
The 9th International Conference for Internet Technology and Secured Transactions (ICITST-2014)

Automation of Detection of Security Vulnerabilities in Web Services using Dynamic Analysis

Rahul Kumar, Project Engineer, CDAC, Hyderabad, INDIA
Indraveni K, Senior Technical Officer, CDAC, Hyderabad, INDIA
Aakash Kumar Goel, Project Engineer, CDAC, Hyderabad, INDIA

978-1-908320-39/1/$25.00©2014 IEEE

Abstract — The usage of XML in maintaining data over web
communications has led to new ways of exploitation which are dangerous
for data integrity, yet can be remediated on the basis of the
vulnerability classification. The approach is restricted to the research
scope of unchangeable dynamic vulnerabilities, with the help of WSDL
enumeration and an automation script that detects the vulnerabilities by
analysing the SOAP Request and Response, saved in XML format, for
different payloads.

Index Terms - Security, Web Service, Testing, Attack, Vulnerability,
WSDL, XML, Payload, Dynamic Analysis, Enumeration, Automation, SOAP
Request, Response

I. INTRODUCTION

Web services are self-contained, self-describing, reusable web
application components that communicate using open protocols, which help
solve the interoperability problem by giving different applications a
way to link their data. A web service uses XML, described using a WSDL,
to encode and decode data, and a SOAP message to transport it in a
stateless manner. Web services are exposed to the internet like any
other service but can be used on HTTP, FTP, SMTP, and MQ among other
transport protocols.

The vulnerabilities in web services are similar to other
vulnerabilities, such as SQL injection and information leakage, but web
services also have unique XML/parser related vulnerabilities. They may
be classified (Figure 1) as Static and Dynamic Vulnerability types based
on the type of analysis, further described as changeable and
unchangeable, where changeable refers to the modification of a Web
Service XML document by a client.

Figure 1. Vulnerability classification

II. PROBLEMS AND RELATED RESEARCH

With respect to the vulnerability classifications, the automation
research is found to be very limited. There is a huge scope to automate
the detection of such vulnerabilities. As per the practical experience
of security auditing and penetration testing, it has been identified
that web applications use either a relational database or an XML Schema
to store data. The other important part of a web application that
accounts for most attacker activity is state management.

Both of the above mentioned important attack vectors of web applications
are now progressively being managed using web services; thus, making
them exploitation-proof becomes imperative.

III. APPROACH

In our approach, we will restrict the research scope to the unchangeable
dynamic vulnerability type of web service. Dynamic vulnerabilities,
which can only be detected upon the execution of a service, are widely
present in generic Web applications and have been studied more in depth
than the Static Vulnerabilities, and are categorized as: (i) Error on
interface, (ii) SQL and XPath injection (Code Injections).

This approach takes care of the code injection vulnerabilities (SQL,
XPath and XXE Injections) and the error on interface issues faced by web
applications using Web Services. The WSDL file, which contains all the
public methods on which a web application processes data, is the target
input in this approach. We apply targeted payloads on the different
methods available in the WSDL file and then analyze the response
generated from a non-legitimate SOAP request for legitimacy. An
automation of the exploitation and analysis of the response generated
would not only reduce the time and effort put into manual testing of web
services, but would also give the security community a reliable solution
to integrate in their security tools.

Among the automation steps, we first identify the target WSDL URL for
triggering payloads. Now, with the help of the automation script
(Figure 2), we extract all the methods from that web service component
using Python's suds client. When the WSDL methods are determined from
the user input
location, a predetermined, intelligent malicious list of payloads is
sniped with the SOAP request parameter to the web server handling the
web service request. The analysis of the vulnerabilities found further
depends on the response received from the server, which is stored in an
XML format (Figure 3).

Figure 2. Automation Steps

Figure 3. XML Format

For demonstration purposes, we tried our automation technique on a
sample web service. A custom payload like “1 or 1=1” was sent in the
SOAP Request (Figure 4) for the web service invocation.

Figure 4. SOAP Request for the Web Service

As the payload sent was malicious in nature, intended to extract
information from an XML database using an all-true condition, the
resulting response (Figure 5) from the server leaked all possible
combinations of data available for the requested variable from the XML
database, proving that the code injection was successful at the server
location.

Figure 5. SOAP Response of the Web Service

In another case, when “'” (a single quote) was sent as the payload in
the SOAP Request (Figure 6) of the same web service, it resulted in an
exception in the SOAP Response (Figure 6), confirming the unhandled
error on the web server upon triggering a malicious payload.

Figure 6. SOAP Request - Response of Web Service

The findings were tested (see Table I) with several in-house and public
testing domains and it was found that the experimental results proved to
be successfully aligned with the problem statement.


Table I. Experimental Results

S. No.   Application Tested   Results
1        Phpwsdl              Success
2        xml-webservice       Success
3        Esikshak             Success
5        Webgoat              Success
6        Bwapp                Fail

IV. CONCLUSION
The research work is promising in nature with a great deal
of XML Analysis for security testing on Web Services based
applications. It not only throws light on the vulnerable injection
points in the public methods, but also gives insights on payload
types, affecting the web service execution without breaking the
XML Schema and hence the web application. The resulting
automation script is well tested on trusted platforms and open
application security test-beds and has out-performed major
existing solutions. This would not only amount to additions in
the security framework, but also would be useful for further
research into unidentified XML related security issues in the
next iterations.

The next value-adding challenge for the ongoing research is taking
vulnerable samples of web services to test without breaking the XML
Schema. As the XML Schema forms the core of a web service based
interaction, any disturbance in it would not only malform the XML, but
would also lead to maligned application behavior. In this approach, the
focus is to keep the XML Schema intact while testing, so that the false
positives relating to code injections that actually malform the XML can
be minimized.
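
The response-analysis step of Section III and the false-positive concern in the paragraph above can be sketched together as a classifier that compares each stored SOAP reply against the reply to a benign request. This is an added example, not the authors' automation script: it assumes SOAP 1.1 replies, and the function names, result labels and sample replies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"  # SOAP 1.1 namespace

def soap_body(xml_text):
    """Return the SOAP Body element, or None if the text is not a SOAP 1.1 envelope."""
    # For replies from untrusted servers, a hardened parser (defusedxml) is safer.
    try:
        return ET.fromstring(xml_text).find(ENV + "Body")
    except ET.ParseError:
        return None

def data_leaves(body):
    """Count leaf elements that carry text, i.e. returned data values."""
    return sum(1 for e in body.iter() if len(e) == 0 and (e.text or "").strip())

def classify(baseline_xml, probe_xml):
    """Label the reply to a payload-bearing request relative to a benign baseline."""
    base, probe = soap_body(baseline_xml), soap_body(probe_xml)
    if base is None or probe is None:
        return "not-soap"
    fault = probe.find(ENV + "Fault")
    if fault is not None:
        # faultcode is a QName such as "soap:Server" or "soap:Client.Parse".
        code = (fault.findtext("faultcode") or "").split(":")[-1].split(".")[0]
        # Client: the message was incorrectly formed, so a fault here points at
        # the test request, not the service. Server: processing itself failed.
        return "request-rejected" if code == "Client" else "error-on-interface"
    if data_leaves(probe) > data_leaves(base):
        return "more-data-than-baseline"
    return "no-anomaly"

def envelope(inner):
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            "<soap:Body>" + inner + "</soap:Body></soap:Envelope>")

# Constructed sample replies (not captured from any real service).
BASELINE = envelope("<getUserResponse><user><name>alice</name></user></getUserResponse>")
ALL_TRUE = envelope("<getUserResponse><user><name>alice</name></user><user>"
                    "<name>bob</name></user><user><name>carol</name></user></getUserResponse>")
SERVER_FAULT = envelope("<soap:Fault><faultcode>soap:Server</faultcode>"
                        "<faultstring>Unhandled exception</faultstring></soap:Fault>")
CLIENT_FAULT = envelope("<soap:Fault><faultcode>soap:Client</faultcode>"
                        "<faultstring>XML parse error</faultstring></soap:Fault>")

def demo():
    probes = {"all_true": ALL_TRUE, "quote": SERVER_FAULT, "malformed": CLIENT_FAULT}
    return {name: classify(BASELINE, xml) for name, xml in probes.items()}
```

A "request-rejected" result should be excluded from the findings: it indicates that the test request broke the envelope, which is the false-positive case the paragraph above aims to minimize.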