A security vulnerability exists in unsupported systems, and using applications supported by their maintainer help to reduce attacks based on such vulnerabilities. However, website administrators may ignore this exercise due to various reasons. This research measures the top 1,500 websites in Indonesia on how much of them are using supported applications to prevent such attacks, based on the application version number. The measurement is performed automatically using the Wappalyzer tool. From such measurement, we found that most of the applications detected do not contain version information (70%) or invalid version number (11%). We also found that more than half of the websites measured contain at least one unsupported application. In terms of the applications used, we found that many Nginx users worryingly do not keep their server version updated, while Apache and WordPress did a good job in keeping their users using the most recent version. This study highlights the need for website administrators to have their applications up to date to the supported versions, as well as for application developers to promote application updates to their users.

Measurement; Security; Websites

L. Bilge and T. Dumitras, “Before we knew it: An empirical study of zero-day attacks in the real world,†Proc. ACM Conf. Comput. Commun. Secur., no. October 2012, pp. 833–844, 2012. https://doi.org/10.1145/2382196.2382284

B. L. Bullough, A. K. Yanchenko, C. L. Smith, and J. R. Zipkin, “Predicting exploitation of disclosed software vulnerabilities using open-source data,†IWSPA 2017 - Proc. 3rd ACM Int. Work. Secur. Priv. Anal. co-located with CODASPY 2017, pp. 45–53, 2017. https://doi.org/10.1145/3041008.3041009

L. Zhang et al., “Analysis of SSL certificate reissues and revocations in the wake of heartbleed,†Commun. ACM, vol. 61, no. 3, pp. 109–116, 2018. https://doi.org/10.1145/3176244

A. Sarabi, Z. Zhu, C. Xiao, M. Liu, and T. Dumitraş, “Patch me if you can: A study on the effects of individual user behavior on the end-host vulnerability state,†Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics), vol. 10176 LNCS, no. 1, pp. 113–125, 2017. https://doi.org/10.1007/978-3-319-54328-4_9

K. Vaniea, E. Rader, and R. Wash, “Betrayed by updates: How negative experiences affect future security,†Conf. Hum. Factors Comput. Syst. - Proc., pp. 2671–2674, 2014. https://doi.org/10.1145/2556288.2557275

D. K. Mulligan and F. B. Schneider, “Doctrine for cybersecurity,†Daedalus, vol. 140, no. 4, pp. 70–92, 2011. https://doi.org/10.1162/DAED_a_00116

S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage, “When private keys are public,†p. 15, 2009. https://doi.org/10.1145/1644893.1644896

B. E. Sudarno; Purnama, “Analisis Penggunaan Tools Web Perguruan Tinggi,†Semin. Ris. Unggulan Nas. Inform. dan Komput., 2012.

C. Duarte, I. Matos, J. Vicente, A. Salvado, C. M. Duarte, and L. Carriço, “Development technologies impact in Web accessibility,†W4A 2016 - 13th Web All Conf., pp. 2–5, 2016. https://doi.org/10.1145/2899475.2899498

E. D. Alvarez, B. D. Correa, and I. F. Arango, “An analysis of XSS, CSRF and SQL injection in colombian software and web site development,†2016 8th Euro Am. Conf. Telemat. Inf. Syst. EATIS 2016, 2016. https://doi.org/10.1109/EATIS.2016.7520140

H. He, L. Chen, and W. Guo, “Research on Web Application Vulnerability Scanning System based on Fingerprint Feature,†vol. 61, no. Mecae, pp. 150–155, 2017. https://doi.org/10.2991/mecae-17.2017.27

N. A. Rakhmawati, S. Harits, D. Hermansyah, and M. A. Furqon, “A Survey of Web Technologies Used in Indonesia Local Governments,†Sisfo, vol. 07, no. 03, 2018. https://doi.org/10.24089/j.sisfo.2018.05.003

N. Demir, T. Urban, K. Wittek, and N. Pohlmann, “Our (in)Secure Web: Understanding Update Behavior of Websites and Its Impact on Security,†2021. https://doi.org/10.1007/978-3-030-72582-2_5

Alexa Internet Inc, “Alexa - Top sites.†https://www.alexa.com/topsites (accessed Mar. 06, 2020).

Amazon Web Services, “AWS Marketplace: Alexa Top Sites.†https://aws.amazon.com/marketplace/pp/Amazon-Web-Services-Alexa-Top-Sites/B07QK2XWNV (accessed Mar. 06, 2020).

E. Alias, “Download & Install - Wappalyzer.†https://www.wappalyzer.com/download/ (accessed Apr. 06, 2020).

M. T. Paracha, B. Chandrasekaran, D. Choffnes, and D. Levin, “A Deeper Look at Web Content Availability and Consistency over HTTP / S,†2020.

The PHP Group, “PHP: Supported Versions.†https://www.php.net/supported-versions.php (accessed Jul. 27, 2020).

ZURB Inc, “Foundation for Sites 6 Docs.†https://get.foundation/sites/docs/ (accessed Jul. 27, 2020).

Microsoft, “Search Product and Services Lifecycle Information - Microsoft Lifecycle | Microsoft Docs.†https://docs.microsoft.com/en-us/lifecycle/products/ (accessed Jul. 27, 2020).

Yahoo Engineering, “Important Announcement Regarding YUI | Yahoo Engineering.†https://yahooeng.tumblr.com/post/96098168666/important-announcement-regarding-yui (accessed Jul. 27, 2020).

OpenSSL Software Foundation, “Release Strategy.†https://www.openssl.org/policies/releasestrat.html (accessed Jul. 27, 2020).

Software in The Public Interest, “Debian -- Debian Releases.†https://www.debian.org/releases/ (accessed Jul. 27, 2020).

R. Fielding and J. Reschke, “Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content,†Internet Engineering Task Force, 2014. https://tools.ietf.org/html/rfc7231 (accessed Feb. 26, 2021). https://doi.org/10.17487/rfc7231

S. Özkan, “CVE security vulnerability database. Security vulnerabilities, exploits, references and more.†https://www.cvedetails.com/ (accessed Jul. 24, 2020).

Lexico.com, “Legacy | Definition of Legacy by Oxford Dictionary on Lexico.com also meaning of Legacy.†https://www.lexico.com/definition/legacy (accessed Mar. 06, 2020).

Automattic, “Releases | WordPress.org.†https://wordpress.org/download/releases/ (accessed Jul. 29, 2020).

P.-H. Kamp, “Releases & Downloads — Varnish HTTP Cache.†http://varnish-cache.org/releases/ (accessed Jul. 27, 2020).