Early Detection of Security Misconfiguration Vulnerabilities in Web Applications

This paper presents a web-based tool that supplements defenses against security misconfiguration vulnerabilities in web applications. The tool automatically audits the security configuration settings of the server environments used to develop and deploy web applications, can automatically adjust those settings, and quantitatively rates the level of safety of a server environment before a web application is deployed on it. Using the tool, we evaluated eleven server packages for Apache, PHP and MySQL across three operating system platforms. The evaluation showed that the tool audits the current security configuration settings and alerts users to fix the server environment so that it reaches the level of safety of the recommended configurations for real-life web application deployment.
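As an added illustration of the audit, adjust and rate cycle the abstract describes (this is not the paper's tool; the rule table, the weights and the percentage scoring are assumptions made for the example, and the configuration fragments are constructed), the following Python script parses php.ini, httpd.conf and my.cnf style text, compares a handful of well-known hardening directives against their recommended values, reports a safety score with the failing settings, and appends corrective lines so that a second audit passes:

```python
"""Minimal server-configuration auditor in the spirit of the tool the abstract
describes.  Added example: not the paper's tool.  The rule table, weights and
scoring below are representative hardening guidance assumed for illustration."""
from dataclasses import dataclass

# Canonical spellings for boolean-like values so "0", "Off" and "false" compare equal.
BOOL_ALIASES = {"0": "off", "false": "off", "no": "off", "none": "off",
                "1": "on", "true": "on", "yes": "on"}


def normalize(value):
    v = value.strip().strip('"').lower()
    return BOOL_ALIASES.get(v, v)


@dataclass(frozen=True)
class Rule:
    component: str   # "php", "apache" or "mysql"
    key: str         # directive name, lower-cased
    expected: str    # normalized safe value
    weight: int      # contribution to the safety score (assumed weights)
    fix: str         # configuration line that satisfies the rule


RULES = [
    Rule("php", "display_errors", "off", 2, "display_errors = Off"),
    Rule("php", "expose_php", "off", 1, "expose_php = Off"),
    Rule("php", "allow_url_include", "off", 3, "allow_url_include = Off"),
    Rule("php", "session.cookie_httponly", "on", 2, "session.cookie_httponly = 1"),
    Rule("apache", "servertokens", "prod", 1, "ServerTokens Prod"),
    Rule("apache", "serversignature", "off", 1, "ServerSignature Off"),
    Rule("apache", "traceenable", "off", 2, "TraceEnable Off"),
    Rule("mysql", "local-infile", "off", 3, "local-infile=0"),
    Rule("mysql", "bind-address", "127.0.0.1", 2, "bind-address=127.0.0.1"),
]


def parse_ini(text):
    """php.ini / my.cnf style: 'key = value' or bare flag lines; ';' and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line or line.startswith("["):      # skip blanks and [section] headers
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = normalize(value)
        else:
            settings[line.lower()] = "on"          # bare flag such as skip-networking
    return settings


def parse_apache(text):
    """httpd.conf style: 'Directive value...' lines; a later occurrence overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):       # skip blanks and <Directory>-style tags
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = normalize(parts[1]) if len(parts) > 1 else ""
    return settings


PARSERS = {"php": parse_ini, "apache": parse_apache, "mysql": parse_ini}


def audit(configs):
    """configs maps component -> config text. Returns (safety score 0-100, findings)."""
    parsed = {c: PARSERS[c](configs.get(c, "")) for c in PARSERS}
    findings, earned, total = [], 0, 0
    for rule in RULES:
        total += rule.weight
        actual = parsed[rule.component].get(rule.key)
        if actual == rule.expected:
            earned += rule.weight
        else:
            findings.append((rule.component, rule.key, actual, rule.fix))
    return round(100 * earned / total), findings


def harden(configs, findings):
    """Append the recommended line for every finding; the later line overrides the weak value."""
    fixed = dict(configs)
    for component, _key, _actual, fix in findings:
        fixed[component] = fixed.get(component, "").rstrip("\n") + "\n" + fix + "\n"
    return fixed


# Constructed configuration fragments for a deliberately weak server environment.
WEAK = {
    "php": "display_errors = On\nexpose_php = On\nallow_url_include = Off\n"
           "session.cookie_httponly = 0\n",
    "apache": "ServerTokens Full\nServerSignature On\nTraceEnable Off\n"
              '<Directory "/var/www">\n    Options Indexes FollowSymLinks\n</Directory>\n',
    "mysql": "[mysqld]\nlocal-infile=1\nbind-address=0.0.0.0\n",
}

if __name__ == "__main__":
    score, findings = audit(WEAK)
    print(f"safety score before: {score}%")
    for component, key, actual, fix in findings:
        print(f"  [{component}] {key} = {actual!r}  ->  {fix}")
    print(f"safety score after hardening: {audit(harden(WEAK, findings))[0]}%")
```

The weak environment scores 29% with seven findings; after `harden` appends the recommended lines, a second `audit` returns 100% with no findings. A real auditor would also have to read the files the running daemons actually load (including conf.d includes and per-directory overrides) rather than a single fragment, which is where most misconfiguration scanners go wrong.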
