Enhancing Penetration Testing with Attack Signatures and Interface Monitoring for the Detection of Injection Vulnerabilities in Web Services



Web services are often deployed with critical software bugs that may be maliciously exploited. Developers often rely on penetration testing tools to detect those vulnerabilities, but the effectiveness of this technique is limited by the lack of information on the internal state of the tested services. This paper proposes a new approach for the detection of injection vulnerabilities in web services. The approach uses attack signatures and interface monitoring to increase the visibility of the penetration testing process, yet without needing access to the web service's internals (as these are frequently not available). To demonstrate the feasibility of the approach, we implemented a prototype tool to detect SQL Injection vulnerabilities in SOAP. An experimental evaluation comparing this prototype with three commercial penetration testers was conducted. Results show that our prototype is able to achieve much higher detection coverage than those testers while avoiding false positives, indicating that the proposed approach can be used in real development scenarios.


web-services, security, vulnerability detection, attack signatures, penetration testing, interface monitoring


Web Services Security


IEEE 8th International Conference on Services Computing (SCC 2011), July 2011

Cited by

Year 2016 : 6 citations

 Y.-C. Cho, “Implementation and analysis of website security mining system, applied to universities’ academic networks,” Tehnicki vjesnik - Technical Gazette, vol. 22, no. 2, pp. 279–287, 2015.

 S. Utsai and R. B. Joshi, “DOS Attack Reduction by using Web Service Filter,” International Journal of Computer Applications, vol. 105, no. 14, 2014.

 S. H. Ghotbi, “A declarative and fine-grained policy language for the web application domain,” Ph.D. Thesis, University of Southampton, Southampton, UK, 2014.

 S. Utsai and R. B. Joshi, “DoS Attack Mitigation by Web Service Filter,” in Proceedings of Third Post Graduate Conference on “Computer Engineering”, 2014, vol. 4.

 M. Anisetti, C. A. Ardagna, E. Damiani, and N. El Ioini, “Trustworthy Cloud Certification: A Model-Based Approach,” in Data-Driven Process Discovery and Analysis, Springer, 2014, pp. 107–122.

 P. D. Buck, Q. Shi, and B. Zhou, “Monitoring and Testing Web Services,” in The 15th Annual PostGraduate Symposium on The Convergence of Telecommunications, Networking and Broadcasting (PGNET 2014), Liverpool, UK, 2014.

Year 2013 : 4 citations

 C. Schanes, A. Hubler, F. Fankhauser, and T. Grechenig, “Generic Approach for Security Error Detection Based on Learned System Behavior Models for Automated Security Tests,” presented at the Fourth International Workshop on Security Testing, Luxembourg, 2013.

 L. Stage, “Entwurf einer Methodik zum Testen der Sicherheit von Web-Service-basierten Systemen,” University of Stuttgart, 2013.

 Y.-C. Cho and J.-Y. Pan, “Vulnerability Assessment of IPv6 Websites to SQL Injection and other Application Level Attacks,” The Scientific World Journal, vol. 2013, 2013.

 D. A. Franco, J. L. Perea, and L. C. Tovar, “Herramienta para la Detección de Vulnerabilidades basada en la Identificación de Servicios,” Información tecnológica, vol. 24, no. 5, pp. 13–22, 2013.

Year 2012 : 1 citation

 A. Andrekanic and R. Gamble, “Architecting Web Service Attack Detection Handlers,” in 2012 IEEE 19th International Conference on Web Services (ICWS 2012), Honolulu, Hawaii, USA, 2012, pp. 130–137.