Attack Taxonomy Methodology Applied to Web Services

Keywords: Attack taxonomy methodology, web services, brute force, spoofing, flooding, denial-of-services, injection

Abstract

With the rapid evolution of attack techniques and attacker targets, companies and researchers question the applicability and effectiveness of security taxonomies. Although the attack taxonomies allow us to propose a classification scheme, they are easily rendered useless by the generation of new attacks. Due to its distributed and open nature, web services give rise to new security challenges. The purpose of this study is to apply a methodology for categorizing and updating attacks prior to the continuous creation and evolution of new attack schemes on web services. Also, in this research, we collected thirty-three (33) types of attacks classified into five (5) categories, such as brute force, spoofing, flooding, denial-of-services, and injection attacks, in order to obtain the state of the art of vulnerabilities against web services. Finally, the attack taxonomy is applied to a web service, modeling through attack trees. The use of this methodology allows us to prevent future attacks applied to many technologies, not only web services.

DOI

Downloads

Download data is not yet available.

References

R. Derbyshire, B. Green, D. Prince, A. Mauthe, and D. Hutchison, “An analysis of cyber security attack taxonomies,” in 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 153– 161, IEEE, 2018.

C. Ferris and J. Farrell, “What are web services?,” Communications of the ACM, vol. 46, no. 6, p. 31, 2003.

“Web services tutorial.”https://acortar.link/gDMbLC, 2022.

I. siddavatam and J. Gadge, “Comprehensive test mechanism to detect attack on web services,” in 2008 16th IEEE International Conference on Networks, pp. 1–6, 2008.

D. Wichers and J. Williams, “Owasp top-10 2021.” https://owasp.org/Top10/.

C. Top and M. Dangerous, “2021 cwe top 25 most dangerous software weaknesses, 2021.” https://acortar.link/fGizQb.

H. Yuan, L. Zheng, L. Dong, X. Peng, Y. Zhuang, and G. Deng, “Research and implementation of web application firewall based on feature matching,” in International Conference on Application of Intelligent Systems in Multi-modal Information Analytics, pp. 1223–1231, Springer, 2019.

B. Jagruti, P. Nidhi, and D. Pandya, “A survey on webservice security techniques,” in 2018 4th International Conference on Computing Communication and Automation (ICCCA), pp. 1–5, 2018.

O. B. Fredj, O. Cheikhrouhou, M. Krichen, H. Hamam, and A. Derhab, “An owasp top ten driven survey on web application protection methods,” in Risks and Security of Internet and Systems (J. Garcia-Alfaro, J. Leneutre, N. Cuppens, and R. Yaich, eds.), (Cham), pp. 235–252, Springer International Publishing, 2021.

W. Ahmad, Z. Hayat, B. Zafar, F. A. Khan, F. Din, and I. Shah, “A survey on taxonomies of attacks and vulnerabilities in computer systems,” International Journal of Computer Science and Telecommunications, vol. 3, no. 5, pp. 93–97, 2012.

S. L. Hansman, “A taxonomy of network and computer attack methodologies,” 2003.

A. C. Panchal, V. M. Khadse, and P. N. Mahalle, “Security issues in iiot: A comprehensive survey of attacks on iiot and its countermeasures,” in 2018 IEEE Global Conference on Wireless Computing and Networking (GCWCN), pp. 124–130, 2018.

C. Simmons, C. Ellis, S. Shiva, D. Dasgupta, and Q. Wu, “Avoidit: A cyber attack taxonomy,” in 9th Annual Symposium on Information Assurance (ASIA’14), pp. 2–12, 2014.

K. F. P. Chan, M. Olivier, and R. P. van Heerden, “A taxonomy of web service attacks,” in Proceedings of the 8th International Conference on Information Warfare and Security: ICIW, p. 34, 2013.

M. I. Ladan, “Web services: Security challenges,” in 2011 World Congress on Internet Security (WorldCIS-2011), pp. 160–163, IEEE, 2011.

R. K. K. Meduri, “Webservice security,” in Webservices, pp. 119–172, Springer, 2019.

P. Nandan, Mastering SoapUI. Packt Publishing Ltd, 2016.

G. A. Jaafar, S. M. Abdullah, and S. Ismail, “Review of recent detection methods for http ddos attack,” Journal of Computer Networks and Communications, vol. 2019, 2019.

M. Jensen, N. Gruschka, and R. Herkenhöner, “A survey of attacks on web services,” Computer Science-Research and Development, vol. 24, no. 4, pp. 185–197, 2009.

V. Patel, R. Mohandas, and A. R. Pais, “Attacks on web services and mitigation schemes,” in 2010 International Conference on Security and Cryptography (SECRYPT), pp. 1–6, IEEE, 2010.

A. Singh, A. Sharma, N. Sharma, I. Kaushik, and B. Bhushan, “Taxonomy of attacks on web based applications,” in 2019 2nd International Conference on Intelligent Computing, Instrumentation and Control Technologies (ICICICT), vol. 1, pp. 1231–1235, 2019.

A. Boudi, I. Farris, M. Bagaa, and T. Taleb, “Assessing lightweight virtualization for security-as-a-service at the network edge,” IEICE Transactions on Communications, vol. 102, no. 5, pp. 970–977, 2019.

A. T. Limited, “Attack tree modeling.” https://www.amenaza.com/, 2022.

S. Mehta, G. Raj, and D. Singh, “Penetration testing as a test phase in web service testing a black box pen testing approach,” in Smart Computing and Informatics, pp. 623–635, Springer, 2018.

S. Abidi, M. Essafi, C. G. Guegan, M. Fakhri, H. Witti, and H. H. B. Ghezala, “A web service security governance approach based on dedicated micro-services,” Procedia Computer Science, vol. 159, pp. 372– 386, 2019.

“Web application firewall.” https://owasp.org/www-community/Web_Application_Firewall, 2018.

S. Akshaya, M., and G. Padmavathi. "Taxonomy of security attacks and risk assessment of cloud computing." Advances in Big Data and Cloud Computing: Proceedings of ICBDCC18. Springer Singapore, 2019.

S. Yassine, and Y. Maleh. "A systematic review and taxonomy of web applications threats." Information Security Journal: A Global Perspective 31.1 (2022): 1-27.

P. Prinetto, and G. Roascio. "Hardware Security, Vulnerabilities, and Attacks: A Comprehensive Taxonomy." ITASEC. 2020.

“8 critical web application vulnerabilities and how to prevent them.” https://brightsec.com/blog/web-application-vulnerabilities/, 2022.

Published
2024-01-08
How to Cite
[1]
M. Palma Salas, “Attack Taxonomy Methodology Applied to Web Services”, LAJC, vol. 11, no. 1, pp. 66-79, Jan. 2024.
Issue
Vol 11 No 1 (2024)
Section
Research Articles for the Regular Issue

Copyright (c) 2024 Latin American Journal of Computing

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Licencia Creative Commons

This article is published by LAJC under a Creative Commons Attribution-Non-Commercial-Share-Alike 4.0 International License. This means that non-exclusive copyright is transferred to the National Polytechnic School. The Author (s) give their consent to the Editorial Committee to publish the article in the issue that best suits the interests of this Journal. Find out more in our Copyright Notice.

Disclaimer

LAJC in no event shall be liable for any direct, indirect, incidental, punitive, or consequential copyright infringement claims related to articles that have been submitted for evaluation, or published in any issue of this journal. Find out more in our Disclaimer Notice.