Web resource security analysis based on CVSS metrics
https://doi.org/10.37661/1816-0301-2020-17-3-72-77
Abstract
Based on an analysis of vulnerability data for web resources and the CVSS metric (Common Vulnerability Scoring System, a standard for calculating a numerical vulnerability score on a ten-point scale), the distribution of the average CVSS score for the websites of the Republic of Belarus was studied. The hypothesis that the CVSS vulnerability score follows a Poisson distribution was tested using the chi-square criterion. It was found that about 10% of the web resources in the original sample of size 19000 have a critical average vulnerability score. As part of this work, a universal system has been developed for collecting technical information about active web resources on the Internet from public directories and registries. Specific search templates based on JavaScript RegExp expressions have been developed to detect the versions of the technologies used to create the websites. Based on this data, the percentage distribution of the technologies used, the top-level domains and the geographical location of the servers was calculated. The proposed system can be adapted to any specific conditions that information security specialists require to conduct a security audit of web resources.
About the Authors
Sh. R. Davlatov
Belarus
Shohrukh R. Davlatov, Postgraduate Student of the Department Information Security
Minsk
P. V. Kuchinsky
Pyotr V. Kuchinsky, Dr. Sci. (Phys.-Math.), Director
Minsk
Review
For citations:
Davlatov Sh.R., Kuchinsky, P.V. Web resource security analysis based on CVSS metrics. Informatics. 2020;17(3):72-77. (In Russ.) https://doi.org/10.37661/1816-0301-2020-17-3-72-77