Title: JAX-RS security against code-injection attacks (original title: Seguridad de JAX-RS frente a ataques por inyección de código)
Authors: Fugo González, Juan Carlos
Rivera Oviedo, Jael Alexander
Advisor(s): Velandia Vega, John Alexander
Keywords: API; REST; CODE-INJECTION; JAX-RS; SECURITY; HTTP
Issue Date: 2016
Citation: Fuyo González, J. C. & Rivera Oviedo, J. A. (2017). Seguridad de JAX-RS frente a ataques por inyección de código. Undergraduate thesis (Trabajo de Grado). Universidad Católica de Colombia, Facultad de Ingeniería, Programa de Ingeniería de Sistemas. Bogotá, Colombia.
Abstract: Three code-injection attack algorithms are implemented. From these algorithms the requirements for designing and developing the prototype are defined; the application architecture is described, together with the test scenario that hosts the web services to be attacked. Finally, the vulnerability level found in each of the selected JAX-RS implementations is reported, and the work closes with an analysis of the results and the conclusions of the research.
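The record itself contains no code, so the following is an added example, not taken from the thesis or its prototype, of the pattern an injection-testing prototype probes in a JAX-RS service: one resource method that splices a path parameter straight into SQL text, beside the hardened form that binds the value as a parameter and allow-lists its shape. The resource class, the users table, and the JNDI name java:comp/DefaultDataSource (the Java EE 7 default data source) are assumptions made for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.annotation.Resource;
import javax.sql.DataSource;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Hypothetical JAX-RS resource written for this example; table "users"
// with columns name and email is assumed to exist in the bound data source.
@Path("/users")
@Produces(MediaType.TEXT_PLAIN)
public class UserResource {

    // Assumed container-managed data source (Java EE 7 default JNDI name).
    @Resource(lookup = "java:comp/DefaultDataSource")
    private DataSource ds;

    // VULNERABLE: the path segment becomes part of the SQL text, so
    //   GET /users/unsafe/x'%20OR%20'1'%3D'1
    // executes ... WHERE name = 'x' OR '1'='1' and returns every row.
    @GET
    @Path("/unsafe/{name}")
    public String findUnsafe(@PathParam("name") String name) {
        String sql = "SELECT email FROM users WHERE name = '" + name + "'";
        try (Connection c = ds.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        } catch (SQLException e) {
            // Do not echo the driver message: it leaks schema details to the attacker.
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    // HARDENED: the value travels as a bound parameter and never as SQL text;
    // the allow-list additionally rejects quotes, spaces and anything else that
    // is not a plain identifier, so the same payload gets a 400 instead of data.
    @GET
    @Path("/safe/{name}")
    public String findSafe(@PathParam("name") String name) {
        if (!name.matches("[A-Za-z0-9_.-]{1,64}")) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        String sql = "SELECT email FROM users WHERE name = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        } catch (SQLException e) {
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    // Reads the email column of every row into one newline-separated string.
    private static String collect(ResultSet rs) throws SQLException {
        StringBuilder out = new StringBuilder();
        while (rs.next()) {
            out.append(rs.getString("email")).append('\n');
        }
        return out.toString();
    }
}
```

Deployed in any JAX-RS container, a request such as `curl "http://localhost:8080/app/users/unsafe/x'%20OR%20'1'%3D'1"` dumps the whole table from the first method, while the same payload against `/users/safe/...` is refused before a query is built. The prepared statement alone is what closes the injection; the allow-list is defence in depth and also keeps the error path from revealing the database.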
Description: 105
URI: http://hdl.handle.net/10983/14720
Appears in Collections: ACI. Pregrado Sistemas

Files in This Item:
Documento.pdf (2.41 MB, Adobe PDF)
RAE.pdf (192.34 kB, Adobe PDF)