Vulnerabilities of Government Websites in a Developing Country – the Case of Burkina Faso
Slowly, but consistently, the digital gap between developing and developed countries is being closed. Everyday, there are initiatives towards relying on ICT to simplify the interaction between citizens and their governments in developing countries. E-government is thus becoming a reality: in Burkina Faso, all government bodies are taking part in this movement with web portals dedicated to serving the public. Unfortunately, in this rush to promote government actions within this trend of digitization, little regards is given to the security of such web sites. In many cases, government highly critical web sites are simply produced in a product line fashion using Content Management Systems which the webmasters do not quite master.
We discuss in this study our findings on empirically assessing the security of government websites in Burkina Faso. By systematically scanning these websites for simple and well-known vulnerabilities, we were able to discover issues that deserved urgent attention. As an example, we were able to crawl from temporary backup files in a government web site all information (hostname, login and password in clear) to read and write directly in the database and for impersonating the administrator of the website. We also found that around 50 % of the government websites are built on top of platforms suffering from 14 publicly known vulnerabilities, and thus can be readily attacked by any hacker.
Keywordse-government Websites Security Vulnerabilities CMS Developing countries
- 1.Shteiman, B.: How your CMS could be breeding security vulnerabilities (2013). http://www.itproportal.com/2013/10/08/how-your-cms-could-be-breeding-security-vulnerabilities/
- 2.Bissyandé, T.F., Ouoba, J., Ahmat, D., Sawadogo, A.D., Sawadogo, Z.: Bootstrapping software engineering training in developing countries. In: Nungu, A., Pehrson, B., Sansa-Otim, J. (eds.) AFRICOMM 2014. LNICSSITE, vol. 147, pp. 261–268. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-16886-9_27 Google Scholar
- 4.Bissyandé, T.F., Réveillère, L., Lawall, J.L., Muller, G.: Diagnosys: automatic generation of a debugging interface to the linux kernel. In: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineerinh, ASE 2012 (2012)Google Scholar
- 5.Bissyandé, T.F., Réveillère, L., Lawall, J.L., Muller, G.: Ahead of time static analysis for automatic generation of debugging interfaces to the linux kernel. Autom. Softw. Eng. 23, 1–39 (2014)Google Scholar
- 6.Bissyandé, T.F., Thung, F., Lo, D., Jiang, L., Réveillere, L.: Popularity, interoperability, and impact of programming languages in 100,000 open source projects. In: Proceedings of the 37th Annual International Computer Software & Applications Conference, COMPSAC 2013, pp. 1–10 (2013)Google Scholar
- 9.Wang, J.A., Zhang, F., Xia, M.: Temporal metrics for software vulnerabilities. In: Proceedings of the 4th Annual Workshop on Cyber Security, Information Intelligence Research: Developing Strategies to Meet the Cyber Security and Information Intelligence Challenges Ahead, CSIIRW 2008, pp. 44:1–44:3. ACM, New York (2008). Observation of strains. Infect Dis Ther. 3(1), 35–43 (2011)Google Scholar
- 12.Ciampa, A., Visaggio, C.A., Di Penta, M.: A heuristic-based approach for detecting sql-injection vulnerabilities in web applications. In: Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS 2010, pp. 43–49. ACM, New York (2010)Google Scholar