My task regarding this master’s thesis was to overview the IT security related problems and vulnerabilities in web services. Web services are used in various environments and for various tasks, by using them large businesses can securely manage for example the communication between systems working with critical and sensitive data.
Using the risk management methodology applied in the field of IT security I studied the risk assessment and mitigation tactics proposed by NIST and OWASP. Following these methodologies I analysed some of the most critical well-known vulnerabilities in web services, had a general risk assessment for them and collected the risk mitigation factors which could be applied against these threats. I tried to use real-world examples wherever I could to demonstrate these security issues.
Following the risk management methodology (and an attacker’s typical methods) I gathered information about the available tools and methods for penetrating web services without known vulnerabilities. Using such security testing methods I ran several tests against Microsoft Windows Server 2008’s WinRM service, SQL Server 2005’s and Oracle 11g XDB’s web services. To validate these test methods I ran the same tests successfully against Oracle 9i Release 2, which had known buffer overflow vulnerability. Using the SPIKE fuzz testing framework I found the vulnerability, which can lead to remote code execution, however in the other target systems I haven’t identified any security problems.
As a result of this analysis I gained comprehensive knowledge in security of web services and identified some problems and missing features in the available testing tools. I believe it may worth to implement later these missing features in an open-source project.