JSW 2019 Vol.14(11): 530-547 ISSN: 1796-217X
doi: 10.17706/jsw.14.11.530-547
doi: 10.17706/jsw.14.11.530-547
Cross Site Scripting Vulnerabilities in JAX-RS: A Security Approach
John Velandia*, Jessica Ortiz , Julian Sierra, Roger Guzman
Faculty of Engineering, Universidad Cato lica de Colombia, Bogota , Colombia.
Abstract—Restful services are concerned with the integration of software systems using HTTP as base. Research studies addressing security assessments over JAX-RS are scarce, even more in Cross Site Scripting (XSS), which is a sort of attack that consists of stealing data or phishing. Thus, the aim of this paper is to present an assessment of the vulnerabilities over JAX-RS implementations when a XSS attack is involved. The assessment comprises: (1) selection of attack methods, (2) programming and assessing of attacks throughout dynamic programming and recursive methods; (3) identifying the vulnerabilities by means of a mathematical model, which determines the level of security of implementations. As a proof of concept, a prototype is implemented to demonstrate how the guideline is applied. Additionally, controls are proposed for every vulnerability identified.
Index Terms—JAX-RS, Restful services, vulnerability, security, cross site scripting, dynamic programming, apache CXF, RestEasy, Jersey, Restlet.
Abstract—Restful services are concerned with the integration of software systems using HTTP as base. Research studies addressing security assessments over JAX-RS are scarce, even more in Cross Site Scripting (XSS), which is a sort of attack that consists of stealing data or phishing. Thus, the aim of this paper is to present an assessment of the vulnerabilities over JAX-RS implementations when a XSS attack is involved. The assessment comprises: (1) selection of attack methods, (2) programming and assessing of attacks throughout dynamic programming and recursive methods; (3) identifying the vulnerabilities by means of a mathematical model, which determines the level of security of implementations. As a proof of concept, a prototype is implemented to demonstrate how the guideline is applied. Additionally, controls are proposed for every vulnerability identified.
Index Terms—JAX-RS, Restful services, vulnerability, security, cross site scripting, dynamic programming, apache CXF, RestEasy, Jersey, Restlet.
Cite: John Velandia*, Jessica Ortiz , Julian Sierra, Roger Guzman, "Cross Site Scripting Vulnerabilities in JAX-RS: A Security Approach," Journal of Software vol. 14, no. 11, pp. 530-547, 2019.
General Information
ISSN: 1796-217X (Online)
Frequency: Bimonthly
Editor-in-Chief: Prof. Antanas Verikas
Executive Editor: Ms. Yoyo Y. Zhou
Abstracting/ Indexing: DBLP, EBSCO, CNKI, Google Scholar, ProQuest, INSPEC(IET), ULRICH's Periodicals Directory, WorldCat, etc
E-mail: jsw@iap.org
-
Apr 26, 2021 News!
Vol 14, No 4- Vol 14, No 12 has been indexed by IET-(Inspec) [Click]
-
Nov 18, 2021 News!
Papers published in JSW Vol 16, No 1- Vol 16, No 6 have been indexed by DBLP [Click]
-
Dec 24, 2021 News!
Vol 15, No 1- Vol 15, No 6 has been indexed by IET-(Inspec) [Click]
-
Nov 18, 2021 News!
[CFP] 2022 the annual meeting of JSW Editorial Board, ICCSM 2022, will be held in Rome, Italy, July 21-23, 2022 [Click]
-
Jul 26, 2022 News!
Vol 17, No 5 has been published with online version [Click]