Browser unable to execute script; please use the site map to navigate the site.

A Taxonomy of Web Service Attacks

Chan, Olivier, and van Heerden


(Citation)Citation information

K. F. P. Chan, M. S. Olivier, and R. P. van Heerden. “A Taxonomy of Web Service Attacks”. In: Proceedings of ICIW 2013 — The 8th International Conference on Information Warfare and Security. Ed. by D. Hart. Denver, Colorado, USA: Academic Conferences and Publishing, Mar. 2013, pp. 34–42


Web Services (WS) have become a popular application of Service Oriented Architecture (SOA) in many organisations for financial, governmental and military purposes. This is due to WS’s ability to integrate seamlessly with other existing services and legacy systems in real time. This level of composition can create a chain of interdependencies between systems to address a complex transaction in real time. Such composition is possible using choreographies, orchestrations, dynamic invocations, and brokers. Messages are based on open standard web technologies, such as Simple Object Access Protocol (SOAP) and Extensible Markup Language (XML). As a result, WS can be deployed on any existing internet protocol. Unfortunately, such capability does not come without disadvantages. In addition to being exposed to internet protocol attacks, they are exposed to attacks that specifically target WS technologies. In the event of an attack, multiple organisations in the chain can be affected, resulting in services not being available and possible financial loss. In order to build more effective defence systems, one needs to understand the attacks and their effects. A taxonomy provides a way to understand attacks through its classification. However, there is a lack of standard classification of Web Service attacks. As such, a taxonomy of WS attacks is proposed. This paper begins by discussing possible WS attacks, supported by practical examples. The attacks are then grouped and classified based on three parameters: WS layer, attack methodology and effect. The resulting taxonomy helps to understand WS attacks. Furthermore, the proposed taxonomy provides the flexibility to classify new WS attacks in a SOA environment.

(Authoritative version on publisher's site)Definitive version

The definitive version of the paper is available from the publisher.
URL: //

(BibTeX record)BibTeX reference

author={Ka Fai Peter Chan and Martin S Olivier and van Heerden, Renier Pelser},
title={A Taxonomy of Web Service Attacks},
address={Denver, Colorado, USA},
booktitle={Proceedings of ICIW 2013 --- The 8th International Conference on Information Warfare and Security},
editor={Doug Hart},
publisher={Academic Conferences and Publishing},
year={2013} )