IJEME Vol. 12, No. 2, 8 Apr. 2022
Cover page and Table of Contents: PDF (size: 430KB)
Full Text (PDF, 430KB), PP.21-29
Views: 0 Downloads: 0
Website vulnerabilities, Firewalls, Top five vulnerabilities, Mitigation Techniques, Implementing Secure Websites.
The vision 2021 of Bangladesh had to transform into a digital country, where the digital platform was a significant part of it. To make a digital platform, the Bangladesh government announced plans to build web applications in government, non-government, financial, educational and other sectors. By increasing the number of websites, the security risk is growing because of vulnerable coding practices. If those security risks are not fixed, attackers could exploit these vulnerabilities and perform various malpractices like data breaches, injected spam content, spreading viruses, malicious redirects, Denial-of-service, or even website defacements. This paper focuses on vulnerability assessment on Bangladeshi government and financial websites to show the security posture of these sites. This study scanned and analyzed four types of risk alerts High, Medium, Low and Informational using Acunetix and ZAP tools. In addition, the selected top five vulnerabilities are CJ, MC, CSRF, ID and XSS in terms of single vulnerability-type detected for targeted websites. The report has described representing the security condition of Bangladesh official websites. Also, it provided mitigation techniques for these vulnerabilities to avoid security risk, which is less discussed in this country.
Md. Asaduzzaman Masum, Md. Rishad Istiak Sachcha, Abu Nayem, " Security Analysis of Government & Financial Websites of Bangladesh", International Journal of Education and Management Engineering (IJEME), Vol.12, No.2, pp. 21-29, 2022. DOI: 10.5815/ijeme.2022.02.03
[1]Alam D, Bhuiyan T, Kabir MA, Farah T. SQLi vulnerabilty in education sector websites of Bangladesh. In2015 Second International Conference on Information Security and Cyber Forensics (InfoSec) 2015 Nov 15 (pp. 152-157). IEEE.
[2]Alam D, Kabir MA, Bhuiyan T, Farah T. A case study of sql injection vulnerabilities assessment of. bd domain web applications. In2015 Fourth International Conference on Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec) 2015 Oct 29 (pp. 73-77). IEEE.
[3]Farah T, Alam D, Kabir MA, Bhuiyan T. SQLi penetration testing of financial Web applications: Investigation of Bangladesh region. In2015 World Congress on Internet Security (WorldCIS) 2015 Oct 19 (pp. 146-151). IEEE.
[4]Farah T, Shojol M, Hassan M, Alam D. Assessment of vulnerabilities of web applications of Bangladesh: A case study of XSS & CSRF. In2016 sixth international conference on digital information and communication technology and its applications (DICTAP) 2016 Jul 21 (pp. 74-78). IEEE.
[5]Moniruzzaman M, Chowdhury F, Ferdous MS. Measuring vulnerabilities of bangladeshi websites. In2019 International Conference on Electrical, Computer and Communication Engineering (ECCE) 2019 Feb 7 (pp. 1-7). IEEE.
[6]Rahman MA, Amjad M, Ahmed B, Siddik MS. Analyzing web application vulnerabilities: an empirical study on e-commerce sector in Bangladesh. InProceedings of the international conference on computing advancements 2020 Jan 10 (pp. 1-6).
[7]Hossain M, Hassan R, Amjad M, Rahman M. Web Performance Analysis: An Empirical Analysis of E-Commerce Sites in Bangladesh. International Journal of Information Engineering & Electronic Business. 2021 Aug 1;13(4).
[8]“U.N. Official Warns Cybercrime Up 600% During COVID-19 Pandemic”. Available: https://www.newsy.com/stories/u-n-warns-cybercrime-up-600-during-covid-19-pandemic/ [Accessed: June 2020]
[9]Lizonczyk P. CERN Web Application Detection. Refactoring and release as open-source software. 2015 Aug 28.
[10]Ted Holland, “Understanding IPS and IDS: Using IPS and IDS together for Defense in Depth”. Available https://www.sans.org/reading-room/whitepapers/detection/understanding-ips-ids-ips-ids-defense-in-depth-1381 [Accessed: February 2004].
[11]Li Y, Cheng J, Huang C, Chen Z, Niu W. NEDetector: Automatically extracting cybersecurity neologisms from hacker forums. Journal of Information Security and Applications. 2021 May 1;58:102784.
[12]Kals S, Kirda E, Kruegel C, Jovanovic N. Secubat: a web vulnerability scanner. InProceedings of the 15th international conference on World Wide Web 2006 May 23 (pp. 247-256).
[13]Bennetts S. Owasp zed attack proxy. AppSec USA. 2013.
[14]OWASP, “Top 10 Web Application Security Risks”, Available: https://owasp.org/www-project-top-ten/, [Accessed: April. 10, 2021].
[15]Netsparker, “Netsparker official Website”, Available: https://www.netsparker.com. [Accessed: Feb. 19, 2021].
[16]Portswigger, “Web Security Academy”, Available: https:// portswigger.net/web-security/. [Accessed: Feb 2, 2021].
[17]Baloch R. Ethical hacking and penetration testing guide. CRC Press; 2017 Sep 29.
[18]“Hackers Attack Every 39 Seconds” Available: https://www.securitymagazine.com/articles/87787-hackers-attack-every-39-seconds. [Accessed: Jan 2021]
[19]“The great Bangladesh cyber heist shows the truth is stranger than fiction” Available: https://www.dhakatribune.com/uncategorized/2016/03/12/the-great-bangladesh-cyber-heist-shows-truth-is-stranger-than-fiction [Accessed: Jan 2021]
[20]“Congresswoman wants probe of ‘brazen’ $81M theft from New York Fed” Available: https://nypost.com/2016/03/22/congresswoman-wants-probe-of-brazen-81m-theft-from-new-york-fed/ [Accessed: Feb 2, 2021]
[21]“Kaspersky Security Bulletin 2020. Overall statistics for 2015” Available: https://go.kaspersky.com/rs/802-IJN-240/images/KSB_statistics_2020_en.pdf [Accessed: Feb 2, 2021]
[22]Kumar P, Katti CP. A Parallel-SQLIA Detector for Web Security. International Journal of Information Engineering & Electronic Business. 2016 Mar 1;8(2).
[23]Batarfi OA, Alshiky AM, Almarzuki AA, Farraj NA. Csrfdtool: Automated detection and prevention of a reflected cross-site request forgery. International Journal of Information Engineering and Electronic Business. 2014 Oct 1;6(5):10.