Vulnerabilities Assessment of Financial and Government Websites: A Developing Country Perspective

Full Text (PDF, 751KB), PP.42-53

Views: 0 Downloads: 0

Author(s)

Md. Asif Khan Rifat 1 Yeasmin Sultana 1 B M Mainul Hossain 1,*

1. Institute of Information Technology, University of Dhaka, Dhaka 1000, Bangladesh

* Corresponding author.

DOI: https://doi.org/10.5815/ijieeb.2023.05.05

Received: 8 Jul. 2023 / Revised: 2 Aug. 2023 / Accepted: 20 Sep. 2023 / Published: 8 Oct. 2023

Index Terms

Web Security Vulnerabilities, CSRF, XSS, SQL Injection, CSP Header, OWASP Zap, Mitigation Techniques

Abstract

The growing number of web applications in a developing country like Bangladesh has led to an increase in cybercrime activities. This study focuses on measuring the vulnerabilities present in financial and government websites of Bangladesh to address the rising security concerns. We reviewed related works on web application vulnerability scanners, comparative studies on web application security parameters, surveys on web application penetration testing methodologies and tools, and security analyses of government and financial websites in Bangladesh. Existing studies in the context of developing countries have provided limited insight into web application vulnerabilities and their solutions. These studies have focused on specific vulnerabilities, lacked comprehensive evaluations of security parameters, and offered a limited comparative analysis of vulnerability scanners. Our study aims to address these gaps by conducting an in-depth analysis using the OWASP ZAP tool to scan and analyze risk alerts, including risk levels such as high, medium, low, and informational. Our investigation unveiled eight key vulnerabilities, including Hash Disclosure, SQL injection (SQLi), Cross-Site Request Forgery (CSRF), missing Content Security Policy (CSP) headers, Cross-Domain JavaScript File Inclusion, absence of X-Content-Type-Options headers, Cache-related concerns, and potential Cross-Site Scripting (XSS), which can lead to revealing hidden information, enabling malicious code, and failing to protect against specific types of attacks. In essence, this study does not only reveal major security weaknesses but also provides guidance on how to mitigate them, thereby playing a vital role in promoting enhanced cybersecurity practices within the nation.

Cite This Paper

Md. Asif Khan Rifat, Yeasmin Sultana, B M Mainul Hossain, "Vulnerabilities Assessment of Financial and Government Websites: A Developing Country Perspective", International Journal of Information Engineering and Electronic Business(IJIEEB), Vol.15, No.5, pp. 42-53, 2023. DOI:10.5815/ijieeb.2023.05.05

