Browse Prior Art Database

System, Method and Apparatus for Fixing Security Vulnerabilities in Web Services Automatically

IP.com Disclosure Number: IPCOM000200264D
Publication Date: 2010-Oct-03
Document File: 6 page(s) / 34K

Publishing Venue

The IP.com Prior Art Database

Abstract

Web services are a widespread technology that is exposed to various security vulnerabilities. While automated tools are able to scan Web services and find security vulnerabilities the burden of fixing those vulnerabilities are left to developer, who may fix them incorrectly but in a way they won't be detectable by the automated scanners. The idea of the invention is create automatic patches for vulnerable web services using WSDL and WS-Policy standards.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 47% of the total text.

Page 01 of 6

Ȉ ˇ ˄ ˙ ˄ ˝ ˙ ˛ Ȉ

Ȉ ˄˄

Ȉ ˄˄ Ȉ ˄˄

Web services are a widespread technology that enables
efficient and robust interaction between different entities
across the Web. As such, they are exposed to many of the
security vulnerabilities typically associated with Web
applications, including SQL injection, log forging, command
execution, and many other top-ranking vulnerabilities. While
automated tools are able to scan Web services and find
security vulnerabilities latent in them, we are not aware of
any academic algorithm or commercial product that has the
ability to automatically remedy the found vulnerabilities.

Our invention is concerned with automatically generating fixes
for secuirty vulnerabilities found in Web services. This is
done according to the following steps:
1. A (static or dynamic) security analysis tool is run, and
its output is made visible to our engine.
2. Our engine inspects the report, and for each
finding---based on the type of vulnerability and the
vulnerable entities---generates a custom remediation policy
using the WS-Policy standard, and make references to this
custom policy from the WSDL file associated with the Web
service.
3. Finally, our engine also adds custom handlers to the Web
service's policy parser to enable the processing of the newly
defined policy elements.

In what follows, we provide the concrete details of the
process outlined above. We do this through reference to an
exemplary WSDL file:

WSDL File


<definitions name="StockQuote"

targetNamespace="http://example.com/stockquote.wsdl"
xmlns:tns="http://example.com/stockquote.wsdl"
xmlns:xsd1="http://example.com/stockquote.xsd"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns="http://schemas.xmlsoap.org/wsdl/">

      <schema targetNamespace="
http://example.com/stockquote.xsd"
xmlns="http://www.w3.org/2000/10/XMLSchema">

                   <element name="tickerSymbol"
type="string"/>

Ȉ ˇ ˄ ˙ ˄ ˝ ˙ ˛ Ȉ

Ȉ ˇ ˄ ˙ ˄ ˝ ˙ ˛ Ȉ Ȉ ˇ ˄ ˙ ˄ ˝ ˙ ˛ Ȉ


Page 02 of 6

   <binding name="StockQuoteSoapBinding"
type="tns:StockQuotePortType">

       <soap:binding style="document" transport="
http://schemas.xmlsoap.org/soap/http"/>

         <soap:operation soapAction="
http://example.com/GetLastTradePrice"/>

       

My first service


<port name="StockQuotePort"
binding="tns:StockQuoteBinding">

         <soap:address location="
http://example.com/stockquote"/>

Assume that a securiy analysis has been run on the Web service
corresponding to the above WSDL file, and one of its findings

2


Page 03 of 6

is a vulnerability of type SQLi

associated with parameter 'tickerSymbol' (of type string). (As
mentioned already, analyses for Web services are already
commercially available, and include, e.g., IBM RAtional
AppScan SE, which is a black-box tool.)

    To remedy the vulnerability automatically, our tool would
take the following steps:
1. It will attach a policy to the WSDL file, which would
instruct the Web service to first sanitize the relevant
parameter and only then pass it to the business logic. This
attachment is implemented using the WS...