The New Framework to Defend Against XML-Based Attacks

ชาตรี ทองวรรณ
Waraporn Lilakiatsakun

Abstract

This paper presents a new framework that can detect and prevent XML-based attacks against Web services: Oversize Payload, Recursive Payload, Parameter Tampering, Buffer Overflow and Replay attacks. The framework consists of three stages. The first stage learns from XML documents in order to create an XML schema. The second stage sets all needed parameters, and the third stage validates the XML format. The framework has been developed using Apache Tomcat, Apache Axis2, MySQL and the Java language. The experiment shows that the framework's mechanisms work effectively in detecting and preventing XML-based attacks.

How to Cite
ทองวรรณ ช. and W. Lilakiatsakun, “The New Framework to Defend Against XML-Based Attacks”, JIST, vol. 5, no. 1, pp. 1–12, Jun. 2015.
Section
Research Article: Soft Computing (Detail in Scope of Journal)
