
AdIDoS – Adaptive and Intelligent Fully-Automatic Detection of Denial-of-Service Weaknesses in Web Services

  • Conference paper
Data Privacy Management, and Security Assurance (DPM 2015, QASA 2015)

Abstract

Denial-of-Service (DoS) attacks aim to affect the availability of applications. They can be executed using several techniques. Most of them rely on huge computing power used to send a large number of messages to the attacked application, e.g. a web service. Web services apply parsing technologies to process incoming XML messages. This enlarges the set of attack vectors, since attackers gain new possibilities to abuse specific parser features and complex parsing techniques. Therefore, web service applications apply various countermeasures, including message length or XML element restrictions. These countermeasures make validation of web service robustness against DoS attacks complex and error-prone.

In this paper, we present a novel adaptive and intelligent approach for testing web services. Our algorithm systematically increases the attack strength and evaluates its impact on a given web service, using a blackbox approach based on server response times. This allows one to automatically detect message size limits or element count restrictions. We prove the practicability of our approach by implementing a new WS-Attacker plugin and detecting new DoS vulnerabilities in widely used web service implementations.
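The abstract names message length and XML element restrictions as the countermeasures a web service applies against parser-based DoS. As an added example (not the paper's code and not part of WS-Attacker), the following streaming SAX wrapper enforces such limits, plus nesting depth and attribute count, and stops parsing at the first violation; the limit values and the sample messages are constructed assumptions.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

class LimitExceeded(Exception):
    """Raised by the handler as soon as one configured restriction is hit."""

class LimitingHandler(ContentHandler):
    def __init__(self, max_elements, max_depth, max_attributes):
        super().__init__()
        self.max_elements, self.max_depth = max_elements, max_depth
        self.max_attributes = max_attributes
        self.elements = 0  # start tags seen so far
        self.depth = 0     # current nesting depth

    def startElement(self, name, attrs):
        self.elements += 1
        self.depth += 1
        if self.elements > self.max_elements:       # XML Element Count
            raise LimitExceeded(f"element count > {self.max_elements}")
        if self.depth > self.max_depth:             # Coercive Parsing (deep nesting)
            raise LimitExceeded(f"nesting depth > {self.max_depth}")
        if len(attrs) > self.max_attributes:        # XML Attribute Count
            raise LimitExceeded(f"attribute count > {self.max_attributes} on <{name}>")

    def endElement(self, name):
        self.depth -= 1

def parse_restricted(data, max_bytes=65536, max_elements=1000, max_depth=32, max_attributes=16):
    """Parse bytes under the limits; returns (accepted, reason, elements_seen)."""
    # Length check first: it costs nothing and needs no parser at all.
    if len(data) > max_bytes:
        return False, f"message length > {max_bytes}", 0
    handler = LimitingHandler(max_elements, max_depth, max_attributes)
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never fetch external entities
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(data))  # stops at the first raised LimitExceeded
    except LimitExceeded as exc:
        return False, str(exc), handler.elements
    except xml.sax.SAXParseException as exc:
        return False, f"malformed XML: {exc.getMessage()}", handler.elements
    return True, "ok", handler.elements

# Constructed sample messages (not taken from the paper).
SOAP_OK = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<soap:Body><getStatus><id>42</id></getStatus></soap:Body></soap:Envelope>')
DEEP_NESTING = b"<a>" * 40 + b"</a>" * 40          # 40 levels, limit is 32
MANY_ELEMENTS = b"<r>" + b"<e/>" * 1000 + b"</r>"  # 1001 elements, limit is 1000
```

Because the handler raises inside the expat callback, the work spent on a rejected message is bounded by the limits themselves rather than by the attacker's message.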



Notes

  1. Our implementation in the WS-Attacker framework is split into two parts: (1) a generic library to apply DoS attacks on XML and (2) a plugin that is used to transmit SOAP messages.

  2. https://github.com/RUB-NDS/WS-Attacker.

  3. Its current implementation includes Coercive Parsing, XML Attribute Count, XML Element Count, XML Entity Expansion, XML External Entity, XML Overlong Names, and 4 variants of HashCollision attacks – 10 attack variants in total.

  4. Areas in the XML document where additional elements or attributes can be placed according to the schema definition, identified by <xs:any> and <xs:anyAttribute> in the XML Schema.

  5. This value was chosen empirically based on our tests in local networks.

  6. Here an attack is marked as successful even though it is not.

  7. http://www.soapui.org.

  8. http://sourceforge.net/projects/wsfuzzer.


Acknowledgements

We would like to thank our anonymous reviewers for their helpful comments. The research was supported by the German Ministry of Research and Education (BMBF) as part of the VERTRAG research project.

Author information


Correspondence to Christian Altmeier.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Altmeier, C., Mainka, C., Somorovsky, J., Schwenk, J. (2016). AdIDoS – Adaptive and Intelligent Fully-Automatic Detection of Denial-of-Service Weaknesses in Web Services. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds) Data Privacy Management, and Security Assurance. DPM 2015, QASA 2015. Lecture Notes in Computer Science, vol 9481. Springer, Cham. https://doi.org/10.1007/978-3-319-29883-2_5


  • DOI: https://doi.org/10.1007/978-3-319-29883-2_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29882-5

  • Online ISBN: 978-3-319-29883-2

  • eBook Packages: Computer Science (R0)
