Protecting Database Centric Web Services against SQL/XPath Injection Attacks

Web services represent a powerful interface for back-end database systems and are increasingly being used in business-critical applications. However, field studies show that a large number of web services are deployed with security flaws (e.g., SQL Injection vulnerabilities). Although several techniques for the identification of security vulnerabilities have been proposed, developing non-vulnerable web services is still a difficult task. In fact, security-related concerns are hard to apply because they add complexity to already complex code. This paper proposes an approach to secure web services against SQL and XPath Injection attacks by transparently detecting and aborting service invocations that try to take advantage of potential vulnerabilities. Our mechanism was applied to secure several web services specified by the TPC-App benchmark, proving to be 100% effective in stopping attacks, non-intrusive and very easy to use.

Keywords: web services, SQL/XPath Injection

Topic: Web Services Security

20th International Conference on Database and Expert Systems Applications (DEXA 2009), August 2009

Cited by

Year 2011: 2 citations

 1. Velu Shanmughaneethi, R. Ravichandran, S. Swamynathan, "PXpathV: Preventing XPath Injection Vulnerabilities in Web Applications", International Journal on Web Service Computing, no. 3, pp. 192-201, September 2011.

 2. Velu Shanmughaneethi, Ra. Yagna Pravin, S. Swamynathan, "XIVD: Runtime Detection of XPath Injection Vulnerabilities in XML Databases through Aspect Oriented Programming", Advances in Computing and Information Technology, Communications in Computer and Information Science, Vol. 198, Springer Berlin Heidelberg, ISBN 978-3-642-22555-0, 2011.