A Learning-Based Approach to Secure Web Services from SQL/XPath Injection Attacks



Business critical applications are increasingly being deployed as web services that access database systems, and must provide secure operations to its clients. Although the open web environment emphasizes the need for security, several studies show that web services are still being deployed with command injection vulnerabilities. This paper proposes a learning-based approach to secure web services against SQL and XPath Injection attacks. Our approach is able to transparently learn valid request patterns (learning phase) and then detect and abort potentially harmful requests (protection phase). When it is not possible to have a complete learning phase, a set of heuristics can be used to accept/discard doubtful cases. Our mechanism was applied to secure TPC-App services and open source services. It showed to be extremely effective in stopping all tested attacks, while introducing a negligible performance impact.


Web Services, SQL/XPath Injection Attacks, Security


Web Services Security


The 16th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 2010), December 2010

Cited by

No citations found