Web services are essential for online interactions, supporting critical tasks like banking and shopping, but their importance also makes them prime targets for attacks. Attackers try to manipulate data by injecting malicious code, potentially compromising systems. Current approaches to preventing such attacks use techniques like attack grammars, symbolic execution, or machine learning to detect vulnerabilities, or manually embed malicious payloads; these can miss parts of the service under test.
In this paper, we propose XAVIER, a framework for detecting XML injection (XMLi) vulnerabilities. By leveraging the WSDL specification of a web service, XAVIER crafts XML messages that reflect the service’s functionality, enabling the examination of web services for XMLi vulnerabilities. Results show that XAVIER performs as well as, or better than, the state-of-the-art tool, SOAP UI PRO. Unlike the latter, XAVIER is open source and extensible, providing a platform for future research in the field.
Fri 27 Jun (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)
16:00 - 17:30 | Fuzzing and Search-Based Testing | Research Papers / Tool Demonstrations at Cosmos 3C | Chair(s): Thuan Pham (University of Melbourne)
16:00 | 25m | Talk | ZTaint-Havoc: From Havoc Mode to Zero-Execution Fuzzing-Driven Taint Inference | Research Papers | Yuchong Xie (Hong Kong University of Science and Technology), Wenhui Zhang (Hunan University, Changsha, China), Dongdong She (HKUST, The Hong Kong University of Science and Technology)
16:25 | 25m | Talk | WildSync: Automated Fuzzing Harness Synthesis via Wild API Usage Recovery | Research Papers
16:50 | 25m | Talk | FANDANGO: Evolving Language-Based Testing | Research Papers | José Antonio Zamudio Amaya (CISPA Helmholtz Center for Information Security), Marius Smytzek (CISPA Helmholtz Center for Information Security), Andreas Zeller (CISPA Helmholtz Center for Information Security)
17:15 | 15m | Demonstration | XAVIER: Grammar-Based Testing for XML Injection Attacks | Tool Demonstrations | Paul Kalbitzer, José Antonio Zamudio Amaya (CISPA Helmholtz Center for Information Security), Andreas Zeller (CISPA Helmholtz Center for Information Security)
Cosmos 3C is the third room in the Cosmos 3 wing.
When facing the main Cosmos Hall, access to the Cosmos 3 wing is on the left, close to the stairs. The area is accessed through a large door with the number “3”, which will stay open during the event.