Vulnerabilities Assessment of Emerging Web-based Services in Developing Countries

Автор: Abdus Satter, B M Mainul Hossain

Журнал: International Journal of Information Engineering and Electronic Business(IJIEEB) @ijieeb

Статья в выпуске: 5 vol.8, 2016 года.

Бесплатный доступ

To cope up with the pace of digitalization all over the world, like developed countries, developing countries are also offering services to its citizens through various online portals, web applications and web sites. Unfortunately, due to the lack of consideration on vulnerability issues during the development phase, many of those web based services are suffering from serious security threats. For these developing countries, vulnerability statistics are required to have insight about the current security status of the provided web services. That statistical data can assist the stakeholders to take appropriate actions against cyberattacks. In this work, we conduct a survey to observe the responses of web based services against four most commonly found web attacks called Man in the Middle, SQL Injection, Cross Site Scripting and Denial of Service. We carry out the survey for 30 websites (applications) of Bangladesh as the country has been focusing on digitalization of government services for the last few years and has already been offering various online services to its citizens. Among the 30 websites of several categories, result shows that approximately 77% sites are vulnerable to Man in the Middle attack whereas 3% are vulnerable to SQL Injection and Cross Site Scripting.

Еще

Man in the Middle, Denial of Service, Cross Site Scripting, Web Vulnerabilities, SQL Injection

Короткий адрес: https://sciup.org/15013473

IDR: 15013473

Список литературы Vulnerabilities Assessment of Emerging Web-based Services in Developing Countries

  • S. Chander and A. Kush, "Web portal analysis of asian region countries," IJIEEB, vol. 4, no. 5, pp. 25–32, Oct. 2012.
  • D. Turner, S. Entwisle, O. Friedrichs, D. Ahmad, D. Hanson, M. Fossi, S. Gordon, P. Szor, E. Chien, D. Cowings et al., "Symantec internet security threat report: trends for July 2004-december 2004," Retrieved July, vol. 30, p. 2005, 2005.
  • R. Johari and P. Sharma, "A survey on web application vulnerabilities (sqlia, xss) exploitation and security engine for sql injection," in Communication Systems and Network Technologies (CSNT), 2012 International Conference on. IEEE, 2012, pp. 453–458.
  • R. Halder and A. Cortesi, "Obfuscation-based analysis of sql injection attacks," in Computers and Communications (ISCC), 2010 IEEE Symposium on, June 2010, pp. 931–938.
  • C. Sharma and S. C. Jain, "Analysis and classification of sql injection vulnerabilities and attacks on web applications," in Advances in Engineering and Technology Research (ICAETR), 2014 International Conference on, Aug 2014, pp. 1–6.
  • M. K. Gupta, M. C. Govil, and G. Singh, "Predicting cross-site scripting (xss) security vulnerabilities in web applications," in Computer Science and Software Engineering (JCSSE), 2015 12th International Joint Conference on, July 2015, pp. 162–167.
  • T. S. Rocha and E. Souto, "Etssdetector: A tool to automatically detect cross-site scripting vulnerabilities," in Network Computing and Applications (NCA), 2014 IEEE 13th International Symposium on, Aug 2014, pp. 306–309.
  • M. K. Gupta, M. C. Govil, G. Singh, and P. Sharma, "Xssdm: Towards detection and mitigation of cross-site scripting vulnerabilities in web applications," in Advances in Computing, Communications and Informatics (ICACCI), 2015 International Conference on, Aug 2015, pp. 2010–2015
  • V. Kumar, S. Chakraborty, F. A. Barbhuiya, and S. Nandi, "Detection of stealth man-in-the-middle attack in wireless lan," in Parallel Distributed and Grid Computing (PDGC), 2012 2nd IEEE International Conference on, Dec 2012, pp. 290–295.
  • V. A. Vallivaara, M. Sailio, and K. Halunen, "Detecting man-in-the-middle attacks on non-mobile systems," in Proceedings of the 4th ACM Conf. on Data and Application Security and Privacy, ser. CODASPY '14. New York, NY, USA: ACM, 2014, pp. 131–134. Available: http://doi.acm.org/10.1145/2557547.2557579
  • K. K. More and P. B. Gosavi, "A survey on effective way of detecting denial-of-service attack using multivariate correlation analysis," in 2015 International Conference on Applied and Theoretical Computing and Communication Technology (iCATccT), Oct 2015, pp. 246–250.
  • Q. Zhu, Z. Yizhi, and X. Chuiyi, "Research and survey of low-rate denial of service attacks," in Advanced Communication Technology (ICACT), 2011 13th International Conference on, Feb 2011, pp. 1195–1198.
  • R. K. P. Arun and S. Selvakumar, "Distributed denial-of-service (ddos) threat in collaborative environment - a survey on ddos attack tools and trace back mechanisms," in Advance Computing Conference, 2009. IACC 2009. IEEE International, March 2009, pp. 1275–1280.
  • O. A. Batarfi, A. M. Alshiky, A. A. Almarzuki, and N. A. Farraj, "Csrfdtool: Automated detection and prevention of a reflected cross-site request forgery," IJIEEB, vol. 6, no. 5, pp. 10–15, Oct. 2014.
  • M. Grechanik, B. M. M. Hossain, U. Buy, and H. Wang, "Preventing database deadlocks in applications," in Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, ser. ESEC/FSE. New York, USA: ACM, 2013, pp. 356–366. [Online]. Available: http://doi.acm.org/10.1145/2491411.2491412
Еще
Статья научная