Adding Security to Web Services: An Automatic, Verifiable, and Centralized Mechanism for Web Services Input Validation

Abstract

Accepting unvalidated input is considered today's greatest web security threat. This master's thesis addresses that threat by proposing an automatic and centralized mechanism for validating web services input. By building on existing web services standards, the proposed solution intercepts incoming web service requests and validates them against a security policy. A major design goal for this work was to realize web services input validation without modifying existing functionality. That is, the input validation security mechanism should be added out of code. This is achieved by keeping the web services and the validation mechanism separate. Input validation configuration is accomplished by modifying a configuration file. Even when the validation mechanism logic is correct, it may not function as intended. Such anomalies are in most cases caused by human-introduced errors in the configuration file, resulting in the need for a configuration file verification tool. This thesis proposes a verification tool that quantifies the level of security by analyzing the configuration file.