Reference

[1]N. James, “Cybersecurity Statistics 2023: Cyber Attacks Per Year & Industry Stats,” www.getastra.com, Dec. 19, 2022. https://www.getastra.com/blog/security-audit/cyber-security-statistics/ (accessed Jul. 03, 2023).
[2]L. Franceschi-Bicchierai, “Bangladesh government website leaks citizens’ personal data,” TechCrunch, Jul. 07, 2023. https://techcrunch.com/2023/07/07/bangladesh-government-website-leaks-citizens-personal-data/ (accessed Aug. 18, 2023).
[3]“25 Bangladeshi govt, private websites breached by Indian hackers,” Dhaka Tribune, Aug. 16, 2023. https://www.dhakatribune.com/bangladesh/322710/25-bangladeshi-govt-private-websites-breached-by (accessed Aug. 18, 2023).
[4]“Cyberattack targeting Bangladesh government websites leaves message demanding quota reform,” bdnews24.com, Apr. 11, 2018. https://bdnews24.com/bangladesh/most-websites-of-bangladesh-government-down (accessed Aug. 18, 2023).
[5]“Myanmar hackers attack Bangladesh govt site,” Dhaka Tribune, Sep. 09, 2017. https://www.dhakatribune.com/bangladesh/125183/myanmar-hackers-attack-bangladesh-govt-site (accessed Jul. 03, 2023).
[6]D. Alam, T. Bhuiyan, A. Kabir, and T. Farah, “SQLi vulnerabilty in education sector websites of Bangladesh,” 2015 Second International Conference on Information Security and Cyber Forensics (InfoSec), Nov. 2015, doi: https://doi.org/10.1109/infosec.2015.7435521.
[7]Moniruzzaman, F. Chowdhury, and S. Ferdous, “Measuring Vulnerabilities of Bangladeshi Websites,” 2019 International Conference on Electrical, Computer and Communication Engineering (ECCE), Feb. 2019, doi: https://doi.org/10.1109/ecace.2019.8679426.
[8]S. Alazmi and D. C. De Leon, “A Systematic Literature Review on the Characteristics and Effectiveness of Web Application Vulnerability Scanners,” IEEE Access, vol. 10, pp. 33200–33219, 2022, doi: https://doi.org/10.1109/access.2022.3161522.
[9]J. Shahid, M. K. Hameed, I. T. Javed, K. N. Qureshi, M. Ali, and N. Crespi, “A Comparative Study of Web Application Security Parameters: Current Trends and Future Directions,” Applied Sciences, vol. 12, no. 8, p. 4077, Apr. 2022, doi: https://doi.org/10.3390/app12084077.
[10]E. A. Altulaihan, A. Alismail, and M. Frikha, “A Survey on Web Application Penetration Testing,” Electronics, vol. 12, no. 5, p. 1229, Mar. 2023, doi: https://doi.org/10.3390/electronics12051229.
[11]Md. A. Masum, Md. R. Istiak Sachcha, and A. Nayem, “Security Analysis of Government & Financial Websites of Bangladesh,” International Journal of Education and Management Engineering, vol. 12, no. 2, pp. 21–29, Apr. 2022, doi: https://doi.org/10.5815/ijeme.2022.02.03.
[12]“Top Bangladeshi government websites in 2023,” Similarweb, Jul. 2023. https://www.similarweb.com/website/bangladesh.gov.bd (accessed Jul. 05, 2023).
[13]“Most Visited Investment Websites in Bangladesh 2023,” Semrush, Jul. 2023. https://www.semrush.com/trending-websites/bd/investment (accessed Jul. 05, 2023).
[14]“Identify technologies on websites,” Wappalyzer. https://www.wappalyzer.com/ (accessed Jul. 05, 2023).
[15]“wafw00f | Kali Linux Tools,” Kali Linux. https://www.kali.org/tools/wafw00f/ (accessed Jul. 05, 2023).
[16]“sublist3r | Kali Linux Tools,” Kali Linux. https://www.kali.org/tools/sublist3r/ (accessed Jul. 05, 2023).
[17]“OWASP ZAP,” Zaproxy. https://www.zaproxy.org/ (accessed Jul. 05, 2023).
[18]J. Williams, “OWASP Risk Rating Methodology,” owasp.org. https://owasp.org/www-community/OWASP_Risk_Rating_Methodology (accessed Aug. 18, 2023).
[19]“ZAP – Hash Disclosure,” www.zaproxy.org. https://www.zaproxy.org/docs/alerts/10097 (accessed Aug. 18, 2023).
[20]“SQL Injection Prevention Cheat Sheet,” Owasp.org, 2021. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html (accessed Jul. 05, 2023).
[21]“Content Security Policy (CSP) Header Not Set,” ScanRepeat. https://scanrepeat.com/web-security-knowledge-base/content-security-policy-csp-header-not-set (accessed Jul. 05, 2023).
[22]“OWASP ZAP – Cross-Domain JavaScript Source File Inclusion,” www.zaproxy.org. https://www.zaproxy.org/docs/alerts/10017/ (accessed Jul. 05, 2023).
[23]“OWASP ZAP – X-Content-Type-Options Header Missing,” www.zaproxy.org. https://www.zaproxy.org/docs/alerts/10021/ (accessed Jul. 05, 2023).
[24]“Retrieved from Cache,” ScanRepeat. https://scanrepeat.com/web-security-knowledge-base/retrieved-from-cache (accessed Jul. 05, 2023).
[25]“User controllable HTML element attribute (potential XSS),” ScanRepeat. https://scanrepeat.com/web-security-knowledge-base/user-controllable-html-element-attribute-potential-xss (accessed Jul. 05, 2023).