Computing Reviews
Security testing methodology for vulnerabilities detection of XSS in web services and WS-Security
Salas M., Martins E. Electronic Notes in Theoretical Computer Science (ENTCS) 302: 133-154, 2014. Type: Article
Date Reviewed: Feb 13 2015

Websites, like most other software components, are vulnerable to attacks. Cross-site scripting (XSS) attacks are a type of malicious code injection in which malicious scripts are injected into websites. Currently, many websites are used to execute software components called web services. In my opinion, web services can be considered the most important components to integrate different software technologies. Web services security, defined in the Web Services Security (WS-Security) standard, is important for analyzing XSS attacks. In this paper, the authors analyze the robustness of web services using security testing techniques.

This is a very practical paper. The authors describe in detail how to test vulnerabilities in web services, and how to discover new vulnerabilities during software development before attackers exploit them. The paper shows how certain tools can be used to analyze the presence of vulnerabilities in web services and emulate an XSS attack. In addition, the authors analyze the robustness of web services with WS-Security and security tokens against an XSS attack.

In the paper, the authors propose a secure testing methodology to address security problems in web services. Although the paper shows that tools are very important, the tool’s output should be carefully analyzed to identify real risks. In fact, the authors have established a set of rules to identify clearly which outputs are a risk and which outputs are not actual vulnerabilities.

In summary, this is a very interesting paper because the proposed approach is practical. This approach could be used in some programming courses as part of a laboratory. It is very easy to read and the approach is replicable. The paper fails, however, to provide some discussion on secure coding practices. For me, the following question remains: Could secure coding practices when applied to web service programming eliminate their vulnerabilities?

Reviewer: Jesus Villadangos-Alonso Review #: CR143187 (1505-0420)
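The review describes a methodology in which an XSS probe is sent to a web service and the tool's output is then triaged by rules that separate real reflections from false positives. The following example is added here for illustration; it is not code from the paper under review or from its authors. It simulates two SOAP services, a vulnerable one that concatenates the request parameter into its response and a hardened one that entity-encodes it, sends a request carrying a WS-Security UsernameToken header, and applies a simple triage rule to the raw response. The Greeter service, its namespace, the greet/greeting element names and the token credentials are all assumptions made for the example; the UsernameToken header is included only to make the point that authentication is orthogonal to output encoding, not to reproduce the paper's own findings about WS-Security.

```python
import html
import xml.etree.ElementTree as ET

# Constructed probe: the classic reflection check for XSS.
XSS_PROBE = '<script>alert(1)</script>'

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SVC_NS = "http://example.invalid/greeter"   # hypothetical service namespace


def build_request(name: str, username: str = "alice", password: str = "s3cret") -> str:
    """SOAP 1.1 request with a WS-Security UsernameToken header (credentials assumed).

    The name is entity-escaped on the way in because the request must be
    well-formed XML; what is under test is what the service does with the
    decoded value on the way back out.
    """
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{WSSE_NS}">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{html.escape(username)}</wsse:Username>'
        f'<wsse:Password>{html.escape(password)}</wsse:Password>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body><greet xmlns="{SVC_NS}">'
        f'<name>{html.escape(name)}</name></greet></soap:Body>'
        f'</soap:Envelope>'
    )


def _extract_name(request: str) -> str:
    """Server side: parse the request and recover the decoded parameter value."""
    root = ET.fromstring(request)
    return root.find(f".//{{{SVC_NS}}}name").text or ""


def _response(greeting_markup: str) -> str:
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<greetResponse xmlns="{SVC_NS}"><greeting>{greeting_markup}</greeting>'
            f'</greetResponse></soap:Body></soap:Envelope>')


def vulnerable_service(request: str) -> str:
    """Constructed stand-in for a vulnerable service: concatenates the raw value.

    The token header is accepted and ignored; authentication does nothing
    to the body content that is echoed back.
    """
    return _response(f"Hello, {_extract_name(request)}!")


def hardened_service(request: str) -> str:
    """Constructed stand-in for the fixed service: entity-encodes on output."""
    return _response(f"Hello, {html.escape(_extract_name(request))}!")


def classify(response: str, probe: str = XSS_PROBE) -> str:
    """Triage rule for a scanner hit, applied to the raw response bytes.

    'raw'      the probe comes back byte-for-byte: markup crossed the trust
               boundary unencoded, a real finding.
    'encoded'  only the entity-encoded form comes back: the service encoded
               its output; whether some consumer later decodes and renders
               it is a separate check, not an XSS in the service itself.
    'absent'   the probe was not reflected: no finding for this parameter.
    """
    if probe in response:
        return "raw"
    if html.escape(probe) in response:
        return "encoded"
    return "absent"


def greeting_text(response: str) -> str:
    """What an XML-aware client sees after parsing (entities already decoded)."""
    root = ET.fromstring(response)
    el = root.find(f".//{{{SVC_NS}}}greeting")
    return "".join(el.itertext())


def scan(service, name: str = XSS_PROBE) -> dict:
    """Send one probe to a service function and return the triage result."""
    response = service(build_request(name))
    return {"verdict": classify(response), "parsed_text": greeting_text(response)}


if __name__ == "__main__":
    for svc in (vulnerable_service, hardened_service):
        print(svc.__name__, scan(svc))
```

The `parsed_text` field shows why the rule is applied to the raw response rather than to parsed output: the vulnerable service returns well-formed XML in which the injected `<script>` is a real child element, so its parsed text reads `Hello, alert(1)!`, while the hardened service's parsed text is `Hello, <script>alert(1)</script>!` because the entities have been decoded. A tool that compares parsed text against the probe would therefore report the safe service and miss the vulnerable one, which is exactly the kind of output that needs the reviewer's "which outputs are a risk" rules.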
Web-Based Services (H.3.5 ... )
Security and Protection (K.6.5 )
Testing And Debugging (D.2.5 )