Title :
Confeagle: Automated Analysis of Configuration Vulnerabilities in Web Applications
Author :
Eshete, Birhanu ; Villafiorita, Adolfo ; Weldemariam, Komminist ; Zulkernine, Mohammad
Author_Institution :
Fondazione Bruno Kessler, Trento, Italy
Abstract :
Web applications and server environments hosting them rely on configuration settings that influence their security, usability, and performance. Misconfiguration results in severe security vulnerabilities. Recent trends show that misconfiguration is among the top critical risks in web applications. While effective at uncovering numerous classes of vulnerabilities, generic web application vulnerability scanners are limited in identifying configuration vulnerabilities. In this paper, we present an approach that effectively combines hierarchical configuration scanning and preliminary source code analysis of web applications to pinpoint potential configuration vulnerabilities, quantify the degree of severity based on standard metrics, and facilitate fixing of vulnerabilities found therein. We implemented our approach in a tool called Confeagle and evaluated it on 14 widely deployed PHP web applications. Unlike generic web vulnerability scanners, on the subject applications, Confeagle detected potential configuration vulnerabilities that could result in information disclosure, denial-of-service, and session hijacking attacks on the applications.
Keywords :
Internet; security of data; Confeagle tool; PHP web application; Web application vulnerability scanner; Web server environment; configuration setting; configuration vulnerability analysis; denial-of-service attack; hierarchical configuration scanning; information disclosure attack; preliminary source code analysis; security vulnerability; session hijacking attack; Availability; Gold; Measurement; Runtime; Security; Servers; Standards; Common Configuration Scoring System (CCSS); Security Configuration; Vulnerability Analysis; Web Applications
Conference_Title :
Software Security and Reliability (SERE), 2013 IEEE 7th International Conference on
Conference_Location :
Gaithersburg, MD
Print_ISBN :
978-1-4799-0406-8
DOI :
10.1109/SERE.2013.30