APPLYING OF ATTACK TREES FOR ESTIMATION THE PROBABILITY OF A SUCCESSFUL ATTACK OF THE WEB-APPLICATION

Артём Григорьевич Тецкий

Abstract


The development of technologies leads to the expansion of the range of services provided on the Internet, and online business is actively developing. As a rule, when a new Web resource for business is created, the main emphasis is on the need to stand out among the sites of competitors. Often, the owners of Web resources understand the possible consequences of a cyber-incident only after their resource has been attacked. This paper discusses the frequent causes of attacks on Web-applications created with content management systems. A content management system allows sites to be created without directly writing code. The main sources of information about frequent security problems of Web resources are documents of the organizations OWASP, SANS and Positive Technologies. Due to the high activity of intruders, it is necessary to create methods for assessing the security of the Web-application and methods for countering attacks. The paper substantiates the need to assess the probability of a successful attack on Web-applications. In practice, it is impossible to determine all possible attack scenarios, because each Web-application has its own functionality. The frequent attack scenarios on which the tree was built are investigated. The probabilities of the basic events are estimated by expert assessment, based on the results of a preliminary set of measures to identify security problems. The developed method of assessing security makes it possible to consider not only possible vulnerabilities in the source code, but also possible security policy violations. The proposed method can be applied by business entities working in the field of information security when choosing security measures for a particular Web-application. A further direction of research is the development of a method for choosing countermeasures based on the described method. The method should demonstrate the effect of each countermeasure on the probability of a successful attack.
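As an added illustration of the method the abstract describes (example code, not the paper's own), the following attack-tree evaluator computes the probability of the root goal from expert-estimated probabilities of the basic events and then shows how a single countermeasure changes that probability. It assumes that basic events are independent, that an OR gate succeeds when any child succeeds and an AND gate only when all children succeed; the node names and probability values in the sample tree are constructed and hypothetical, not taken from the paper.

```python
"""Attack-tree evaluation for a CMS-based Web-application.

Added example, not the paper's own code. It assumes that basic events are
independent, that an OR gate succeeds when any child succeeds and an AND gate
only when all children succeed, and that leaf probabilities come from expert
assessment. All node names and probability values below are constructed.
"""
import copy
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """One node of the attack tree: a gate (AND/OR) or a basic event (leaf)."""
    name: str
    gate: Optional[str] = None          # "AND", "OR", or None for a basic event
    probability: float = 0.0            # expert estimate; used for leaves only
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, probability: float) -> Node:
    """Basic event with an expert-assessed probability in [0, 1]."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability of '{name}' must lie in [0, 1]")
    return Node(name, probability=probability)


def any_of(name: str, *children: Node) -> Node:
    return Node(name, gate="OR", children=list(children))


def all_of(name: str, *children: Node) -> Node:
    return Node(name, gate="AND", children=list(children))


def success_probability(node: Node) -> float:
    """Probability that the (sub)goal at `node` is achieved."""
    if node.gate is None:
        return node.probability
    probs = [success_probability(child) for child in node.children]
    if node.gate == "AND":
        return math.prod(probs)
    if node.gate == "OR":
        # at least one child succeeds = 1 - (all children fail)
        return 1.0 - math.prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate '{node.gate}' at '{node.name}'")


def with_countermeasure(root: Node, leaf_name: str, new_probability: float) -> Node:
    """Copy of the tree in which one basic event's probability is replaced."""
    tree = copy.deepcopy(root)
    stack, found = [tree], False
    while stack:
        node = stack.pop()
        if node.gate is None and node.name == leaf_name:
            node.probability = new_probability
            found = True
        stack.extend(node.children)
    if not found:
        raise KeyError(f"no basic event named '{leaf_name}'")
    return tree


def countermeasure_effect(root: Node, leaf_name: str,
                          new_probability: float) -> Tuple[float, float]:
    """Root probability before and after one countermeasure is applied."""
    before = success_probability(root)
    after = success_probability(with_countermeasure(root, leaf_name, new_probability))
    return before, after


def rank_countermeasures(root: Node, candidates):
    """Order (leaf_name, new_probability) candidates by the resulting root
    probability, most effective (lowest remaining probability) first."""
    ranked = [(name, countermeasure_effect(root, name, p)[1]) for name, p in candidates]
    return sorted(ranked, key=lambda item: item[1])


# Constructed sample tree: hypothetical events and expert estimates.
WEAK_PASSWORD = "Weak administrator password (security policy violation)"
OUTDATED_PLUGIN = "Outdated plugin with a published vulnerability installed"
SAMPLE_TREE = any_of(
    "Unauthorized access to the CMS-based site",
    all_of(
        "Administrator account compromise",
        leaf(WEAK_PASSWORD, 0.3),
        leaf("No rate limiting or second factor on the login form", 0.8),
    ),
    all_of(
        "Exploitation of a vulnerable plugin",
        leaf(OUTDATED_PLUGIN, 0.4),
        leaf("Vulnerable plugin functionality reachable by anonymous users", 0.5),
    ),
    leaf("Insecure hosting or file-permission configuration", 0.1),
)

if __name__ == "__main__":
    print(f"P(successful attack) = {success_probability(SAMPLE_TREE):.4f}")  # 0.4528
    options = [(WEAK_PASSWORD, 0.05), (OUTDATED_PLUGIN, 0.05)]
    for name, p in rank_countermeasures(SAMPLE_TREE, options):
        print(f"  after addressing '{name}': {p:.4f}")
```

With the constructed estimates the root probability is 0.4528; enforcing a password policy (weak-password event reduced to 0.05) lowers it to 0.3088, while updating the plugin (event reduced to 0.05) lowers it to 0.3331, so the ranking favours the policy fix. The independence assumption is the main caveat: when two basic events share a cause (for example, both follow from an unmaintained site), the OR formula overstates how much each single countermeasure helps.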

Keywords


attack tree; Web-application; content management system; unauthorized access; cybersecurity

References


López, J. M., Pascual, A., Masip, L., Granollers, T., Cardet, X. Influence of web content management systems in web content accessibility. IFIP Conference on Human-Computer Interaction, Springer, Berlin, Heidelberg, 2011, pp. 548-551.

Slider Revolution Plugin Critical Vulnerability Being Exploited. Available at: https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html (accessed 7.09.2018).

Rehman, H., Nazir, M., Mustafa, K. Security of Web Application: State of the Art. Information, Communication and Computing Technology. ICICCT 2017. Communications in Computer and Information Science, Springer, Singapore, 2017, vol. 750, pp. 168-180.

Nagaraju, V., Fiondella, L., Wandji, T. A survey of fault and attack tree modeling and analysis for cyber risk management. Technologies for Homeland Security (HST), 2017 IEEE International Symposium, 2017, pp. 1-6.

Du, S., Zhu, H. Security assessment via attack tree model. Security Assessment in Vehicular Networks, Springer, New York, 2013, pp. 9-16.

Lepofsky, R. The manager's guide to web application security: a concise guide to the weaker side of the web. Apress, 2014. 232 p.

Tetskyi, A., Kharchenko, V., Uzun, D. Analysis of the Possibilities of Unauthorized Access in Content Management Systems Using Attack Trees. Proc. PhD Symposium at ICTERI 2018, Kyiv, Ukraine, May 14-17, 2018, CEUR-WS, vol. 2122, pp. 16-25.

Avtomatizirovannyi analiz koda: statistika uyazvimostei veb-prilozhenii za 2017 god [Automated code analysis: Web application vulnerability statistics for 2017]. Positive Technologies. Available at: https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/PT-AI-Statistics-rus.pdf (accessed 7.09.2018).

Yu, X., Jiang, G. A Web Security Testing Method Based on Web Application Structure. Cloud Computing and Security. Lecture Notes in Computer Science, Springer, Cham, 2015, vol. 9483, pp. 244-258.

Zech, P., Felderer, M., Breu, R. Knowledge-based security testing of web applications by logic programming. International Journal on Software Tools for Technology Transfer, Springer, Berlin, Heidelberg, 2017, pp. 1-26.

National Vulnerability Database. Available at: https://nvd.nist.gov/ (accessed 7.09.2018).

Most Common Attacks Affecting Today’s Websites. Available at: https://blog.sucuri.net/2014/11/most-common-attacks-affecting-todays-websites.html (accessed 7.09.2018).

DOI: https://doi.org/10.32620/reks.2018.3.08