Security Analysis of Bioinformatics WEB Application
Bioinformatics is a subject that focuses on developing methods and software tools, especially web applications, to analyze, understand and utilize biological data. This scientific field attracts large research interest and has been developed rapidly in most aspects but not on security. The lack of security awareness of researchers and insufficient maintenance are the main reasons for security vulnerabilities of bioinformatics web application, such as SQL injection, XSS and file leakage, etc. In the paper, we perform security analysis for website URLs extracted from PubMed abstracts, which contains more than 20,000 URLs. The analysis includes server version CVE matching, HTTPS security evaluation, git leakage detection, and small-scale manual penetration testing. The result shows that the most commonly used server version is outdated and vulnerable. Particularly, only one-fourth HTTPS domains are secure based on our testing, which only count for 7.6% in the entire testing websites. Discovered vulnerabilities are reported to website manager by email and we receive positive feedbacks.
KeywordsBioinformatics WEB Security Git leakage
We would like to thank the anonymous reviewers for their valuable suggestions for improving this paper. We are also grateful to Yincong Zhou, Dahui Hu and Prof. Ming Chen of The Group of Bioinformatics of Zhejiang University for their work about DaTo and contribution to this work.
This work was partly supported by NSFC under No. 61772466, the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars under No. R19F020013, the Provincial Key Research and Development Program of Zhejiang, China under No. 2017C01055, the Fundamental Research Funds for the Central Universities, and the Alibaba-ZJU Joint Research Institute of Frontier Technologies. Technology Project of State Grid Zhejiang Electric Power co. LTD under NO. 5211HZ17000J.
- 1.Bioinformatics Wikipedia. https://en.wikipedia.org/wiki/Bioinformatics. Accessed 12 Oct 2018
- 3.Ranger, S. At $30,000 for a flaw, bug bounties are big and getting bigger – ZDNet. http://www.zdnet.com/article/at-30000-for-a-flaw-bug-bounties-are-big-and-getting-bigger/. Accessed 12 Oct 2018
- 5.About Us – Censys. https://censys.io/about. Accessed 12 Oct 2018
- 6.SSL Server Rating Guide. https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide. Accessed 12 Oct 2018
- 7.Stock, B., Pellegrino, G., Li, F., et al.: Didn’t you hear me? - towards more successful web vulnerability notifications. In: Network and Distributed System Security Symposium (2018)Google Scholar
- 8.CVE-2016-5195 in Ubuntu. https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html. Accessed 12 Oct 2018
- 9.OWASP Wikipedia. https://en.wikipedia.org/wiki/OWASP. Accessed 12 Oct 2018