JSW 2019 Vol.14(11): 530-547 ISSN: 1796-217X
doi: 10.17706/jsw.14.11.530-547
Cross Site Scripting Vulnerabilities in JAX-RS: A Security Approach
John Velandia*, Jessica Ortiz, Julian Sierra, Roger Guzman
Faculty of Engineering, Universidad Católica de Colombia, Bogotá, Colombia.
Abstract—RESTful services are concerned with the integration of software systems using HTTP as their base. Research studies addressing security assessments of JAX-RS are scarce, even more so for Cross Site Scripting (XSS), a kind of attack that consists of stealing data or phishing. Thus, the aim of this paper is to present an assessment of the vulnerabilities of JAX-RS implementations when an XSS attack is involved. The assessment comprises: (1) selection of attack methods; (2) programming and assessing of attacks through dynamic programming and recursive methods; (3) identifying the vulnerabilities by means of a mathematical model, which determines the level of security of the implementations. As a proof of concept, a prototype is implemented to demonstrate how the guideline is applied. Additionally, controls are proposed for every vulnerability identified.
Index Terms—JAX-RS, RESTful services, vulnerability, security, cross site scripting, dynamic programming, Apache CXF, RESTEasy, Jersey, Restlet.
Cite: John Velandia*, Jessica Ortiz, Julian Sierra, Roger Guzman, "Cross Site Scripting Vulnerabilities in JAX-RS: A Security Approach," Journal of Software vol. 14, no. 11, pp. 530-547, 2019.