Classification of Web-Service-Based Attacks and Mitigation Techniques

SOAP

The Simple Object Access Protocol (SOAP) is used in the exchange of XML-based messages between the client and the server, these messages are sent over the network using http or https protocols. In the interactions between a consumer (client) and a provider (server), the client sends a request SOAP message to the server. The server processes the request and sends a message back to the client with the results of the request.

XML is widely used standard in web services for integration and data exchange. There is a big problem with XML as it is not very secure and have been many vulnerabilities uncovered. Web services using XML provides many opportunities for attacks such as Denial of Service attacks or XML Injection attacks. Systems that utilize XML are vulnerable to those types of attacks.

Web Services are widely based on XML Protocols (Tiwari & Singh, 2011). There are three main elements of web services that use XML:

• •

  Simple Object Access Protocol (SOAP). SOAP is a W3C standard for exchanging XML based messages over computer networks. SOAP uses HTTP/HTTPS, it is important for application development as it allows Internet Communications between two or more programs. SOAP is platform independent, agnostic, flexible and general-purpose XML Protocol (Jan, Nguyen, & Briand, 2015; Tiwari & Singh, 2011).

• •

  Web Service Description Language (WDSL) is a language used to define web services and describe how to access them. The various operations required to access the web services are defined in the WSDL language along with the parameter information (Jan, S., Nguyen, C. D., & Briand, LJ, 2015; Tiwari & Singh, 2011).

• •

  Universal Description, Discovery and Integration (UDDI) specification is for publishing and locating information about web services. It also defines the information framework that enables service providers to describe and classify their organization, services and the technical details about the interfaces of the web services that they want to expose for use.

Service composition is a promising solution for many businesses. Using Service Compositions an organization can connect their applications, databases and systems to provide a single point service to the consumers. Service composition is an aggregation of other atomic and composite web services. These web services interact with each other in accordance to a process model. For example, a travel website that allows you to book an airline flight, as well as book a hotel room, rental car and other services such as travel insurance, or car service (Tiwari & Singh, 2011). Example of Service composition is shown in Figure 1. A new customer is created and in turn calls other services such as validating the customer, Updating the customer database and Generating and billing the account. Generate Bill Account in turn calls the New Bill Account creation service which calls to the credit card number validation service and the Card limit validation service.

Figure 1.

Example of service composition (Tiwari & Singh, 2011)