Although substantial research effort has been invested in web application security for more than a decade, securing web applications remains a challenging problem. The main focus of the cybersecurity community has been on making operating systems and communication networks more secure and harder for attackers to penetrate, and the same holds for applications on the Internet in general. Web applications, however, differ from these in an important respect: the most frequently used web applications and user websites today are built with a Web Content Management System (WCMS), because a WCMS offers user-friendly access and easy development and operation. WCMSs are deployed all over the world in many different environments. Malware that penetrates a WCMS can significantly affect the system itself and can cause misconfiguration or other serious damage to the service offered. The security and stability of these systems are therefore important for reducing the risks and consequences of attacks on websites, or of website malfunction, caused by malware or other methods used by intruders.
This thesis presents a newly developed method for identifying vulnerable Internet websites built with WCMS applications. The research carried out within this thesis focused on investigating and developing methods to collect metadata about vulnerable web applications across the Internet. The main properties pursued were an acceptable speed of collecting data on vulnerable WCMS installations at large scale and an ethical vulnerability search method. The key feature of the developed method is its ability to perform automated, fast and dynamic vulnerability scans, at large scale, of websites built with a WCMS and of the plug-ins attached to them.
This thesis explores the state of WordPress website security based on vulnerabilities identified at global scale, with a focus on the web space of 30 European countries. The study covers the part of the web space where websites are built with the WordPress Content Management System (WPCMS), the most popular WCMS on the Internet; WPCMS websites account for a part of the whole world web space. The main part of the thesis presents a newly developed methodology for providing information about the vulnerability of the WPCMS core and of the plug-ins attached to a website. The methodology is implemented as a newly developed tool that was used for large-scale scanning of the Internet. The collected data feed a system that computes a security score for each website, and are then analysed in relation to several parameters identified as affecting the overall level of web space security in the countries studied.
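The abstract does not give the tool's internals, so the following is an added illustration (not the thesis's code) of the scan-and-score pipeline it describes: parse a fetched page for the WordPress core version and attached plug-in versions, compare them against a vulnerability table, and turn the result into a per-site score. The two fingerprints used, the `generator` meta tag and `/wp-content/plugins/<slug>/...?ver=<version>` asset URLs, are standard public WordPress markers that need no interaction beyond fetching the page. The vulnerability table, the plug-in slugs, the sample page and the scoring weights are constructed for this example and do not describe real advisories or the thesis's own scoring formula.

```python
"""Passive WordPress fingerprinting and scoring, added as an illustration of the
scan-and-score pipeline described in the thesis abstract. Parsing relies on two
public WordPress fingerprints: the generator meta tag and asset URLs under
/wp-content/plugins/<slug>/...?ver=<version>. The vulnerability table, plug-in
slugs, sample page and scoring weights are constructed for this example and do
not describe real advisories or the thesis's own scoring formula."""
import re

GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
# Captures the plug-in slug and, when present, the ?ver= query parameter that
# WordPress appends to enqueued assets. An empty second group means "no version".
PLUGIN_RE = re.compile(
    r'/wp-content/plugins/([a-z0-9_-]+)/[^"\'\s?]*(?:\?ver=([\d.]+))?', re.I)


def parse_version(v):
    """'5.2.3' -> (5, 2, 3); tuples compare correctly where strings would not ('5.10' > '5.9')."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def fingerprint(html):
    """Extract the core version and {plugin slug: version or None} from one HTML document."""
    core = GENERATOR_RE.search(html)
    plugins = {}
    for slug, ver in PLUGIN_RE.findall(html):
        slug = slug.lower()
        if ver:
            # Assets of one plug-in normally share a version; keep the highest seen.
            if plugins.get(slug) is None or parse_version(ver) > parse_version(plugins[slug]):
                plugins[slug] = ver
        else:
            plugins.setdefault(slug, None)
    return {"core": core.group(1) if core else None, "plugins": plugins}


# Constructed table (not real advisories): component -> [(version the issue is fixed in, severity)].
VULN_TABLE = {
    "core": [("5.2.4", 7.5), ("5.4.2", 6.1)],
    "demo-forms": [("1.5.0", 8.8)],
    "example-gallery": [("3.0.0", 5.3)],
}


def vulnerable(component, version):
    """Severities of table entries whose fix version is newer than the observed version."""
    observed = parse_version(version)
    return [sev for fixed, sev in VULN_TABLE.get(component, [])
            if observed < parse_version(fixed)]


def score(fp):
    """Assumed scheme: 100 minus 5 x the worst severity of each affected component,
    floored at 0. Plug-ins seen without a version are reported, not scored."""
    findings, unversioned = {}, []
    if fp["core"]:
        hits = vulnerable("core", fp["core"])
        if hits:
            findings["core"] = max(hits)
    for slug, ver in fp["plugins"].items():
        if ver is None:
            unversioned.append(slug)
            continue
        hits = vulnerable(slug, ver)
        if hits:
            findings[slug] = max(hits)
    penalty = sum(findings.values())
    return {
        "score": max(0.0, round(100 - 5 * penalty, 1)),
        "insecure": bool(findings),
        "findings": findings,
        "unversioned": sorted(unversioned),
    }


# Constructed sample page: outdated core, one vulnerable plug-in, one patched
# plug-in and one plug-in asset without a version parameter.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.2.3" />
<link rel="stylesheet" href="https://example.test/wp-content/plugins/demo-forms/css/styles.css?ver=1.4.0" />
<script src="https://example.test/wp-content/plugins/example-gallery/js/gallery.js?ver=3.2.1"></script>
<script src="https://example.test/wp-content/plugins/site-helper/js/main.js"></script>
<script src="https://example.test/wp-content/plugins/demo-forms/js/scripts.js?ver=1.4.0"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(score(fingerprint(SAMPLE_HTML)))
```

Two points a practitioner would carry over from this sketch to a real large-scale scanner: versions must be compared as tuples, not strings, or `5.10` sorts below `5.9`; and a plug-in observed without a `?ver=` parameter is a gap in the data rather than evidence of safety, so the example reports it separately instead of silently treating it as patched.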
The first part of the thesis gives the background of the field studied, provides an overview of previous research and compares the current vulnerability scanning methods. The overview gives a clear understanding of the applicability of the presented methods and of their benefits and drawbacks. Based on these findings, the development of the new method is presented together with the main features applied to enable fast scanning, data gathering and security scoring. Each property of the tool is compared with the corresponding property of existing similar tools, and the advantages of the tool are presented.
The purpose of the study was to show whether websites built with WPCMS differ in the percentage of secure websites between application sectors. No significant difference in the percentage of insecure websites across application sectors was found, with the exception of a lower average percentage of insecure websites in the news sector. Hosting several websites on the same server also does not appear to increase insecurity. Comparing the percentage of insecure WPCMS core versions between two periods of large-scale scanning showed that the percentage of detected insecure websites was lower in the later period. However, the presence of plug-ins remained the same, and plug-ins were found to be a risk factor that increases insecurity.
The impact of two parameters on the level of security is presented at the end of the thesis. A study of the European web space has shown that the level of Digital Skills (DS) of a country and, indirectly, a low cost of fixed Internet access normalised by the country's Gross National Income (GNI) are correlated with the percentage of secure websites, and consequently the security of websites built with WPCMS is also higher in those countries.