DSpace Repository

Quantitative Assessment of Remote Code Execution Vulnerability in Web Apps

dc.contributor.author Hassan, Md Maruf
dc.contributor.author Mustain, Umam
dc.contributor.author Khatun, Sabira
dc.contributor.author Shaiful, Mohamad
dc.date.accessioned 2021-09-15T04:18:07Z
dc.date.available 2021-09-15T04:18:07Z
dc.date.issued 2020
dc.identifier.uri http://dspace.daffodilvarsity.edu.bd:8080/handle/123456789/6130
dc.description.abstract With the exponentially increasing use of online tools and applications built for day-to-day purposes by small and large industries, the threat of exploitation is also increasing. Remote Code Execution (RCE) is one of the most critical and serious web application vulnerabilities of this era and one of the major concerns among cyber threats; it can exploit web servers through their functionalities and by using their scripts/files. RCE is an application-layer vulnerability caused by careless coding practice, which leads to a huge security breach that may bring unwanted resource loss or damage. With this vulnerability, an attacker may execute malicious code and take complete control of the targeted system with the privileges of an authentic user. Attackers can attempt to advance their privileges after gaining access to the system. Remote Code Execution can lead to a full compromise of the vulnerable web application as well as the web server. This chapter highlights the concerns and risks posed by the RCE vulnerability of a system that need to be taken into consideration. Moreover, this study and its findings will help application developers and their stakeholders understand the risk of data compromise and unauthorized access to the system. An exploitation algorithm is proposed to identify RCE vulnerability in web applications. Based on it, around 1011 web applications were taken under consideration, and experiments were conducted following a manual double-blinded penetration testing strategy. The experiments show that more than 12% of the web applications were found vulnerable to RCE. This study also explicitly lists the critical factors of Remote Code Execution vulnerability and improper input handling. The experimental results are promising to motivate developers to focus on security enhancement through proper and safe input handling. en_US
dc.language.iso en_US en_US
dc.publisher Scopus en_US
dc.subject Web application vulnerabilities en_US
dc.subject Remote code execution (RCE) en_US
dc.subject Input validation en_US
dc.subject Data breach en_US
dc.title Quantitative Assessment of Remote Code Execution Vulnerability in Web Apps en_US
dc.type Article en_US

