Open Access Open Access  Restricted Access Subscription or Fee Access

Design and Develop Misconfiguration Vulnerabilities Scanner for Web Applications

Aidmar Wainakh(1*), Ahmad Wabbi(2), Bassel Alkhatib(3)

(1) Syrian Virtual University, Syrian Arab Republic
(2) Syrian Virtual University, Syrian Arab Republic
(3) Faculty of Information Technology Engineering- Damascus University, Syrian Arab Republic
(*) Corresponding author


DOI: https://doi.org/10.15866/irecos.v9i10.3840

Abstract


Misconfiguration is one of the most critical Web vulnerabilities, still it does not receive enough attention. Applying general security practices and general remediation proved inefficiency in dealing with this type of vulnerabilities. In this research, we discuss and highlight several issues in order to enhance misconfiguration detection, quantifying and fixing. Our approach detects misconfiguration based on extended set of security-related configurations, then quantify the vulnerabilities according to the environment characteristics, using the most recent scoring standard in this field and recommend customized secure remediation. We implemented our approach in a tool called MVS, and we were able to evaluate seven Apache-MySQL-PHP packages, ten open source Web applications and seven online websites. Our experiments revealed that the tool is able to detect misconfigurations at both the environment level and the application level, then recommend customized and secure remediation.
Copyright © 2014 Praise Worthy Prize - All rights reserved.

Keywords


Web Applications; Web Security; Vulnerability; Misconfiguration; CCSS; Customized Remediation

Full Text:

PDF


References


World Wide Web Size, “The size of the World Wide Web,” http://www.worldwideWebsize.com
http://dx.doi.org/10.1007/11280.1573-1413

WhiteHat. 2013. “Website Security Statistics Report,”.

J. Tudor. 2013. “Web Application Vulnerability Statistics 2013,” Context.

S. Zhang and M.D. Ernst. 2013. “Automated Diagnosis of Software Configuration Errors,” in ICSE.IEEE.
http://dx.doi.org/10.1109/icse.2013.6606577

D. Subramanian, H.T. Le, P.K.K. Loh and A.B. Premkumar. 2010. “Quantitative Evaluation of Related Web-based Vulnerabilities,” in SSIRI-C.IEEE.
http://dx.doi.org/10.1109/ssiri-c.2010.30

M.M. Casalino, M. Mangili, H. Plate, and S. E. Ponta. 2012. “Detection of Configuration Vulnerabilities in Distributed (Web) Environments,” CoRR, vol. abs/1206.6757.
http://dx.doi.org/10.1007/978-3-642-36883-7_9

B. Eshete, A. Villafiorita, and K. Weldemariam. 2011. “Early Detection of Security Misconfiguration Vulnerabilities in Web Applications,” in ARES. IEEE.
http://dx.doi.org/10.1109/ares.2011.31

B. Eshete, A. Villafiorita, K. Weldemariam, and M. Zulkernine. 2013. “Confeagle: Automated Analysis of Configuration Vulnerabilities in Web Applications,” in SERE.IEEE.
http://dx.doi.org/10.1109/sere.2013.30

OWASP. 2013. “OWASP Top 10 – 2013”.
http://dx.doi.org/10.1007/978-3-642-16120-9_10

PHP. 2013. “PHP Security Manual,” http://php.net/manual/en/security.php
http://dx.doi.org/10.1007/978-1-4302-0057-4

MySQL. 2013. “MySQL Secure Installation,” http://dev.mysql.com/doc/refman/5.0/en/mysql-secure-installation.html
http://dx.doi.org/10.1007/978-1-4302-0048-2_14

MySQL, “Security-Related mysqld Options and Variables” http://dev.mysql.com/doc/refman/5.0/en/security-options.html

Cyberciti. 2013. “Linux: 25 PHP Security Best Practices for Sys Admins,” http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html

TechRepublic. 2013. “10 things you should do to secure Apache,” http://www.techrepublic.com/blog/10things/10-things-you-should-do-to-secure-apache/477

Tecmint, “13 Apache Web Server Security and Hardening Tips,” http://www.tecmint.com/apache-security-tips/

OWASP, “PHP Configuration Cheat Sheet” https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet

Ch. Kumar. 2013. “10 Best Practices To Secure and Harden Your Apache Web Server,” http://chandank.com/security/10-best-practices-to-secure-and-harden-your-apache-Web-server

OWASP. 2013. “OWASP Configuration Guide,” https://www.owasp.org/index.php/Configuration.

Oracle. 2013. “Web Application Security Configuration Guide,” http://docs.oracle.com/cd/E28595 01/Web App Security Guide.pdf

High-Tech Bridge, “Web Applications Vulnerabilities CVSSv2 Calculator” https://www.htbridge.com/cvss_web_calculator/

NVD, “Common Vulnerability Scoring System Version 2 Calculator” http://nvd.nist.gov/cvss.cfm?calculator&version=2

S. Wieczorek. 2012. “Best Practice for Highest Performance,” http://www.mgt-commerce.com/blog/magento-on-steroids-best-practice-for-highest-performance/

Zakrani, A., Idri, A., Applying radial basis function neural networks based on fuzzy clustering to estimate web applications effort, (2010) International Review on Computers and Software (IRECOS), 5 (5), pp. 516-524.

Hamtini, T.M., Hudaib, A.A., Measuring e-learning web-based application usability, (2012) International Review on Computers and Software (IRECOS), 7 (1), pp. 67-73.

Priyadharshini, M., Baskaran, R., Balaji, N., Saleem Basha, M.S., Analysis on countering XML-based attacks in web services, (2013) International Review on Computers and Software (IRECOS), 8 (9), pp. 2197-2204.


Refbacks

  • There are currently no refbacks.



Please send any question about this web site to info@praiseworthyprize.com
Copyright © 2005-2019 Praise Worthy Prize