
InECCE2019, pp 633-642

Quantitative Assessment of Remote Code Execution Vulnerability in Web Apps

  • Md Maruf Hassan
  • Umam Mustain
  • Sabira Khatun
  • Mohamad Shaiful Abdul Karim
  • Nazia Nishat
  • Mostafijur Rahman (email author)
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 632)

Abstract

With the exponentially increasing use of online tools and applications built for day-to-day purposes by small and large industries, the threat of exploitation is also increasing. Remote Code Execution (RCE) is one of the most critical and serious web application vulnerabilities of this era and one of the major concerns among cyber threats; it allows web servers to be exploited through their own functionality and their scripts/files. RCE is an application-layer vulnerability caused by careless coding practice, which leads to a huge security breach that may bring unwanted resource loss or damage. With this vulnerability, an attacker may execute malicious code and take complete control of the targeted system with the privileges of an authentic user. Attackers can attempt to escalate their privileges after gaining access to the system. Remote Code Execution can lead to a full compromise of the vulnerable web application as well as the web server. This chapter highlights the concerns and risks that the RCE vulnerability of a system raises and that need to be taken into consideration. Moreover, this study and its findings will help application developers and their stakeholders to understand the risk of data compromise and unauthorized access to the system. An exploitation algorithm is proposed to identify RCE vulnerability in web applications. Based on it, around 1011 web applications were taken under consideration, and experiments were conducted following a manual double-blinded penetration testing strategy. The experiments show that more than 12% of the web applications were found vulnerable to RCE. This study also explicitly lists the critical factors of Remote Code Execution vulnerability and improper input handling. The experimental results are promising and should motivate developers to focus on security enhancement through proper and safe input handling.

Keywords

Web application vulnerabilities; Remote code execution (RCE); Input validation; Data breach

Notes

Acknowledgements

The authors want to acknowledge and credit the Cyber Security Centre of Daffodil International University for help in conducting this study. They also want to show gratitude to the authorities of the organizations who gave permission to examine their web applications.

This research work is supported by the Fundamental Research Grant Scheme (FRGS), RDU190140, funded by the Ministry of Higher Education (MOHE). The authors would also like to thank the Faculty of Electrical & Electronics Engineering, Universiti Malaysia Pahang (https://www.ump.edu.my/) for financial support.

Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Md Maruf Hassan (1)
  • Umam Mustain (1)
  • Sabira Khatun (2)
  • Mohamad Shaiful Abdul Karim (2)
  • Nazia Nishat (1)
  • Mostafijur Rahman (1, email author)

  1. Department of Software Engineering, Daffodil International University, Dhaka, Bangladesh
  2. Faculty of Electrical and Electronics Engineering, Universiti Malaysia Pahang, Gambang, Malaysia
