Quantitative Assessment on Remote Code Execution Vulnerability in Web Applications

Abstract

With the exponentially increasing use of online tools, applications that are being made for day to day purpose by small and large industries, the threat of exploitation is also increasing. Remote Code Execution (RCE) is a known threat that is considered one of the topmost critical and severe web applications vulnerability and one of the major concerns among cyber threats, which can exploit web servers through their functionalities and using their scripts/files. RCE is an application layer vulnerability caused by careless coding practice which leads to a huge security breach that may bring unwanted resource loss or damages. An attacker may run malicious code to take control of the besieged system with the privileges of avalidclient with this vulnerability. Then the attackers attempt to advance their privileges after gaining access to the system. Remote Code Execution can lead to a full compromise of the vulnerable web application as well as the web server. This chapter highlights the concern and risk needed to put under consideration caused by RCE vulnerability of a system. Moreover, this study and its findings will help application developers and its stakeholders to understand the risk of data compromise and unauthorized access to the system. Around 1011 web applications were taken under consideration and experiment was done by following manual double blinded penetration testing strategy. The experiments show that more than 12% of web application were found vulnerable to RCE. This study also explicitly listed the critical factors of Remote Code Execution vulnerability and improper input handling. The experimental results are promising to motivate developers to focus on security enhancement through proper and safe input handling.