Abstract
In the era of technology, attack on computer infrastructure is considered as the most severe threat. Web server is one of the most important components of this infrastructure. Preventive measures must be taken to deal with these attacks on the web servers. For this reason, vulnerability detection needs to be carried out in an effective way and should be mitigated as soon as possible. In this paper, an effective framework for vulnerability detection of web application is proposed. This framework targets the web applications developed with content management systems (CMSs). It obtains prior knowledge of the vulnerable extensions of a specific CMS from its contributors. The framework is run against a target web server using a well-known port scanning tool, Nmap. It checks if there is any existing matches for the vulnerable extension installed in that web application. Finally, the framework gives an output comprised of the installed extensions along with the installed vulnerable extensions in that web application. Although the output result is shown in the Nmap console, the framework is a segregated entity that works in collaboration with Nmap. Thus this framework can be well-utilized by the security specialists to assess the security of a web application in an easier and effective way and also to evaluate vulnerability of web servers; hence shielding the web applications from various kinds of security threats.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Security auditor’s research assistant. http://www-arc.com/sara/. Accessed 29 Nov 2019
Saint cybersecurity solution. http://www.saintcorporation.com/. Accessed 29 Nov 2017
VLAD the scanner. http://www.decuslib.com/decus/vmslt00b/net/vlad_readme.html. Accessed 29 Nov 2017
Nessus vulnerability scanner. https://www.tenable.com/products/nessus-vulnerability-scanner. Accessed 29 Nov 2017
Lyon, G.F.: NMAP network scanning: the official NMAP project guide to network discovery and security scanning. Insecure (2009)
NSE-NMAP scripting engine. https://nmap.org/book/nse.html. Accessed 29 Nov 2017
Market share: top website platforms and example sites. https://websitesetup.org/popular-cms/. Accessed 29 Nov 2017
Kaluža, M., Vukelić, B., Rojko, T.: Content management system security. Zbornik Veleučilišta u Rijeci 4(1), 29–44 (2016)
Cernica, I.C., Popescu, N., Tiganoaia, B.: Security evaluation of WordPress backup plugins, pp. 312–316, May 2019. https://doi.org/10.1109/CSCS.2019.00056
Martinez-Caro, J.M., Aledo-Hernández, A.J., Guillen-Perez, A., Sanchez-Iborra, R., Cano, M.D.: A comparative study of web content management systems. Information 9, 27 (2018). https://doi.org/10.3390/info9020027
Website hacked trend report 2018. https://sucuri.net/reports/19-sucuri-2018-hacked-report.pdf. Accessed 24 Jan 2020
Meike, M., Sametinger, J., Wiesauer, A.: Security in open source web content management systems. IEEE Secur. Privacy 7(4), 44–51 (2009)
Yu, W.D., Aravind, D., Supthaweesuk, P.: Software vulnerability analysis for web services software systems. In: 2006 Proceedings of the 11th IEEE Symposium on Computers and Communications (ISCC 2006), pp. 740–748. IEEE (2006)
Scott, D., Sharp, R.: Developing secure web applications. IEEE Internet Comput. 6(6), 38–45 (2002)
Kals, S., Kirda, E., Kruegel, C., Jovanovic, N.: SecuBat: a web vulnerability scanner. In: Proceedings of the 15th International Conference on World Wide Web, pp. 247–256. ACM (2006)
Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: ACM SIGPLAN Notices, vol. 42, pp. 32–41. ACM (2007)
Huang, Y.W., Yu, F., Hang, C., Tsai, C.H., Lee, D.T., Kuo, S.Y.: Securing web application code by static analysis and runtime protection. In: Proceedings of the 13th International Conference on World Wide Web, pp. 40–52. ACM (2004)
Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on Security and Privacy, pp. 6-pp. IEEE (2006)
Fu, X., Lu, X., Peltsverger, B., Chen, S., Qian, K., Tao, L.: A static analysis framework for detecting SQL injection vulnerabilities. In: 31st Annual International Computer Software and Applications Conference (COMPSAC 2007), vol. 1, pp. 87–96. IEEE (2007)
Rosa, L., de Freitas, M.B., Mazo, S., Monteiro, E., Cruz, T., Simoes, P.: A comprehensive security analysis of a scada protocol: from OSINT to mitigation. IEEE Access 7, 42156–42168 (2019). https://doi.org/10.1109/ACCESS.2019.2906926
Basam, D., Ransbottom, J., Marchany, R., Tront, J.: Strengthening MT6D defenses with LXC-based honeypot capabilities. J. Electr. Comput. Eng. 2016, 1–13 (2016). https://doi.org/10.1155/2016/5212314
Rahalkar, S.: Introduction to NMAP. In: Rahalkar, S. (ed.) Quick Start Guide to Penetration Testing, pp. 20–39. Springer, Berkeley (2019). https://doi.org/10.1007/978-1-4842-4270-4_1
List of data in NSE libraries. https://svn.nmap.org/nmap/nselib/data/. Accessed 04 Sept 2019
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Asaduzzaman, M., Rawshan, P.P., Liya, N.N., Islam, M.N., Dutta, N.K. (2020). A Vulnerability Detection Framework for CMS Using Port Scanning Technique. In: Bhuiyan, T., Rahman, M.M., Ali, M.A. (eds) Cyber Security and Computer Science. ICONCS 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 325. Springer, Cham. https://doi.org/10.1007/978-3-030-52856-0_10
Download citation
DOI: https://doi.org/10.1007/978-3-030-52856-0_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-52855-3
Online ISBN: 978-3-030-52856-0
eBook Packages: Computer ScienceComputer Science (R0)