Design and Develop Misconfiguration Vulnerabilities Scanner for Web Applications
DOI: https://doi.org/10.15866/irecos.v9i10.3840
Abstract
Misconfiguration is one of the most critical Web vulnerabilities, yet it does not receive enough attention. Applying general security practices and generic remediation has proved inefficient in dealing with this type of vulnerability. In this research, we discuss and highlight several issues in order to enhance the detection, quantification and fixing of misconfigurations. Our approach detects misconfigurations based on an extended set of security-related configurations, then quantifies the vulnerabilities according to the environment's characteristics, using the most recent scoring standard in this field, and recommends customized secure remediation. We implemented our approach in a tool called MVS, and we were able to evaluate seven Apache-MySQL-PHP packages, ten open source Web applications and seven online websites. Our experiments revealed that the tool is able to detect misconfigurations at both the environment level and the application level, and then recommend customized and secure remediation.
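As an added example (not the MVS tool described in the paper), the following scanner illustrates the three steps the abstract names for the PHP part of an Apache-MySQL-PHP stack: it parses php.ini-style configuration, flags insecure directive values against a rule set, quantifies each finding with a CVSSv2 base score whose Access Vector depends on whether the host is network-exposed, and prints a recommended setting. The rule set, its metric vectors and the sample php.ini fragment are this example's own assumptions.

```python
import re
# CVSSv2 base-metric weights (values from the CVSSv2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

def cvss2_base(av, ac, au, c, i, a):
    """CVSSv2 base score, rounded to one decimal as the specification requires."""
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * (1.176 if impact else 0.0), 1)
# Assumed rule set: directive -> (PHP built-in default, insecure when enabled?,
# AC, Au, C, I, A, recommended setting). The metric vectors are this example's choices.
RULES = {
    "display_errors": ("1", True, "L", "N", "P", "N", "N", "display_errors = Off"),
    "expose_php": ("1", True, "L", "N", "P", "N", "N", "expose_php = Off"),
    "allow_url_include": ("0", True, "M", "N", "C", "C", "C", "allow_url_include = Off"),
    "session.cookie_httponly": ("0", False, "M", "N", "P", "N", "N", "session.cookie_httponly = On"),
}
ENABLED = {"on", "1", "true", "yes"}

def parse_ini(text):
    """Parse php.ini-style text: ';' comments and [sections] are skipped, keys lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*=\s*(.*)$", line)
        if m:
            conf[m.group(1).lower()] = m.group(2).strip().strip('"').lower()
    return conf

def scan(text, network_exposed=True):
    """Return [(directive, effective value, CVSSv2 score, remediation)], highest score first."""
    conf = parse_ini(text)
    av = "N" if network_exposed else "L"   # environment characteristic drives Access Vector
    findings = []
    for key, (default, bad_if_on, ac, au, c, i, a, fix) in RULES.items():
        value = conf.get(key, default)       # a missing directive takes PHP's built-in default
        if (value in ENABLED) == bad_if_on:
            findings.append((key, value, cvss2_base(av, ac, au, c, i, a), fix))
    return sorted(findings, key=lambda f: -f[2])

SAMPLE_INI = (  # constructed php.ini fragment used as sample input
    "[PHP]\ndisplay_errors = On\n"
    'allow_url_include = "1"  ; quoted value, still enabled\n'
    "; expose_php and session.cookie_httponly are not set, so built-in defaults apply\n")
if __name__ == "__main__":
    print(*[f"{s:4.1f}  {d} = {v!r}  -> {fix}" for d, v, s, fix in scan(SAMPLE_INI)], sep="\n")
```

Running it on the sample ranks allow_url_include (9.3) above display_errors and the defaulted expose_php (5.0 each) and session.cookie_httponly (4.3); passing network_exposed=False lowers every score to reflect a host reachable only locally.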
Copyright © 2014 Praise Worthy Prize - All rights reserved.