Two level security approaches for secure XML database centric web services against xpath injections

Web services are deployed using eXtensible Markup Language (XML), which is an independent language for easy transportation and storage. As an important transportation for data, Web services has become increasingly vulnerable to malicious attacks that could affect essential properties of information systems such as confidentiality, integrity, or availability. Like any other application that allows outside user submission data, Web services can be susceptible to code injection attacks, specifically XPath (XML Path Language) injection attacks. This kind of attack can cause serious damage to the database at the backend of Web services as well as the data within it. To cope with this attack, it is necessary to develop effective and efficient secure mechanism from various angles, outsider and insider. This thesis addresses both outsider and insider threats with respect to XPath injections in providing secure mechanism for XML database-centric Web services which yields the following significant contributions. We propose the two level security approaches for the ultimate solution within XML database-centric Web services. The first approach focuses on preventing malicious XPath input within Web services application. In order to address issues of XPath injections, we propose a model-based validation (XIPS) for XPath injection attack prevention in Web service applications. The second approach focuses on preventing insider threat within XML database. In order to deal with insider threat, we propose a severity-aware trust-based access control model (XTrust) for malicious XPath code in XML database. A prototype of the solution and each approach was designed, implemented and evaluated using synthetic data through experimental research approach to evaluate its security performance. Evidently, result analysis proved that the two level security approaches solution able to provide overall protection for XML database centric Web services environment from outsider and insider threats with respect to XPath injections. Meanwhile, the first approach, XIPS provides alternative solution for Web service applications against malicious XPath input compared to the previous work and the second approach, XTrust provide more secure access control for XML database against malicious XPath code compared to the previous work. As a conclusion, the two level security approaches solution improved security level in XML database-centric Web services.

Preview Text FSKTM 2016 34 IR.pdf Download (1MB) | Preview

Actions (login required)

View Item