An Architecture for Misconfiguration Patching of Web Services: A Case Study of Apache Server
Services are usually left in their default configuration and are therefore exposed to vulnerabilities, because that configuration is not security-hardened. Web services are so widespread that they are targets of intrusion attempts exploiting vulnerabilities discovered by attackers. This work proposes an architecture for patching Web service misconfigurations related to known vulnerabilities. The approach underlying this architecture first retrieves and structures the anti-vulnerability measures published by the official service vendors. Second, it evaluates the risk level of the current configuration state using the Common Vulnerability Scoring System (CVSS). The proposed approach has been applied to the Apache server for four vulnerabilities: version discovery, XSS, SQL injection and denial of service. Experimental results in a vulnerable environment show that the proposed approach considerably reduces vulnerabilities compared to similar solutions.
Copyright (c) 2019 International Journal of Computer (IJC)
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.