection –– IllustratedIllustrated Firewall Hardened OS Web Server App Server Firewall NetworkLayer 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 10
  • 11. • SQL Injection: by sending SOAP requests with properly handled parameters, for example, “'"1=1 –” as a parameter for a particular service Security Issues in Web ServicesSecurity Issues in Web Services ERROR: The query was not accomplished. Description: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server versionmanual that corresponds to your MySQL server version for the right syntax to use near '1=1'' at line 1 Line 11: Incorrect syntax near '')) or ItemId in (select ItemId from dbo.GetItemParents('4''. Unclosed quotation mark before the character string ')) ) ) > 0 ‘ 11
  • 12. Heartland Payment SystemsHeartland Payment Systems 12Available from: http://www.databreaches.net/?p=7691
  • 13. Heartland Payment SystemsHeartland Payment Systems Available from: http://www.wired.com/images_blogs/threatlevel/2009/08/gonzalez.pdf 13
  • 14. CrossCross--Site Scripting IllustratedSite Scripting Illustrated Application with stored XSS vulnerability Attacker sets the trap – update my profile Attacker enters a malicious script into a web page that stores the data on the server 1 Administration Transactions Communication Knowledge Commerce Bus.Functions 3 2 Victim views page – sees attacker profile Script silently sends attacker Victim’s session cookie Script runs inside victim’s browser with full access to the DOM and cookies Custom Code Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus.Functions Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 14
  • 15. • XSS: by presenting unvalidated data directly to the user, Web services can be attacked. Using, for example, the command document.write(xmlhttp.responseText), if the answer to this AJAX (Asynchronous JavaScript and XML) call made to a Web service contains HTML Security Issues in Web ServicesSecurity Issues in Web Services XML) call made to a Web service contains HTML and JavaScript data, these data will be interpreted and executed, posing a risk to the user 15
  • 16. • Validate input data to provide security for Web Services. Controls on the lexical and syntactic aspects, type checking • Best way to avoid attacks: whitelist input validation (sanitization - change input into an acceptable format) WSIVMWSIVM –– Web Services Input Validation ModelWeb Services Input Validation Model 16
  • 17. WSIVMWSIVM –– Web Services Input Validation ModelWeb Services Input Validation Model 17
  • 18. WSIVMWSIVM –– DevelopmentDevelopment • Apache Tomcat Web server • Apache Axis2 framework for SOAP messages • To implement the validation module for Apache Axis2 the Rampart module was used • It was chosen to intercept the message in the phase PreDispatchphase PreDispatch • WSIVMXMLSchema, WSIVMXMLSpecification, and WSIVM Rampart module 18
  • 19. OperationName: the name of the operation SanitizeOperation: defines whether the parameters of this operation can be reformulated if necessary for the removal of characters that are not accepted ParamName: the name of the parameter or field Allowed: an allowed field type, which is valid (text, html, html+java-script, email, number, and all) WSIVMWSIVM –– WSIVMXMLSpecificationWSIVMXMLSpecification html+java-script, email, number, and all) Length: specifies the exact size of the field Maxsize: specifies the maximum field size Minsize: specifies the minimum field size Nillable: determines whether or not it is possible that the field is null (true or false) regEx: allows a regular expression to be specified for validation 19
  • 20. Case StudyCase Study • Case Study: Client Application + Web Service • UniversityManager web service: – searchStudent receives a registration number (ID) and returns the student record containing a String with his or her information – registerStudent operation receives the– registerStudent operation receives the information, which must not contain HTML or Javascript code, and registers it on the MySQL database. In the database a student’s table is created: ID, name, age, email, comment, site, and birthday 20
  • 21. WSIVMXMLSpecification WSIVMXMLSpecification–UniversityManager <?xml version="1.0" encoding="UTF-8"?> <valid_inputs_specification mlns:xsi="http://www.w3.org/2001/XMLSchema-instance" WebServiceID=“UniversityManager" xsi:noNamespaceSchemaLocation="valid_inputs_specification.xsd"> <operation name="registerStudent "> <input name="name" type="String" min="5" max="20" accept="text" sanitize="true"/> <input name="age" type="Integer" min="0" max="150" accept="number" sanitize="true"/> <input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/><input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/> <input name="comment" type="String" min="0" max="200" accept="text" sanitize="true"/> <input name="site" type="String" min="0" max="300" accept="url" sanitize="true"/> <input name="data" type="String" min="0" max="200" accept="regex" regexpattern= "(d{4})-(d{2})-(d{2})" sanitize="true"/> </operation> <operation name="searchStudent "> <input name="id" type="Integer" min="0" max="10000" accept="number" sanitize="true"/> </operation> </valid_inputs_specification> 21
• 22. Case Study – Results
  • Experiments:
    – with and without WSIVM
    – 150 users
    – each test run lasts 300 seconds
    – soapUI issues direct calls to the web service
  Sample registerStudent request:
  <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                 xmlns:univ="http://university.wsivm.example">
    <soap:Header/>
    <soap:Body>
      <univ:registerStudent>
        <univ:name>John</univ:name>
        <univ:age>12</univ:age>
        <univ:email>john@hsj.com</univ:email>
        <univ:comment>Passed</univ:comment>
        <univ:site>http://www.univ.com</univ:site>
        <univ:birthday>1980-09-12</univ:birthday>
      </univ:registerStudent>
    </soap:Body>
  </soap:Envelope>
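The following is an added example, not the authors' WSIVM module: a small Python validator that loads a WSIVM-style specification (slide 19 / slide 21) and checks a SOAP 1.2 request like the one on slide 22 against it, parameter by parameter, whitelist-first. The embedded specification and requests are constructed from the slides; the grammars behind the accept classes (text, number, email, url), the reading of min/max as numeric bounds for Integer and as character counts for String, the renaming of the date field to birthday so that it matches the request, and the rejection of nested elements and repeated parameters are this example's assumptions, not something the slides define.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"

# Specification constructed from slide 21 (regex backslashes restored; the date
# field is named "birthday" to match the slide 22 request, where slide 21 has "data").
SPEC_XML = r"""<valid_inputs_specification WebServiceID="UniversityManager">
  <operation name="registerStudent">
    <input name="name" type="String" min="5" max="20" accept="text" sanitize="true"/>
    <input name="age" type="Integer" min="0" max="150" accept="number" sanitize="true"/>
    <input name="email" type="String" min="0" max="200" accept="email" sanitize="true"/>
    <input name="comment" type="String" min="0" max="200" accept="text" sanitize="true"/>
    <input name="site" type="String" min="0" max="300" accept="url" sanitize="true"/>
    <input name="birthday" type="String" min="0" max="200" accept="regex"
           regexpattern="(\d{4})-(\d{2})-(\d{2})" sanitize="true"/>
  </operation>
</valid_inputs_specification>"""

# Whitelist grammars for the accept= classes (assumed; the slides only name the classes).
ACCEPT_CLASS = {
    "text": re.compile("[^<>&\"']*"),
    "number": re.compile(r"-?[0-9]+"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
    "url": re.compile(r"https?://[A-Za-z0-9.-]+(?::[0-9]+)?(?:/[A-Za-z0-9._~/?#%&=+-]*)?"),
    "all": re.compile(r".*", re.S),
}
TEXT_STRIP = re.compile("[<>&\"']")  # what sanitize="true" removes from text fields

class ValidationError(ValueError):
    pass

def load_spec(xml_text):
    """Parse the specification into {operation name: [input rule dicts]}."""
    root = ET.fromstring(xml_text)
    return {op.get("name").strip(): [dict(i.attrib) for i in op.findall("input")]
            for op in root.findall("operation")}

def check_param(rule, value):
    """Apply one <input> rule; return the accepted (possibly sanitized) value."""
    name, accept = rule["name"], rule.get("accept", "all")
    if value is None:
        if rule.get("nillable") == "true":
            return None
        raise ValidationError(f"{name}: required parameter missing")
    if accept == "regex":
        pattern = re.compile(rule["regexpattern"])
    elif accept in ACCEPT_CLASS:
        pattern = ACCEPT_CLASS[accept]
    else:
        raise ValidationError(f"{name}: unknown accept class {accept!r}")  # fail closed
    if accept == "text" and rule.get("sanitize") == "true":
        value = TEXT_STRIP.sub("", value)  # reformulate instead of reject
    if pattern.fullmatch(value) is None:
        raise ValidationError(f"{name}: {value!r} is not valid {accept}")
    # min/max bound the numeric value for Integer, the character count otherwise
    measure = int(value) if rule.get("type") == "Integer" else len(value)
    if not int(rule.get("min", 0)) <= measure <= int(rule.get("max", 10**9)):
        raise ValidationError(f"{name}: {measure} outside [{rule.get('min')}, {rule.get('max')}]")
    return value

def validate_request(spec, soap_xml):
    """Validate one SOAP 1.2 request; return (operation, accepted parameters)."""
    body = ET.fromstring(soap_xml).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValidationError("Body must contain exactly one operation element")
    op_name = body[0].tag.rsplit("}", 1)[-1]
    rules = spec.get(op_name)
    if rules is None:
        raise ValidationError(f"operation {op_name!r} is not in the specification")
    supplied = {}
    for child in body[0]:
        pname = child.tag.rsplit("}", 1)[-1]
        if len(child) or pname in supplied:  # nested markup or repeated parameter
            raise ValidationError(f"{pname}: nested elements / repeats are not allowed")
        supplied[pname] = child.text or ""
    unknown = set(supplied) - {r["name"] for r in rules}
    if unknown:
        raise ValidationError(f"unexpected parameters: {sorted(unknown)}")
    return op_name, {r["name"]: check_param(r, supplied.get(r["name"])) for r in rules}

def register_request(**fields):
    """Build a registerStudent request (constructed sample modelled on slide 22)."""
    params = "".join(f"<univ:{k}>{v}</univ:{k}>" for k, v in fields.items())
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:univ="http://university.wsivm.example">'
            f"<soap:Header/><soap:Body><univ:registerStudent>{params}"
            "</univ:registerStudent></soap:Body></soap:Envelope>")

STUDENT = {"name": "John Smith", "age": "12", "email": "john@hsj.com", "comment": "Passed",
           "site": "http://www.univ.com", "birthday": "1980-09-12"}

def demo():
    spec = load_spec(SPEC_XML)
    out = {"clean": validate_request(spec, register_request(**STUDENT))[1]}
    # XSS payload sent XML-escaped so it arrives as text; sanitize strips the markup characters
    xss = {**STUDENT, "comment": "Passed &lt;script&gt;alert(1)&lt;/script&gt;"}
    out["xss_sanitized"] = validate_request(spec, register_request(**xss))[1]["comment"]
    out["rejected"] = {}
    for label, bad in {"sqli_in_age": {**STUDENT, "age": "12 OR 1=1"},
                       "js_url": {**STUDENT, "site": "javascript:alert(1)"},
                       "short_name": {**STUDENT, "name": "John"},
                       "extra_param": {**STUDENT, "role": "admin"}}.items():
        try:
            validate_request(spec, register_request(**bad))
            out["rejected"][label] = None
        except ValidationError as exc:
            out["rejected"][label] = str(exc)
    return out
```

Two details matter more than the regexes. First, a parameter whose element contains child elements is rejected outright: reading `.text` on such an element would silently drop nested markup, so an injected `<script>` element would pass as an empty string. Second, unknown and repeated parameters are rejected rather than ignored, which is what makes the whitelist cover the message shape and not only individual values. Note also that under the character-count reading of min/max assumed here, the value John from the slide 22 request falls below min="5" for name, which is why the sample uses a longer name.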
• 23. Case Study – Results: Comparison
                       Without WSIVM    With WSIVM     Change
  Min. time            35 ms            64 ms          +83 %
  Max. time            27848 ms         13346 ms       -52 %
  Avg. time            2494.85 ms       4541.24 ms     +82 %
  Transferred bytes    1974195 B        1236330 B      -37 %
  Throughput           6506 B/s         4012 B/s       -38 %
  Insertions in DB     10078            5134           -49 %
• 24. Conclusions
  • A reusable mechanism for input validation that is independent of the web service implementation
  • Based on a whitelist approach (fewer false positives)
    – More reliable than a blacklist: a blacklist built for the current version of HTML may no longer be valid once a new version appears
    – The number of false positives and false negatives depends on the WSIVM XML Specification that is defined
• 25. Conclusions
    – The framework lets the specification be customized to the requirements and needs of each web service
  • Prevents data injection attacks against web services and avoids wasting server processing on invalid messages
  • Reduces the possibility of denial of service through message content
  • Has a negative impact on the performance of the web service, but reduces the possibility of inserting invalid data
  • A solution for legacy applications that reduces development costs
• 26. Future Work
  • Optimization of the implementation to improve the performance of the proposed model
  • Development of a semi-automatic generator of security specifications from WSDL
  • Verification of SOAP messages and paths expressed in XPath
  • Use of artificial intelligence or an anomaly detection system
  • A feedback loop that feeds rejected (invalid) entries back into the validation filter
• 27. Some References
  1. OWASP Top Ten - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  2. T. Scholte, D. Balzarotti, and E. Kirda, "Quo vadis? A study of the evolution of input validation vulnerabilities in Web applications," in Proc. Int. Conference on Financial Cryptography and Data Security '11, St. Lucia, 2011.
  3. N. A. Nordbotten, "XML and Web services security standards," IEEE Communications Surveys & Tutorials, vol. 11, no. 3, pp. 4–21, 2009.
  4. L. Sun and Y. Li, "XML and Web services security," in Proc. 12th Int. Conf. Computer Supported Cooperative Work in Design (CSCWD 2008), April 16–18, pp. 765–770.
  5. N. Sidharth and J. Liu, "A framework for enhancing Web services security," in Proc. 31st Ann. Int. Computer Software and Applications Conf. (COMPSAC 2007), Jul. 24–27, vol. 1, pp. 23–30.
  6. WS-Security Wrapper - http://wsswrapper.sourceforge.net/
  7. J. Lin and J. Chen, "An automated mechanism for secure input handling," Journal of Computers, vol. 4, no. 9, pp. 837–844, 2009.
  8. N. Sidharth and J. Liu, "A framework for enhancing Web services security," in Proc. 31st Ann. Int. COMPSAC 2007, Jul. 24–27, vol. 1, pp. 23–30.
  9. A. Blyth, "An architecture for an XML enabled firewall," International Journal of Network Security, vol. 8, no. 1, pp. 31–36, 2009, ISSN 1816-3548.
  10. Y. Loh, W. Yau, C. Wong, and W. Ho, "Design and implementation of an XML firewall," in Proc. 2006 Int. Conf. Computational Intelligence and Security, Nov. 3–6, vol. 2, pp. 1147–1150.
  11. CWE/SANS TOP 25 Most Dangerous Software Errors - http://cwe.mitre.org/top25/archive/2011/2011_cwe_sans_top25.pdf
  12. R. Wu and M. Hisada, "SOA Web Security and Applications," Technology, vol. 9, no. 2, pp. 163–177, 2010.
  13. T. Scholte, W. Robertson, D. Balzarotti, and E. Kirda, "Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis," in Proc. 2012 IEEE 36th Annual COMPSAC, pp. 233–243, July 2012.
• 28. Thank you!
  Rafael B. Brinhosa, Carla M. Westphall, Carlos B. Westphall, Daniel R. dos Santos, Fábio Grezele
  { brinhosa,carlamw,westphal,danielrs,fgrezele }@inf.ufsc.br