The New Framework to Defend Against XML-Based Attacks
Abstract
This paper presents a new framework that can detect and prevent XML-based attacks against Web services, namely the Oversize Payload, Recursive Payload, Parameter Tampering, Buffer Overflow and Replay attacks. The framework consists of three stages: the first learns from XML documents in order to create an XML schema, the second sets all needed parameters, and the third validates the XML format of incoming messages. The framework has been developed using Apache Tomcat, Apache Axis2, MySQL and the Java language. The experiments show that the framework's mechanisms effectively detect and prevent these XML-based attacks.
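As an added illustration of the three stages the abstract describes (this is not the paper's own code, which runs in Java on Axis2), the following Python sketch learns a minimal schema from known-good SOAP messages, applies operator-set limits, and rejects messages that violate the schema or the limits. The element names, the MessageID replay check and all limit values are constructed assumptions.

```python
import io
import xml.etree.ElementTree as ET

# Stage 1: learn a minimal schema from known-good messages: which element
# tags occur, and the longest text value observed for each tag.
def learn_schema(samples):
    schema = {}
    for doc in samples:
        for elem in ET.fromstring(doc).iter():
            length = len((elem.text or "").strip())
            schema[elem.tag] = max(schema.get(elem.tag, 0), length)
    return schema

# Stage 2: operator-set parameters (constructed values for this example).
LIMITS = {"max_bytes": 2048, "max_depth": 8, "len_slack": 2}

# Stage 3: validate one message; seen_ids holds ids of already-accepted
# messages and is used for the replay check.
def validate(doc, schema, limits, seen_ids):
    if len(doc) > limits["max_bytes"]:
        return False, "oversize payload"
    depth, msg_id = 0, None
    try:
        for event, elem in ET.iterparse(io.BytesIO(doc), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > limits["max_depth"]:
                    return False, "recursive payload"
                if elem.tag not in schema:
                    return False, "parameter tampering: " + elem.tag
                continue
            depth -= 1
            text = (elem.text or "").strip()
            if len(text) > schema[elem.tag] * limits["len_slack"]:
                return False, "oversize value in " + elem.tag
            if elem.tag == "MessageID":
                if text in seen_ids:
                    return False, "replay of " + text
                msg_id = text
    except ET.ParseError:
        return False, "malformed XML"
    if msg_id is not None:
        seen_ids.add(msg_id)  # remember the id only once the message is accepted
    return True, "ok"

# Constructed known-good training message used to learn the schema.
GOOD = [b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<s:Header><MessageID>m-1</MessageID></s:Header>'
        b'<s:Body><getBalance><account>12345678</account></getBalance></s:Body>'
        b'</s:Envelope>']
SCHEMA = learn_schema(GOOD)
```

A real deployment would learn from many messages and derive a proper XML Schema rather than a tag-to-length map, but the three checks (size, depth, learned structure) are the same.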
Article Details
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.