Websites, like most other software components, are vulnerable to attacks. Cross-site scripting (XSS) attacks are a type of malicious code injection in which malicious scripts are injected into websites. Currently, many websites are used to execute software components called web services. In my opinion, web services can be considered the most important components to integrate different software technologies. Web services security, defined in the Web Services Security (WS-Security) standard, is important for analyzing XSS attacks. In this paper, the authors analyze the robustness of web services using security testing techniques.
This is a very practical paper. The authors describe in detail how to test vulnerabilities in web services, and how to discover new vulnerabilities during software development before attackers exploit them. The paper shows how certain tools can be used to analyze the presence of vulnerabilities in web services and emulate an XSS attack. In addition, the authors analyze the robustness of web services with WS-Security, and security tokens against an XSS attack.
In the paper, the authors propose a secure testing methodology to address security problems in web services. Although the paper shows that tools are very important, the tool’s output should be carefully analyzed to identify real risks. In fact, the authors have established a set of rules to identify clearly which outputs are a risk and which outputs are not actual vulnerabilities.
In summary, this is a very interesting paper because the proposed approach is practical. This approach could be used in some programming courses as part of a laboratory. It is very easy to read and the approach is replicable. The paper fails, however, to provide some discussion on secure coding practices. For me, the following question remains: Could secure coding practices when applied to web service programming eliminate their vulnerabilities?