Two Level Security Approaches System Architecture for Secure XML Database Centric Web Services against XPath Injections


ziah Asmawi, Lilly Suriani Affendey, Nur Izura Udzir, Ramlan Mahmod



Web Services, Blind XPath Injection, Model-Based, Hotspot


Web services are deployed using the eXtensible Markup Language (XML), an independent language for easy transport and storage of data. As an important means of transporting data, Web services have become increasingly vulnerable to malicious attacks that can affect essential properties of information systems such as confidentiality, integrity, or availability. Like any other application that accepts data submitted by outside users, Web services can be susceptible to code injection attacks, specifically XPath (XML Path Language) injection attacks. This kind of attack can cause serious damage to the database at the backend of a Web service as well as to the data within it. To cope with this attack, it is necessary to develop effective and efficient security mechanisms that address threats from various angles, both outsider and insider. This paper addresses both outsider and insider threats with respect to XPath injections in providing a secure mechanism for XML database-centric Web services. We propose a two-level security approach as the overall solution for XML database-centric Web services. The first approach focuses on preventing malicious XPath input within the Web service application. To address XPath injections, we propose a model-based validation (XIPS) for XPath injection attack prevention in Web service applications. The second approach focuses on preventing insider threats within the XML database. To deal with insider threats, we propose a severity-aware trust-based access control model (XTrust) against malicious XPath code in the XML database.
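The abstract describes model-based validation at the points ("hotspots") where a Web service assembles an XPath query from user input. The following added example is not code from the paper or from XIPS; it is a simplified illustration of the idea, written here with the Python standard library. At development time the hotspot's query template is reduced to a structural model (its token sequence with every literal collapsed to a placeholder); at runtime the assembled query must still match that model before it is executed, so an input that adds operators or predicates is rejected rather than run. The tokenizer, the `build_role_query` hotspot and the sample user document are all assumptions constructed for this example.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample user store for the example (not from the paper).
USERS_XML = """<users>
  <user><name>alice</name><role>admin</role></user>
  <user><name>bob</name><role>reader</role></user>
</users>"""

# Token grammar for the XPath 1.0 subset a lookup hotspot typically uses.
TOKEN_RE = re.compile(r"""
      '[^']*'                      # single-quoted string literal
    | "[^"]*"                      # double-quoted string literal
    | \d+(?:\.\d+)?                # number literal
    | //|/|\.\.|\.|::|\(|\)|\[|\]  # path and grouping punctuation
    | !=|<=|>=|=|<|>|@|\||,|\*     # operators
    | [A-Za-z_][\w.-]*             # names, axes, functions, 'and', 'or'
""", re.VERBOSE)


def tokenize(xpath):
    """Split an XPath string into tokens; raise if any part is unparseable
    (e.g. an unterminated quote left behind by a stray quote in user input)."""
    tokens, pos = [], 0
    while pos < len(xpath):
        if xpath[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(xpath, pos)
        if m is None:
            raise ValueError(f"cannot tokenize XPath at offset {pos}: {xpath[pos:]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


def shape(xpath):
    """The query's model: its token sequence with every literal replaced by LIT."""
    return tuple("LIT" if t[0] in "'\"" or t[0].isdigit() else t
                 for t in tokenize(xpath))


# The hotspot: user-controlled data is spliced straight into the query string.
# This is the pattern that makes XPath injection possible in the first place.
def build_role_query(name):
    return f".//user[name='{name}']/role"


# Captured once at development time from the hotspot's template.
ROLE_QUERY_MODEL = shape(build_role_query("TEMPLATE"))


def validate_against_model(xpath, model):
    """True only if the runtime query has exactly the structure of the model."""
    try:
        return shape(xpath) == model
    except ValueError:
        return False  # untokenizable query can never match the model


def lookup_role(users_xml, name):
    """Runtime hotspot guard: validate the assembled query, then execute it."""
    query = build_role_query(name)
    if not validate_against_model(query, ROLE_QUERY_MODEL):
        raise ValueError("query structure deviates from model; input rejected")
    root = ET.fromstring(users_xml)
    node = root.find(query)
    return node.text if node is not None else None


if __name__ == "__main__":
    print(lookup_role(USERS_XML, "alice"))                        # admin
    print(validate_against_model(build_role_query("' or '1'='1"),
                                 ROLE_QUERY_MODEL))              # False
```

A tautology-style input such as `' or '1'='1` turns the single `LIT` of the model into `LIT or LIT = LIT`, so the structural comparison fails before the engine ever evaluates the query; a lone stray quote leaves an unterminated literal that the tokenizer refuses. The structural check constrains only the shape of the query, not the content of the literal, so where the XPath engine supports variable binding (parameterised XPath), that should remain the primary defence and a model check of this kind the second layer.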

