Design and Develop Misconfiguration Vulnerabilities Scanner for Web Applications
Security misconfiguration is one of the most critical classes of Web vulnerability, yet it does not receive enough attention. Applying generic security practices and generic remediation has proved ineffective in dealing with this type of vulnerability. In this research we discuss and highlight several issues in order to improve the detection, quantification and fixing of misconfigurations. Our approach detects misconfigurations against an extended set of security-related configuration directives, quantifies each vulnerability according to the characteristics of the deployment environment using the most recent scoring standard in this field, and recommends customized, secure remediation. We implemented the approach in a tool called MVS and evaluated it on seven Apache-MySQL-PHP packages, ten open source Web applications and seven online websites. Our experiments show that the tool detects misconfigurations at both the environment level (Web server, database and language runtime settings) and the application level, and then recommends customized and secure remediation.
Copyright © 2014 Praise Worthy Prize - All rights reserved.
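The abstract describes three steps: check configuration files against a set of security-related directives, score each finding according to the deployment environment, and recommend a concrete fix. The following Python is an added illustration of that pipeline, not the MVS tool from the paper: the rule set (a few well-known php.ini and my.cnf hardening directives), the 0-10 severity numbers, the production/development and internet/intranet adjustments, and the sample configuration excerpts are all assumptions constructed for this example and are not CVSS vectors or data from the paper.

```python
"""Minimal misconfiguration scanner for PHP and MySQL configuration files.

Added illustration, not the paper's MVS tool: the rule set, the 0-10
severity numbers and the environment adjustment are assumptions chosen for
this example, not CVSS scores or anything taken from the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    component: str       # "php" or "mysql"
    directive: str       # directive name as written in php.ini / my.cnf
    bad_values: tuple    # values that count as a misconfiguration; None = absent
    base_score: float    # illustrative severity 0-10 (assumption, not CVSS)
    prod_only: bool      # only a finding when the environment is production
    fix: str             # recommended secure setting


# Assumed rule set: a handful of well-known hardening directives.
RULES = (
    Rule("php", "display_errors", ("on", "1", "stdout"), 4.0, True, "display_errors = Off"),
    Rule("php", "expose_php", ("on", "1"), 2.0, False, "expose_php = Off"),
    Rule("php", "allow_url_fopen", ("on", "1"), 4.0, False, "allow_url_fopen = Off"),
    Rule("php", "allow_url_include", ("on", "1"), 7.5, False, "allow_url_include = Off"),
    Rule("mysql", "local-infile", ("1", "on"), 5.0, False, "local-infile = 0"),
    Rule("mysql", "skip-networking", (None,), 4.5, True,
         "skip-networking (or bind-address = 127.0.0.1 if TCP access is required)"),
)


def parse_ini(text):
    """Parse ini-style text into {directive: value}; a bare directive maps to 'on'."""
    settings = {}
    for raw in text.splitlines():
        # strip both comment styles (php.ini uses ';', my.cnf uses '#')
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue  # blank line or [section] header
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        value = value.strip().strip("\"'").lower() if sep else "on"
        settings[key] = value
    return settings


def scan(php_ini, my_cnf, environment="production", exposure="internet"):
    """Return findings scored for the given environment, highest score first."""
    configs = {"php": parse_ini(php_ini), "mysql": parse_ini(my_cnf)}
    # Assumed environment adjustment: an intranet-only host scores 30% lower.
    factor = 1.0 if exposure == "internet" else 0.7
    findings = []
    for rule in RULES:
        if rule.prod_only and environment != "production":
            continue  # e.g. display_errors=On is acceptable on a developer box
        value = configs[rule.component].get(rule.directive)
        if value in rule.bad_values:
            findings.append({
                "component": rule.component,
                "directive": rule.directive,
                "value": "<absent>" if value is None else value,
                "score": round(rule.base_score * factor, 1),
                "fix": rule.fix,
            })
    return sorted(findings, key=lambda f: -f["score"])


def total_score(findings):
    """Aggregate severity of all findings (simple sum; an assumption)."""
    return round(sum(f["score"] for f in findings), 1)


# Constructed sample inputs, not taken from any real deployment.
SAMPLE_PHP_INI = """
; constructed php.ini excerpt
display_errors = On
expose_php = On
allow_url_fopen = On
allow_url_include = Off
"""

SAMPLE_MY_CNF = """
# constructed my.cnf excerpt
[mysqld]
local-infile=1
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PHP_INI, SAMPLE_MY_CNF):
        print(f"[{f['score']:>4}] {f['component']}:{f['directive']}={f['value']}  -> {f['fix']}")
    print("total:", total_score(scan(SAMPLE_PHP_INI, SAMPLE_MY_CNF)))
```

Running the sample in production mode reports five findings (the missing `skip-networking` counts as one, since an absent directive is as much a misconfiguration as a wrong value); switching `environment="development"` drops the two production-only rules, which is the kind of environment-dependent quantification the abstract refers to. A real scanner would also need to read Apache directives and application-level settings, which this example omits.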