Detection of Lightweight Directory Access Protocol Query Injection Attacks in Web Applications

The Lightweight Directory Access Protocol (LDAP) is a common protocol used in organizations for Directory Service. LDAP is popular because of its features such as representation of data objects in hierarchical form, being open source and relying on TCP/IP, which is necessary for Internet access. However, with LDAP being used in a large number of web applications, different types of LDAP injection attacks are becoming common. The idea behind LDAP injection attacks is to take advantage of an application not validating inputs before being used as part of LDAP queries. An attacker can provide inputs that may result in alteration of intended LDAP query structure. LDAP injection attacks can lead to various types of security breaches including (i) Login Bypass, (ii) Information Disclosure, (iii) Privilege Escalation, and (iv) Information Alteration. Despite many research efforts focused on traditional SQL Injection attacks, most of the proposed techniques cannot be suitably applied for mitigating LDAP injection attacks due to syntactic and semantic differences between LDAP and SQL queries. Many implemented web applications remain vulnerable to LDAP injection attacks. In particular, there has been little attention for testing web applications to detect the presence of LDAP query injection attacks. The aim of this thesis is two folds: First, study various types of LDAP injection attacks and vulnerabilities reported in the literature. The planned research is to critically examine and evaluate existing injection mitigation techniques using a set of open source applications reported to be vulnerable to LDAP query injection attacks. Second, propose an approach to detect LDAP injection attacks by generating test cases when developing secure web applications. In particular, the thesis focuses on specifying signatures for detecting LDAP injection attack types using Object Constraint Language (OCL) and evaluates the proposed approach using PHP web applications. We also measure the effectiveness of generated test cases using a metric named Mutation Score

Combining SOA and BPM Technologies for Cross-System Process Automation

This paper summarizes the results of an industry case study that introduced a cross-system business process automation solution based on a combination of SOA and BPM standard technologies (i.e., BPMN, BPEL, WSDL). Besides discussing major weaknesses of the existing, custom-built, solution and comparing them against experiences with the developed prototype, the paper presents a course of action for transforming the current solution into the proposed solution. This includes a general approach, consisting of four distinct steps, as well as specific action items that are to be performed for every step. The discussion also covers language and tool support and challenges arising from the transformation

Automated Realistic Test Input Generation and Cost Reduction in Service-centric System Testing

Service-centric System Testing (ScST) is more challenging than testing traditional software due to the complexity of service technologies and the limitations that are imposed by the SOA environment. One of the most important problems in ScST is the problem of realistic test data generation. Realistic test data is often generated manually or using an existing source, thus it is hard to automate and laborious to generate. One of the limitations that makes ScST challenging is the cost associated with invoking services during testing process. This thesis aims to provide solutions to the aforementioned problems, automated realistic input generation and cost reduction in ScST. To address automation in realistic test data generation, the concept of Service-centric Test Data Generation (ScTDG) is presented, in which existing services used as realistic data sources. ScTDG minimises the need for tester input and dependence on existing data sources by automatically generating service compositions that can generate the required test data. In experimental analysis, our approach achieved between 93% and 100% success rates in generating realistic data while state-of-the-art automated test data generation achieved only between 2% and 34%. The thesis addresses cost concerns at test data generation level by enabling data source selection in ScTDG. Source selection in ScTDG has many dimensions such as cost, reliability and availability. This thesis formulates this problem as an optimisation problem and presents a multi-objective characterisation of service selection in ScTDG, aiming to reduce the cost of test data generation. A cost-aware pareto optimal test suite minimisation approach addressing testing cost concerns during test execution is also presented. The approach adapts traditional multi-objective minimisation approaches to ScST domain by formulating ScST concerns, such as invocation cost and test case reliability. In experimental analysis, the approach achieved reductions between 69% and 98.6% in monetary cost of service invocations during testin

Data-Driven Detection and Diagnosis of System-Level Failures in Middleware-Based Service Compositions

Service-oriented technologies have simplified the development of large, complex software systems that span administrative boundaries. Developers have been enabled to build applications as compositions of services through middleware that hides much of the underlying complexity. The resulting applications inhabit complex, multi-tier operating environments that pose many challenges to their reliable operation and often lead to failures at runtime. Two key aspects of the time to repair a failure are the time to its detection and to the diagnosis of its cause. The prevalent approach to detection and diagnosis is primarily based on ad-hoc monitoring as well as operator experience and intuition. This is inefficient and leads to decreased availability. We propose an approach to data-driven detection and diagnosis in order to decrease the repair time of failures in middleware-based service compositions. Data-driven diagnosis supports system operators with information about the operation and structure of a service composition. We discuss how middleware-based service compositions can be monitored in a comprehensive, yet non-intrusive manner and present a process to discover system structure by processing deployment information that is commonly reified in such systems. We perform a controlled experiment that compares the performance of 22 participants using either a standard or the data-driven approach to diagnose several failures injected into a real-world service composition. We find that system operators using the latter approach are able to achieve significantly higher success rates and lower diagnosis times. Data-driven detection is based on the automation of failure detection through applying an outlier detection technique to multi-variate monitoring data. We evaluate the effectiveness of one-class classification for this purpose and determine a simple approach to select subsets of metrics that afford highly accurate failure detection

