Attack Taxonomy Methodology Applied to Web Services

Keywords: attack taxonomy methodology, web services, brute force, spoofing, flooding, denial of service, injection


With the rapid evolution of attack techniques and attacker targets, companies and researchers question the applicability and effectiveness of security taxonomies. Although attack taxonomies provide a classification scheme, they are quickly rendered obsolete by the appearance of new attacks. Because of their distributed and open nature, web services give rise to new security challenges. The purpose of this study is to apply a methodology for categorizing and updating attacks that keeps pace with the continuous creation and evolution of new attack schemes against web services. In this research we also collected thirty-three (33) types of attacks, classified into five (5) categories (brute force, spoofing, flooding, denial of service, and injection), in order to obtain the state of the art of vulnerabilities affecting web services. Finally, the attack taxonomy is applied to a web service, modeled through attack trees. The methodology is not specific to web services, so it can be used to anticipate future attacks on many other technologies.
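The last step of the abstract, applying the taxonomy to a web service by modeling it as an attack tree, can be made concrete with a small AND/OR attack-tree evaluator. The example below is added here and is not the paper's model: the tree shape, the leaf names and the attacker-effort costs are assumed for illustration, with the five categories from the abstract as the top-level OR branches. It computes the cheapest attack scenario overall and per category, and shows how a defensive control (modeled as raising the cost of the leaves it affects) changes which category is the weakest point of the service.

```python
"""AND/OR attack-tree evaluation for a web service (added example).

Assumptions, not taken from the paper: the tree, its leaf names and the
cost values are constructed for illustration. Costs are attacker effort in
arbitrary units. OR nodes succeed with any one child (cheapest wins);
AND nodes need every child (costs add up).
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Iterable, List, Union


@dataclass(frozen=True)
class Leaf:
    name: str
    cost: float  # assumed attacker effort


@dataclass(frozen=True)
class Node:
    name: str
    op: str           # "OR" or "AND"
    children: tuple   # tuple of Node or Leaf


Tree = Union[Node, Leaf]


def min_cost(n: Tree) -> float:
    """Cheapest way to achieve node n: min over OR children, sum over AND children."""
    if isinstance(n, Leaf):
        return n.cost
    costs = [min_cost(c) for c in n.children]
    return min(costs) if n.op == "OR" else sum(costs)


def scenarios(n: Tree) -> List[FrozenSet[str]]:
    """Every set of leaf actions that achieves n (one choice per OR, all of each AND)."""
    if isinstance(n, Leaf):
        return [frozenset([n.name])]
    if n.op == "OR":
        return [s for c in n.children for s in scenarios(c)]
    combos: List[FrozenSet[str]] = [frozenset()]
    for c in n.children:  # AND: cartesian product of the children's scenarios
        combos = [a | b for a in combos for b in scenarios(c)]
    return combos


def leaf_costs(n: Tree) -> Dict[str, float]:
    if isinstance(n, Leaf):
        return {n.name: n.cost}
    out: Dict[str, float] = {}
    for c in n.children:
        out.update(leaf_costs(c))
    return out


def cheapest_scenario(n: Tree) -> FrozenSet[str]:
    costs = leaf_costs(n)
    return min(scenarios(n), key=lambda s: sum(costs[leaf] for leaf in s))


def category_costs(root: Node) -> Dict[str, float]:
    """Weakest point per top-level category: the cheapest scenario inside each branch."""
    return {c.name: min_cost(c) for c in root.children}


def raise_cost(n: Tree, names: Iterable[str], delta: float) -> Tree:
    """Model a control: add delta to the cost of every leaf whose name is in names."""
    targets = set(names)
    if isinstance(n, Leaf):
        return replace(n, cost=n.cost + delta) if n.name in targets else n
    return replace(n, children=tuple(raise_cost(c, targets, delta) for c in n.children))


# Constructed tree: the five categories of the abstract as OR branches under one goal.
WEB_SERVICE_TREE = Node("Compromise web service", "OR", (
    Node("Brute force", "OR", (
        Node("Credential guessing", "AND", (
            Leaf("Enumerate valid usernames", 2),
            Leaf("Online password guessing", 5),
        )),
    )),
    Node("Spoofing", "OR", (
        Leaf("Replay a captured request", 4),
        Node("Forge a session token", "AND", (
            Leaf("Obtain the signing key", 9),
            Leaf("Craft a token", 1),
        )),
    )),
    Node("Flooding", "OR", (Leaf("Send oversized XML payloads", 3),)),
    Node("Denial of service", "OR", (Leaf("Hold connections open with slow requests", 3),)),
    Node("Injection", "OR", (
        Leaf("SQL injection in a request parameter", 6),
        Leaf("XML injection in the message body", 6),
    )),
))

# Hypothetical control: request size limits plus rate limiting make the
# flooding and DoS leaves five units more expensive.
RATE_LIMITED = raise_cost(
    WEB_SERVICE_TREE,
    {"Send oversized XML payloads", "Hold connections open with slow requests"},
    5,
)

if __name__ == "__main__":
    for label, tree in (("baseline", WEB_SERVICE_TREE), ("rate limited", RATE_LIMITED)):
        print(label, category_costs(tree), "cheapest:", sorted(cheapest_scenario(tree)))
```

Running the block prints the per-category cost table for the baseline and the rate-limited variant: in the baseline the flooding and denial-of-service branches are the cheapest entry points, and after the control is applied the weakest category becomes spoofing via request replay. Because each scenario is a set of leaf names, the same output tells the defender which leaves a control must cover to remove an entire path, which is the kind of prioritization an updated taxonomy is meant to support.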






How to Cite
M. Palma Salas, “Attack Taxonomy Methodology Applied to Web Services”, LAJC, vol. 11, no. 1, pp. 66-79, Jan. 2024.
Research Articles for the Regular Issue