Two-level security approaches for secure XML database-centric web services against XPath injections
| Format: | Thesis |
|---|---|
| Language: | English |
| Published: | 2016 |
| Online Access: | http://psasir.upm.edu.my/id/eprint/68604/1/FSKTM%202016%2034%20IR.pdf (full text); http://psasir.upm.edu.my/id/eprint/68604/ (record) |
Summary:

Web services are deployed using eXtensible Markup Language (XML), a platform-independent language for easy transportation and storage of data. As an important transport for data, Web services have become increasingly vulnerable to malicious attacks that could affect essential properties of information systems such as confidentiality, integrity, or availability. Like any other application that accepts data submitted by outside users, Web services can be susceptible to code injection attacks, specifically XPath (XML Path Language) injection attacks. This kind of attack can cause serious damage to the database at the backend of Web services as well as to the data within it. To cope with this attack, it is necessary to develop an effective and efficient secure mechanism from both angles, outsider and insider. This thesis addresses both outsider and insider threats with respect to XPath injections by providing a secure mechanism for XML database-centric Web services, which yields the following significant contributions.

We propose two-level security approaches as the overall solution for XML database-centric Web services. The first approach focuses on preventing malicious XPath input within the Web service application. To address XPath injections at this level, we propose a model-based validation (XIPS) for XPath injection attack prevention in Web service applications. The second approach focuses on preventing insider threats within the XML database. To deal with insider threats, we propose a severity-aware trust-based access control model (XTrust) for malicious XPath code in the XML database. A prototype of the solution and of each approach was designed, implemented and evaluated on synthetic data using an experimental research approach to assess its security performance. Result analysis showed that the two-level security approaches solution is able to provide overall protection for the XML database-centric Web services environment from outsider and insider threats with respect to XPath injections. Meanwhile, the first approach, XIPS, provides an alternative solution for Web service applications against malicious XPath input compared to previous work, and the second approach, XTrust, provides more secure access control for the XML database against malicious XPath code compared to previous work. In conclusion, the two-level security approaches solution improved the security level of XML database-centric Web services.