Interactive assessment of simulated service qualities by business stakeholders: principles and research issues

We present the principles of an approach supporting the stakeholder involvement in a software process for service-oriented systems in a form of assessing the perceived quality of the software under development in its usage context. This method relies on interactive simulation of service performance and reliability; simulation models are parameterized by the factors influencing service execution; business stakeholders experience simulated service qualities in simulated usage contexts and assess this experience; the obtained assessments can be later used throughout the system lifecycle as a means of control for the quality of the software under development.Наведено принципи підходу, що підтримує участь зацікавлених осіб у процесі розробки сервіс-орієнтованих програмних систем у вигляді оцінювання сприйманої якості розроблюваної системи в контексті її використання. Цей підхід спирається на інтерактивне імітаційне моделювання продуктивності та надійності сервісів; параметрами імітаційних моделей є фактори, що впливають на виконання сервісів; зацікавлені особи висловлюють своє відношення до значень продуктивності та надійності, отриманих при взаємодії з імітаційними моделями якості сервісів у рамках виконання імітаційних моделей їх контекстів використання, надані оцінки можуть бути використані на різних етапах життєвого циклу програмного забезпечення як засоби контролю його якості

Resilient and Trustworthy Dynamic Data-driven Application Systems (DDDAS) Services for Crisis Management Environments

Future crisis management systems needresilient and trustworthy infrastructures to quickly develop reliable applications and processes, andensure end-to-end security, trust, and privacy. Due to the multiplicity and diversity of involved actors, volumes of data, and heterogeneity of shared information;crisis management systems tend to be highly vulnerable and subjectto unforeseen incidents. As a result, the dependability of crisis management systems can be at risk. This paper presents a cloud-based resilient and trustworthy infrastructure (known as rDaaS) to quickly develop secure crisis management systems. The rDaaS integrates the Dynamic Data-Driven Application Systems (DDDAS) paradigm into a service-oriented architecture over cloud technology and provides a set of resilient DDDAS-As-A Service (rDaaS) components to build secure and trusted adaptable crisis processes. The rDaaS also ensures resilience and security by obfuscating the execution environment and applying Behavior Software Encryption and Moving Technique Defense. A simulation environment for a nuclear plant crisis management case study is illustrated to build resilient and trusted crisis response processes

A service orientated architecture and wireless sensor network approach applied to the measurement and visualisation of a micro injection moulding process. Design, development and testing of an ESB based micro injection moulding platform using Google Gadgets and business processes for the integration of disparate hardware systems on the factory shop floor

Factory shop floors of the future will see a significant increase in interconnected devices for monitoring and control. However, if a Service Orientated Architecture (SOA) is implemented on all such devices then this will result in a large number of permutations of services and composite services. These services combined with other business level components can pose a huge challenge to manage as it is often difficult to keep an overview of all the devices, equipment and services. This thesis proposes an SOA based novel assimilation architecture for integrating disparate industrial hardware based processes and business processes of an enterprise in particular the plastics machinery environment. The key benefits of the proposed architecture are the reduction of complexity when integrating disparate hardware platforms; managing the associated services as well as allowing the Micro Injection Moulding (µIM) process to be monitored on the web through service and data integration. An Enterprise Service Bus (ESB) based middleware layer integrates the Wireless Sensor Network (WSN) based environmental and simulated machine process systems with frontend Google Gadgets (GGs) based web visualisation applications. A business process framework is proposed to manage and orchestrate the resulting services from the architecture. Results from the analysis of the WSN kits in terms of their usability and reliability showed that the Jennic WSN was easy to setup and had a reliable communication link in the polymer industrial environment with the PER being below 0.5%. The prototype Jennic WSN based µIM process monitoring system had limitations when monitoring high-resolution machine data, therefore a novel hybrid integration architecture was proposed. The assimilation architecture was implemented on a distributed server based test bed. Results from test scenarios showed that the architecture was highly scalable and could potentially allow a large number of disparate sensor based hardware systems and services to be hosted, managed, visualised and linked to form a cohesive business process

Journal of Telecommunications and Information Technology, 2014, nr 4

kwartalni