How to best inform website owners about vulnerabilities on their websites

Hennig, Anne 1; Neusser, Fabian; Pawelek, Aleksandra Alicja; Herrmann, Dominik; Mayer, Peter 1
1 Institut für Angewandte Informatik und Formale Beschreibungsverfahren (AIFB), Karlsruher Institut für Technologie (KIT)

Abstract (English):

Background. Content management systems (CMS) provide default features that make it easy even for laypersons to create and maintain sophisticated websites [3]. But a CMS also poses a security risk. Not only can the CMS framework itself contain vulnerabilities; there is also a vast number of plugins and templates that may introduce vulnerabilities [3, 5]. We are looking for websites that are vulnerable to search engine spam (SEO spam) or pharma hacks, where an attacker deploys code on a website to redirect to fake web shops [11, 12]. The manipulation is not visible on the genuine website, but the sites appear in the search engine results as shops selling illegal or banned drugs / medicines, luxurious brand-name clothing, or expensive appliances for cheap. Often, the malicious code is hidden within the CSS files of a website and cannot be easily found, even by skilled developers [11].

Aim. Since the problem is not easy to detect and is only visible in a website's search results, most website owners have to rely on vulnerability notifications from the security community to be informed about the manipulation. In trying to create suitable vulnerability notifications with which we could inform website owners about the security issues, we conducted 25 semi-structured interviews with affected website owners and discussed their perception of vulnerability notifications with them. ...

DOI: 10.5445/IR/1000157146
Published on 21.03.2023
Affiliated institution(s) at KIT: Institut für Angewandte Informatik und Formale Beschreibungsverfahren (AIFB)
Kompetenzzentrum für angewandte Sicherheitstechnologie (KASTEL)
Publication type: Poster
Publication year: 2022
Language: English
Identifier: KITopen-ID: 1000157146
HGF programme: 46.23.01 (POF IV, LK 01) Methods for Engineering Secure Systems
Event: European Symposium on Usable Security (EuroUSEC 2022), Karlsruhe, Germany, 29.09.2022 – 30.09.2022
Project information: INSPECTION (BMBF, 16KIS1113)
External relations: Slides/Poster
