
Approach to Testing and Codification of Web Services Attacks (abstract)

An earlier research project carried out by the CADS team developed a prototype testing harness that enabled manual re-configuration and testing of XML attacks. Manual testing made it apparent that thorough testing, especially reconfiguring and re-running attacks for each possible configuration along the dimensions of vulnerability, requires a great deal of repetitive and time-consuming configuration, which should be automated. This paper describes a system for automatically testing the effectiveness of network attacks on XML-enabled applications. It describes a testing harness developed for verifying a large number of attack approaches on the attacker end and software configurations on the target end. A design for a new harness has been developed that allows the user to specify the attack instances dimension in the form of a single type spanning attack application, and the concrete application data chain dimension in the form of an abstract application data chain and a single Web service script. A request to test an attack type can be made through a web interface. The paper also discusses the uses of virtualization in automatic testing and configuration management.

To be published