
Design and Develop Misconfiguration Vulnerabilities Scanner for Web Applications

Aidmar Wainakh(1*), Ahmad Wabbi(2), Bassel Alkhatib(3)

(1) Syrian Virtual University, Syrian Arab Republic
(2) Syrian Virtual University, Syrian Arab Republic
(3) Faculty of Information Technology Engineering- Damascus University, Syrian Arab Republic
(*) Corresponding author



Misconfiguration is one of the most critical Web vulnerabilities, yet it does not receive enough attention. Applying general security practices and general remediation has proved inefficient in dealing with this type of vulnerability. In this research, we discuss and highlight several issues in order to enhance the detection, quantification and fixing of misconfigurations. Our approach detects misconfigurations based on an extended set of security-related configurations, then quantifies the vulnerabilities according to the environment characteristics, using the most recent scoring standard in this field, and recommends customized secure remediation. We implemented our approach in a tool called MVS, and we were able to evaluate seven Apache-MySQL-PHP packages, ten open source Web applications and seven online websites. Our experiments revealed that the tool is able to detect misconfigurations at both the environment level and the application level, and then recommend customized and secure remediation.
Copyright © 2014 Praise Worthy Prize - All rights reserved.


Web Applications; Web Security; Vulnerability; Misconfiguration; CCSS; Customized Remediation





