
14th IEEE International Conference on Computational Intelligence and Communication Networks

Web Application Security Threats and Mitigation Strategies when Using Cloud Computing as Backend

2022 14th International Conference on Computational Intelligence and Communication Networks (CICN) | 978-1-6654-8771-9/22/$31.00 ©2022 IEEE | DOI: 10.1109/CICN56167.2022.10008368

Asma Yamani, Information and Computer Science, KFUPM, Dhahran, Saudi Arabia, g201906630@kfupm.edu.sa
Khawlah Bajbaa, Information and Computer Science, KFUPM, Dhahran, Saudi Arabia, g202115030@kfupm.edu.sa
Reem Aljunaid, Information and Computer Science, KFUPM, Dhahran, Saudi Arabia, g202102170@kfupm.edu.sa

Abstract—Cloud computing plays an important role in businesses' digital transformation, as cloud platforms offer easy-to-use services that save time and effort. Despite the rich features that cloud computing platforms provide, these platforms have become a desirable target for attackers. This study surveys the literature for security threats related to web applications that have been developed using cloud computing services and then provides a set of recommendations to mitigate these threats. We first surveyed the literature for documented cases of threats faced while relying on cloud computing, then sent an online survey to Computer Science students and web developers. The survey asked whether they are aware of these web threats and whether they have already applied any prevention measures against them. We then compiled a set of recommendations that can help them mitigate these threats. Finally, a tool was designed for generating security policies that address the Broken Access Control threat for Firebase. Eighty-five responses were considered for this study. The participants' average awareness across all threats is 61%, despite 92% of participants having taken at least one security course. The main causes for neglecting to implement mitigation techniques were a lack of training and developers relying on the web services to provide security measures, followed by the process being time-consuming. The designed tool for mitigating Broken Access Control showed promising results in easing the implementation of mitigation techniques. We conclude that, due to the lack of awareness and negligence in implementing mitigation techniques, many present web apps may be compromised. Developing security tools for novice users, whenever possible, addresses the main causes of this neglect and should be investigated further.

Index Terms—Cloud Computing, Web Security Threats, OWASP, Firebase, Google Cloud, AWS, Microsoft Azure.

I. INTRODUCTION

Since the early 2000s, cloud computing has played a crucial role in businesses' digital transformation. This trend has increased further with the popularity of remote work during the COVID-19 crisis [1]. According to Cisco statistics in 2021, 94% of all enterprises around the world rely on cloud computing services for their businesses [2], as they provide easy-to-use and well-prepared services that save time and energy. Despite the security measures and features that cloud services have in place, these platforms are subject to cyber-attacks that target both individual and corporate data. Multiple incidents have been reported recently, such as in 2018, when millions of users' app data were leaked due to Firebase database misconfigurations [3]. In a close-in-time incident, dating app data containing sensitive information was leaked [4]. Unfortunately, college undergraduates have little awareness of the threats they may face while using these services [5].

Therefore, in this study we investigate web application security threats when using cloud computing as a backend by: (1) surveying the literature for the security threats that face the availability, confidentiality, and integrity of web applications built upon cloud computing platforms, organized by the top 10 web application security threats; (2) extending the study of [5] by surveying graduate students and developers at companies of different sizes and with different levels of experience, specifically for the case of using cloud computing; (3) providing a set of guidelines for novice web developers that help them mitigate these threats; and (4) developing a tool that implements one of the prevention measures for one of the identified threats. The contributions of this work are as follows: (1) conducting and analyzing a survey of 85 included participants concerning OWASP threat awareness; (2) compiling a set of 72 recommendations to mitigate the OWASP Top 10 threats; and (3) designing and evaluating a tool that implements a mitigation technique for the top security threat of 2021. The rest of this paper is organized as follows: in Section II, we introduce some background on the topics; in Section III, we present related work; in Section IV, we describe the methodology of this work; in Section VI, we present the compiled recommendations related to the threats; in Section VII, we present the prototype of a proposed tool to mitigate the top threat and evaluate it; finally, in Section VIII, we conclude and set some future directions.

II. BACKGROUND

A. OWASP

The Open Web Application Security Project (OWASP) Foundation is a non-profit organization that seeks to enhance



DOI: 10.1109/cicn.2022.139

Authorized licensed use limited to: SRM Institute of Science and Technology. Downloaded on August 31,2023 at 07:53:13 UTC from IEEE Xplore. Restrictions apply.
software security [6]. OWASP offers open-source projects and security tools that help developers improve the security of their software [6]. In addition, it provides training and educational conferences about new trends in the industry. Moreover, more than 250 local chapters build a community for security professionals worldwide [6]. OWASP is considered the reference source for developers securing their web applications.

B. OWASP Top Ten Web Threats

1) Broken Access Control: failure of access control that allows users to act outside of their intended privileges. Consequently, this leads to unauthorized data modification and disclosure [6].
2) Cryptographic Failures: an insufficient level of cryptography, because sensitive data is stored or transmitted in clear text, weak or outdated cryptographic algorithms are used, or default or hard-coded encryption keys are used [6].
3) Injection: untrusted user input reaches an interpreter as part of a command or query, so that an attacker can read, modify, or delete data (for example, every record in the database). This kind of attack can take place when dynamic queries are built from unvalidated user data [6].
4) Insecure Design: risks related to architecture and design flaws introduced during the software development cycle, including generating error messages that contain sensitive data [6].
5) Security Misconfiguration: improper configuration of security controls in the system, including keeping default settings and leaving unnecessary features enabled, such as unused accounts, unnecessary ports, and unnecessary privileges [6].
6) Vulnerable and Outdated Components: risks related to the use of components with known vulnerabilities or components that are outdated and unsupported. That includes the operating system, libraries, and packages [6].
7) Identification and Authentication Failures: risks related to improper implementation of user authentication and session management. That includes permitting weak passwords, using weak password hashing, and using ineffective forgot-password processes [6], [7].
8) Software and Data Integrity Failures: failures of code and infrastructure that do not protect software and data from integrity violations. That can happen when an application relies on libraries and plugins from untrusted repositories, sources, and content delivery networks (CDNs) [6].
9) Security Logging and Monitoring Failures: an insufficient level of logging and monitoring of active security incidents, making suspicious activity difficult to detect due to an inadequate log format and a lack of log backups [6], [7].
10) Server-Side Request Forgery (SSRF): the result of an attacker misusing the server's functionality to access or modify internal resources by altering or supplying a URL that the server fetches without validation. The attacker can make the server code submit data to, or read data from, internal services and could gain access to private server settings [8].

C. Cloud Computing Platforms

Nowadays, several cloud computing platforms allow businesses to use computing resources with many advantages. The most widely used cloud computing platforms are listed below:

1) Amazon Web Services (AWS): AWS is one of the most popular cloud platforms. It provides cloud-based products including storage, IoT, networking, analytics, developer tools, and databases. AWS offers over 200 services with pay-as-you-go pricing, such as the AWS Management Console, DynamoDB, Simple Storage Service (S3), Simple Email Service (SES), front-end web and mobile services, blockchain, and machine learning services [9].
2) Google Cloud Platform (GCP): Google Cloud is a comprehensive and widely used platform with two main offerings, Google Cloud Platform (GCP) and G Suite, besides back-end services. GCP offers Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) that allow businesses to run their applications on Google's cloud, covering cloud management, computation, networking, storage, machine learning, and big data. G Suite provides Software as a Service (SaaS) products consisting of security, communication, collaboration, and productivity tools [10]. Back end as a Service (BaaS) offerings such as the Firebase Realtime Database provide storage and syncing of JSON data. In addition, clients can access the data in real time and keep working offline: changes made in the application while disconnected are synchronized once the connection is restored [11].
3) Microsoft Azure: Microsoft Azure is one of the popular cloud platforms, offering over 200 services and other functionalities that allow organizations to expand and grow their businesses. Azure services are classified as follows: (1) Infrastructure as a Service (IaaS), such as networking, firewalls, servers, physical data center buildings, and storage; (2) Platform as a Service (PaaS), which removes the complexity of managing application licenses and middleware such as operating systems, development tools, database management, and business analytics; and (3) Software as a Service (SaaS), which offers cloud applications that users can access from a web browser, for example Office 365 [12].

III. RELATED WORK

Web application security when using cloud computing is a shared responsibility between the cloud service consumer (CSC) and the cloud service provider (CSP) [13]. Neglect by either party may result in a violation of the three important

properties of data security: confidentiality, integrity, and availability, which are called the CIA triad [14]. In this review, we explore the top security threats ranked by the OWASP Top 10 project as they apply to web applications using cloud computing services as a backend [6].

When it comes to the top threat, access control and management, it is the CSP's responsibility to provide a strong authentication mechanism that authenticates not only users but also the machines used for backend jobs such as backups and remote systems monitoring [15]. On the cloud service consumer side, the consumer should adopt these authentication services and avoid implementing authentication mechanisms by themselves. As attackers usually target accounts with high access privileges, enforcing fine-grained access control rules is important to limit the threats to the CIA triad [6]. A recent study examined around 50,000 Android applications, drawn from the top 10 applications of different categories across multiple years, that use Firebase, and found that 4-8% of the apps, depending on the year, used public databases, the majority of which did not restrict write operations, including creating, deleting, and updating records [16]. Although cloud adoption lowers infrastructure costs and improves operational efficiency, these benefits come with inherent risks. A growing amount of confidential and sensitive information of both clients and corporations is being stored in the cloud. UpGuard, a cybersecurity company, discovered in 2017 that Accenture had left at least four AWS S3 storage buckets unsecured, exposing large amounts of data, including authentication information, API data, digital certificates, decryption keys, and metadata [17].

SQL injection is extremely common among web applications in general. For web applications relying on cloud computing services the risk is different in many cases, as most of the popular cloud databases use NoSQL formats. Although these are immune to SQL injection, since they do not use the SQL language, they are exposed to NoSQL injection, which, like SQL injection, relies on untrusted input being interpreted by the server as part of a query. A study focused on NoSQL attacks illustrated several attacks that can be carried out on MongoDB, a popular NoSQL database offered as a cloud service [18]. These attacks include PHP tautology injection, union queries, JavaScript injection, piggy-backed queries, and origin violation through the HTTP REST API [18]. The study by Andrea Continella et al. [19] investigated misconfigurations of Amazon Simple Storage Service (S3) buckets, one of the most popular cloud storage services. They focused on how attackers could take advantage of an unsecured S3 bucket to inject malicious content into websites that rely on the S3 service. Of the subset of buckets they analyzed in June 2018, 8.46 percent were readable, 11.01 percent were public, and 2.29 percent were writable. Among the buckets they found, there was a readable bucket that might have been leaking sensitive data such as private keys. In addition, they identified that among 5,196 sites, 39 were vulnerable to malware and 175 were vulnerable to defacement.

Based on the report published by UpGuard security researchers in January 2021, publicly readable S3 buckets have led to sensitive data breaches in many companies. For example, configuration details of GoDaddy, the largest domain name registrar, were exposed in a publicly readable S3 bucket, including operating system, AWS region, hostname, CPU specifications, and memory. Also, 73 GB of data belonging to Pocket iNet, an internet service provider, was exposed in leaky S3 buckets, including employees' AWS secret keys, configuration details, plain-text passwords, and images of cabling and routers [20]. The use of vulnerable and outdated components such as libraries and frameworks facilitates data exposure and server takeover. In September 2017, the Federal Trade Commission reported the Equifax data breach, in which attackers stole the personal information of more than 147 million people, at a cost of up to 425 million dollars in compensation. The attackers' entry point into the Equifax network was a vulnerability in the version of the Apache Struts framework in use (CVE-2017-5638) [21]. In 2010, Amazon Wireless suffered a cross-site scripting attack that allowed attackers to steal the session IDs that grant users access to their accounts after entering their passwords, which in turn exposed users' credentials to the attackers. Amazon eventually fixed the bug, but only after 12 hours, so many users unknowingly fell for the attack during that time [22]. In 2016, Uber announced that its Amazon Web Services (AWS) account had been compromised, exposing the personal information of 57 million users [23]. Also, one of Microsoft's cloud databases was left exposed in 2019, compromising 250 million entries, such as email addresses, IP addresses, and support case information [24]. Additionally, cloud computing services reduce users' visibility and control over their processes and activities, as some of the policies and infrastructure are managed by the cloud service provider. Log4j 2 is an open-source Apache framework and a commonly used component for logging requests. In 2021, a Log4j vulnerability (Log4Shell) was reported that affected Google Cloud products and could allow an attacker to execute arbitrary code on servers running version 2.15 or below. Google Cloud provided several recommendations for investigating and remediating this vulnerability [7]. In 2019, Paige Thompson exploited an SSRF vulnerability at Capital One, which had an internet-facing web application deployed on AWS EC2 instances. A misconfigured web application firewall allowed her to relay requests to non-public AWS endpoints, in particular the EC2 instance metadata service, from which she obtained temporary credentials of an IAM role that were then used to read data from S3 [25].

IV. METHODOLOGY

First, the literature was surveyed for the security threats that face the availability, confidentiality, and integrity of web applications built upon cloud computing platforms, organized by
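To make the NoSQL injection mechanism concrete, the following operator-injection demonstration is an added example for this page; it is not code from the paper or from the MongoDB study [18]. The user records, the in-memory query matcher, and the two login functions are constructed for illustration, so no database is needed. A login handler that passes the JSON body straight into the query filter lets a client replace a string with an operator object such as {"$ne": null}, which turns the filter into a tautology; the hardened version enforces the expected type before building the query.

```python
"""MongoDB-style operator injection in a login filter, with a hardened
version alongside. Added example for this page; it is not code from the
paper or from the MongoDB study it cites [18]. No database is required:
a minimal in-memory matcher below evaluates the query filter the way the
server would, and the user records are constructed sample data."""
import json
import re

# Constructed sample collection. Plain-text passwords are used only to keep
# the example short; a real application stores salted hashes (see A02/A07).
USERS = [
    {"username": "alice", "password": "s3cret"},
    {"username": "bob", "password": "hunter2"},
]


def _apply_op(op, stored, arg):
    """Evaluate one query operator the way a MongoDB server would."""
    if op == "$ne":
        return stored != arg
    if op == "$gt":
        return stored is not None and stored > arg
    if op == "$regex":
        return isinstance(stored, str) and re.search(arg, stored) is not None
    raise ValueError(f"unsupported operator {op!r}")


def _match_field(stored, expected):
    # A dict in the value position is interpreted as an operator object,
    # e.g. {"$ne": None}; a plain value is compared for equality.
    if isinstance(expected, dict):
        return all(_apply_op(op, stored, arg) for op, arg in expected.items())
    return stored == expected


def find(collection, query):
    """Return the documents matching every field of the query filter."""
    return [doc for doc in collection
            if all(_match_field(doc.get(k), v) for k, v in query.items())]


def vulnerable_login(body):
    """Builds the filter straight from the JSON request body. A body such as
    {"username": {"$ne": null}, "password": {"$ne": null}} becomes a
    tautology and matches every user: authentication bypass."""
    data = json.loads(body)
    query = {"username": data["username"], "password": data["password"]}
    return find(USERS, query)


def hardened_login(body):
    """Same logic, but both credentials must be plain strings, so operator
    objects (and arrays or nested documents) never reach the query."""
    data = json.loads(body)
    username, password = data.get("username"), data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return find(USERS, {"username": username, "password": password})
```

The PHP tautology variant cited above works the same way: a query string such as username[$ne]=1 is parsed into an array, which the driver serializes as an operator object. Type-checking every field that reaches a query (or validating the body against a schema) removes the whole class; a real deployment additionally compares a password hash rather than the stored secret.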

the top 10 web application security threats. We then ran a survey to measure the level of awareness of web developers and CS students about the different security threats that may face web applications built on cloud computing service platforms. Based on the survey results, we found that most developers are not aware of these threats, and to help them mitigate these threats we provided a set of recommendations and mitigation techniques. Moreover, we designed a tool that implements one of the prevention measures for one of the identified threats about which web developers had a low level of awareness. Following that, we evaluated the designed tool with 7 users and, based on their feedback, enhanced the functionality and interface of the tool.

V. AWARENESS SURVEY

We received 97 responses, of which 12 were considered invalid for containing contradictory answers. Therefore, 85 responses were considered in this survey. 48% of the participants had developed 1-3 web apps, 11.7% had developed more than 3 apps, and the rest had not developed any. Regarding occupation, 40 of the participants were CS undergraduate or graduate students, 35 were working in the IT sector, and 10 were fresh graduates yet to be employed. Regarding the awareness level of participants by threat, illustrated in Figure 1, we notice that the top 2 security threats ranked by OWASP were among the three threats with the lowest awareness, which is alarming. There were also 10 participants who thought that, for some threats, using cloud computing servers makes an application immune. The participants' average awareness across threats is 61%, which is very low given that 92% have taken at least 1 security course. However, it was noticed that the number of developed apps was a stronger factor than the number of courses taken or the current occupation: as illustrated in Figure 2, participants with more than 3 apps had an average awareness of 83%, while participants with 1-3 apps had 61% awareness. Last came the participants who had not developed any web apps, with only 53% awareness, despite 35% of them working in midsize to large companies and 91% of them having taken one or more courses in security.

Fig. 1. Percentage of awareness per threat

Fig. 2. Percentage of awareness per threat by number of developed apps

Of the 41 participants who had developed 1-3 apps, 7 said they implemented mitigation techniques for 2 or more of the threats and 9 said they had faced 2 or more of the aforementioned threats, corresponding to 17% and 22%, respectively. Of the 10 participants who had developed more than 3 apps, 4 said they implemented mitigation techniques for 2 or more of the threats and 3 said they had faced 2 or more of the aforementioned threats, corresponding to 40% and 30%, respectively. This result is expected, as with more experience developers become more likely to implement mitigation strategies or, unfortunately, to face such threats. The main cause across all groups was a lack of training, with 60 out of 85 votes. Next was that developers rely on the web services to provide security measures, with 51 votes, then the process being time-consuming, with 38 votes. "It is costly" and "they believe it is not necessary" shared the next place, and lastly, with only 15 votes, participants thought that these threats are not commonly known concepts. The breakdown of the causes by occupation is in Figure 3, and by the number of developed apps in Figure 4.

VI. PROPOSED RECOMMENDATIONS

Cloud computing is seen as a flexible, cost-effective, and proven platform for delivering different services to both individuals and businesses. However, because cloud computing is often outsourced, it poses a higher level of risk that makes it harder for people and organizations to ensure data confidentiality, integrity, and availability. Generally, cloud computing does not differ much from any other IT environment in terms of security controls. Nevertheless, cloud computing may pose different risks to an organization than traditional IT solutions, due to the types of cloud services used, the operational models, and the technologies used to enable the cloud services. In this light, in Table I we present guidelines that help both individuals and organizations secure their web applications on cloud computing; all the identified recommendations and guidelines are countermeasures

Fig. 3. Causes of not implementing mitigation techniques by occupation

Fig. 4. Causes of not implementing mitigation techniques by number of web apps developed

to the recent web application security threats identified by the OWASP organization in 2021.

VII. FIREBASE SECURITY RULES GENERATION TOOL

Broken access control is the top security threat on the OWASP Top 10 list. Unfortunately, only 2 of the 10 participants who had developed more than three apps implemented proper mitigation strategies for this issue. 15 of the 45 participants who had developed one to three apps were not aware of the issue. Four thought that cloud computing services are immune to this issue. Five of the 45 participants had faced this issue, and only 3 of the 45 had implemented proper mitigation strategies for it. Enforcing security policy rules that apply the least-privilege principle is key to mitigating broken access control. As 70% of the overall survey participants stated that a lack of proper training is a reason for not implementing mitigation techniques and 44% of them mentioned that mitigations are time-consuming, with this tool we aim to provide a way to implement the first mitigation strategy for broken access control that requires little training and is not time-consuming.

A. Firebase Security Rules

Firebase security rules provide a flexible way to secure user resources such as Cloud Firestore and Cloud Storage. They use a dedicated language built to express complex rules at the level of granularity that a specific app requires [11]. There are two main access levels: (1) read: any type of read request, with two sub-levels, get (read requests for single documents or files) and list (read requests for queries and collections); and (2) write: any type of write request, with three sub-levels, create (write new documents or files), update (write to existing documents or update file metadata), and delete (delete data). Access levels can be conditioned on two variables: (1) request, which holds the authentication status and ID of the requester (request.auth), the incoming data of a write (request.resource), and the path of the resource being requested; and (2) resource, which holds the stored data of the document being requested and can be used to condition the access level on an attribute value. Any request that no matching rule explicitly allows is denied.

B. Tool Requirements

1) The system should be able to link the user's Firebase account.
2) The system should allow the user to add or remove collections.
3) The system should pull the attributes of the collection automatically.
4) The system should allow the user to add attributes manually.
5) The system should offer read (get, list) and write (create, update, delete) access level options.
6) The system should offer all users, authenticated users, and users with a given ID as user type options.
7) The system should be able to allow access levels for a certain user on a certain collection.
8) The system should be able to revoke access levels for a certain user on a certain collection.
9) The system should be able to allow updates of a certain attribute for a certain user on a certain collection.
10) The system should aggregate the access policy at the collection level and generate the policy.
11) The generated policy shall not allow write access to all documents for all users.
12) The system shall produce a warning if write access was allowed on a certain collection for all users or for all authenticated users.
13) The system should allow exporting a generated policy.
14) The system should allow loading a policy.
15) The system should allow adding custom policy rules.
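The following generator is an added example that mirrors requirements 5 to 12 above (per-collection grants for three kinds of principal, attribute-scoped updates, refusal of write-for-everyone, a warning for write-for-all-authenticated, and aggregation into one rules file); it is not the paper's tool. The principal names all, auth and owner, the ownership attribute createdBy, and the sample trips collection are assumptions made for the example; the emitted syntax (rules_version, match blocks, request.auth, resource.data, request.resource.data, MapDiff.affectedKeys) is the Cloud Firestore rules language.

```python
"""Generator for Cloud Firestore security rules from a per-collection
access policy. Added example that mirrors the requirements listed for the
paper's tool (aggregate per collection, refuse write-for-everyone, warn on
write for all authenticated users, attribute-scoped updates); it is not the
paper's tool itself. The principal names 'all', 'auth' and 'owner', the
ownership attribute 'createdBy' and the sample 'trips' collection are
assumptions made for the example."""

# Rule conditions for the three kinds of principal the tool supports.
PRINCIPALS = {
    "all": "true",
    "auth": "request.auth != null",
    # Existing document: compare the caller against the stored data.
    "owner": "request.auth != null && request.auth.uid == resource.data.createdBy",
}
# On create the document does not exist yet, so ownership is checked on the
# incoming data (request.resource) instead of the stored resource.
OWNER_ON_CREATE = ("request.auth != null"
                   " && request.auth.uid == request.resource.data.createdBy")

LEVELS = ("get", "list", "create", "update", "delete")
WRITE_LEVELS = ("create", "update", "delete")


class PolicyError(ValueError):
    """Raised for a policy the generator refuses to emit (requirement 11)."""


class CollectionPolicy:
    def __init__(self, name):
        self.name = name
        self.grants = {}          # level -> principal
        self.update_attrs = None  # attributes an update may touch, or None

    def allow(self, level, principal, attrs=None):
        if level not in LEVELS or principal not in PRINCIPALS:
            raise PolicyError(f"unknown level/principal {level}/{principal}")
        self.grants[level] = principal
        if level == "update" and attrs:
            self.update_attrs = list(attrs)
        return self

    def revoke(self, level):
        self.grants.pop(level, None)
        if level == "update":
            self.update_attrs = None
        return self


def render_collection(policy):
    """Return (rule lines, warnings) for one collection."""
    warnings = []
    for level in WRITE_LEVELS:
        principal = policy.grants.get(level)
        if principal == "all":
            raise PolicyError(f"{policy.name}: {level} for all users is never emitted")
        if principal == "auth":
            warnings.append(f"{policy.name}: {level} is allowed for every signed-in user")
    lines = [f"    match /{policy.name}/{{docId}} {{"]
    for level in LEVELS:
        principal = policy.grants.get(level)
        if principal is None:
            continue  # no rule for a level means it is denied by default
        if (level, principal) == ("create", "owner"):
            cond = OWNER_ON_CREATE
        else:
            cond = PRINCIPALS[principal]
        if level == "update" and policy.update_attrs:
            keys = ", ".join(f"'{a}'" for a in policy.update_attrs)
            # affectedKeys() lists the fields the write would change; hasOnly
            # rejects any update touching other fields, including createdBy.
            cond += (" && request.resource.data.diff(resource.data)"
                     f".affectedKeys().hasOnly([{keys}])")
        lines.append(f"      allow {level}: if {cond};")
    lines.append("    }")
    return lines, warnings


def generate_rules(policies):
    """Aggregate all collection policies into one rules file (requirement 10)."""
    body, warnings = [], []
    for policy in policies:
        lines, found = render_collection(policy)
        body.extend(lines)
        warnings.extend(found)
    text = "\n".join(["rules_version = '2';",
                      "service cloud.firestore {",
                      "  match /databases/{database}/documents {",
                      *body,
                      "  }",
                      "}"]) + "\n"
    return text, warnings


if __name__ == "__main__":
    trips = (CollectionPolicy("trips")
             .allow("get", "all").allow("list", "all")
             .allow("create", "owner")
             .allow("update", "owner", attrs=["title", "notes"])
             .allow("delete", "owner"))
    rules, warns = generate_rules([trips])
    print(rules)
```

The trips policy in the usage block is the travel-diary case: everyone may read, but only the signed-in user whose uid matches createdBy may create, change, or delete an entry, and an update may touch only title and notes, so the owner field itself cannot be rewritten. Collections without a match block stay closed, which is the least-privilege default the section asks for.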

TABLE I
RECOMMENDATIONS IN WEB APPLICATION DEVELOPMENT ON CLOUD COMPUTING.

A01:2021 Broken Access Control
- Apply least-privilege policies, where each user type is assigned the minimum access rights needed for its tasks, to avoid unauthorized data modification or deletion.
- Limit login attempts to your web application to avoid brute-force attacks.
- Enforce a maximum web session duration for each logged-in user.
- Enforce multi-factor authentication in password resets whenever possible [26].
- Utilize cloud-based access controls whenever possible (e.g., a CSP that handles virtual machine authentication) [26].
- Audit access logs for security issues with automated tools [26].
- Avoid storing API keys in version control systems, where they might be unintentionally leaked [26].

A02:2021 Cryptographic Failures
- Set up automated data classification to categorize data based on sensitivity and criticality, which helps to specify access and protection controls [13].
- Set up encryption of data at rest to reduce the risk of unauthorized access to your data [13].
- Set up encryption of data in transit to ensure data integrity and confidentiality during transmission [13].
- Enable data tokenization to replace actual sensitive data values with non-sensitive tokens [13].
- Disable caching of sensitive data to avoid data exposure.

A03:2021 Injection
- Set up AWS Web Application Firewall policies, if you are using AWS, and create SQL injection match conditions to specify which part of the web request you want AWS WAF to inspect.
- Configure Google Cloud Armor policies, if your web application is hosted in GCP, to filter incoming traffic and protect your web application from common injection attacks [7].
- Validate all user input on the server side before it reaches a query or command.

A04:2021 Insecure Design
- Apply unit testing to validate that each component works correctly independently of the others.
- Apply integration testing to validate that the components of your web application interact with each other properly.
- Use Google's Apigee product, if your web application is hosted in GCP, which provides many configurations to protect and limit access to resources [7].

A05:2021 Security Misconfiguration
- Change default passwords and usernames.
- Use Google's Apigee product, if your web application is hosted in GCP, to manage and monitor security configurations [7].
- Enable real-time notifications to alert you if any resources are improperly secured [7].
- Disable unused services and packages, and delete unused accounts, as they increase the misconfiguration attack surface of your web application.
- Detect misconfigurations in cloud service policies using cloud or third-party tools [26].
- Audit access logs for security issues with automated tools [26].
- Utilize cloud service policies to ensure resources default to private [26].

A06:2021 Vulnerable and Outdated Components
- Eliminate unnecessary dependencies, components, files, and documentation [27].
- Utilize tools like retire.js, OWASP Dependency-Check, versions, etc. to track the versions of both client-side and server-side components.
- Monitor for vulnerabilities in components using sources like the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE).
- Monitor for outdated libraries included in your web application using Web Security Scanner [7].
- Check for unmaintained libraries and components that do not produce security patches for older versions. In case patching is not possible, consider deploying a virtual patch to monitor, detect, or prevent the problem using Google Cloud Armor [7].
- Select cloud offerings whose critical components have been assessed according to National Information Assurance standards [26].
- Use Cloud Load Balancing SSL policies, if possible, to restrict the TLS versions and cipher suites that clients may negotiate and exclude known-vulnerable ones from all components of the system [7].

A07:2021 Identification and Authentication Failures
- Enable multi-factor authentication for your web app where possible to add an extra layer of security [26].
- Make sure no default credentials are shipped or deployed, especially for admin users.
- Follow the NIST SP 800-63B guidelines on passwords: enforce a minimum length, check new passwords against lists of known-breached passwords, and do not impose composition rules or forced periodic rotation.
- Use the same messages for all account outcomes to protect against account enumeration attacks.
- Ensure that failed login attempts are limited or increasingly delayed using smart lockout [28].
- Use tools that filter out automated form submissions, like reCAPTCHA Enterprise in Google Cloud [7].
- Generate a new random session identifier with high entropy after login using a built-in, secure, server-side session manager. Also make sure the session ID is stored securely and never appears in the URL [7].

A08:2021 Software and Data Integrity Failures
- Make sure the software or data has not been modified and comes from the expected source [7].
- Make sure the software pipeline has a review process for code and configuration changes, to prevent malicious code and configuration from being introduced, by enabling change tracking in your cloud [29].
- Make sure the CI/CD pipeline has correct separation, configuration, and access control to guarantee the integrity of the code flowing through the build and deployment processes, for example by using an API management tool [30].
- Serialized data should not be sent to untrusted clients without a means to detect tampering or replay, such as an integrity check or digital signature [7].

A09:2021 Security Logging and Monitoring Failures
- Be sure that all login, access control, and server-side input validation failures are logged with sufficient context to identify suspicious accounts, and retained long enough to allow delayed forensic analysis, using, for example, Cloud Identity logs in Google Cloud [7].
- Make sure log data is correctly encoded to prevent injection or attacks on the monitoring and logging systems, and encrypt stored logs at rest, as AWS does for log group data in CloudWatch Logs [13].
- Integrity controls must be in place on high-value transactions [28].
- Consider adopting NIST SP 800-61r2 [28] or later as an incident response and recovery plan.

A10:2021 Server-Side Request Forgery
- Reduce the impact of SSRF by segmenting servers from other resources, for example using VPC Service Controls in Google Cloud [7].
- Filter and block SSRF attempts with web application firewall rule sets, such as the local file inclusion (LFI) and remote file inclusion (RFI) rule sets [7].
- Block all but essential intranet traffic using "deny by default" firewall policies or network access control rules [7].
- Ensure that all input data supplied by the client is sanitized and validated before the request is sent.
- Do not follow HTTP redirects.
- Maintain consistent URLs so that you can avoid "time of check, time of use" (TOCTOU) race conditions and DNS rebinding.

C. Illustrative example

Sama is developing a simple web application for people who like to document their travel. She is using Firebase for her database. She heard about the web application Broken Access Control threat, where unauthorized users may be able to delete all entries of the database. She wants to make sure that, although all users can view the web application, not all users can modify it. She read that writing a security policy helps in mitigating this threat, but with different levels of access, she feels this might be confusing and time-consuming. Therefore, she was looking for a tool that, with minimum writing effort on her side, can yield the best protection. Hence, she uses the Firebase access control policy tool to generate the security policy based on the database description and constraints listed below. The database of her app consists of 3 collections (tables):

1) User: Contains all the information related to a single user, except for the password. Once signed up and authenticated, a new document is created. It uses the user's authentication unique identifier as the document Id. As it does not store the password, all users are able to perform read operations. However, only the user can update the fields. No one can delete any document.
2) TouristJournal: Contains the basic information about a collection of journal entries. A user may have multiple journals based on the city he/she is visiting. All journals have a createdBy attribute that contains the user's authentication unique identifier. Authenticated users may follow a certain journey to get notified about new entries. The creator of the journal has all write permissions to his/her journal.
3) JournalEntry: Contains the title and the body of the entries. All entries have a createdBy attribute that contains the user's authentication unique identifier. Authenticated users may like an entry to show their excitement and support. The creator of the entry has all write permissions to his/her entry.
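The following Firestore security rules enforce the constraints of the three collections above; they are an added, hand-written example, not the output of the paper's tool. They assume that "follow" and "like" are stored as list fields named followers and likes on the journal and entry documents, and that every collection is readable by all visitors, as the scenario states.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function signedIn() { return request.auth != null; }
    // The caller must stamp createdBy with its own uid on create, so nobody can claim authorship of others.
    function createsAsSelf() {
      return signedIn() && request.resource.data.createdBy == request.auth.uid;
    }
    // Ownership check for an existing TouristJournal or JournalEntry document.
    function isCreator() { return signedIn() && resource.data.createdBy == request.auth.uid; }
    // Assumed representation of "follow" and "like": a list field of uids. A non-owner may change
    // only that one field, and may only add or remove its own uid (a missing field denies the write).
    function togglesOwnUid(field) {
      let before = resource.data[field].toSet();
      let after = request.resource.data[field].toSet();
      return signedIn()
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly([field])
        && after.difference(before).hasOnly([request.auth.uid])
        && before.difference(after).hasOnly([request.auth.uid]);
    }

    // User: document id equals the auth uid; readable by all (no password is stored),
    // written only by that user, never deleted.
    match /User/{userId} {
      allow read: if true;
      allow create, update: if signedIn() && request.auth.uid == userId;
      allow delete: if false;
    }

    // TouristJournal: creator has all write permissions (but cannot hand the journal to another uid);
    // any authenticated user may follow or unfollow.
    match /TouristJournal/{journalId} {
      allow read: if true;
      allow create: if createsAsSelf();
      allow update: if isCreator() && request.resource.data.createdBy == resource.data.createdBy;
      allow delete: if isCreator();
      allow update: if togglesOwnUid('followers');
    }

    // JournalEntry: same ownership model; any authenticated user may like or unlike.
    match /JournalEntry/{entryId} {
      allow read: if true;
      allow create: if createsAsSelf();
      allow update: if isCreator() && request.resource.data.createdBy == resource.data.createdBy;
      allow delete: if isCreator();
      allow update: if togglesOwnUid('likes');
    }
  }
}
```

Multiple allow statements for the same operation are combined with OR, so the owner path and the follow/like path coexist without granting an outsider any other field.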

D. Tool Evaluation Experimental Design

The evaluation of the tool was done by inviting 7 participants who had never implemented an access control policy for user testing on the prototype. The concept of the tool was explained in 3-5 minutes. Then the participants were asked to assign the access control policy related to the JournalEntry from the aforementioned scenario. The completion time was measured as well as the success rate. Afterward, an informal interview was conducted to understand the difficulties and get the participants' suggestions.

E. Tool Evaluation Results and Analysis

All 7 participants were able to set the 3 access levels required for the JournalEntry collection in an average of 12.5 minutes. They all thought that generating the access control using the tool is easier and less prone to error than writing the policy in code. The level that caused the most confusion was setting the access control conditioned on the value of the 'createdBy' attribute. Some suggestions were made to improve the tool related to the terminology used and the positions of some of the icons. A short tutorial was suggested at the start of the tool to explain the basic concepts of access control. Only one user absorbed the concept of a hierarchy of access levels and the inheritance from broader groups to a more refined level of users, while the others performed more steps than required, for example to allow read access for each user. Another thing to note was that although all participants were graduate students, the implementation concepts were new to them, which emphasizes what was discussed before on the lack of awareness among students.

VIII. CONCLUSION

Applying prevention measures to cloud-based web applications should be taken seriously. The result of the literature survey in this study reveals that many threats and vulnerabilities were reported in cloud computing services. These threats differ in risk level from low to medium to high. In this paper, we performed a comprehensive analysis of CS students' and developers' awareness of web threats in cloud computing. We provided a set of recommendations to mitigate threats to cloud-based web applications. We developed a tool that generates security rules for the Broken Access Control threat in Firebase. For future work, we plan to implement the designed tool and release it to contribute to the overall safety of web applications using Firebase. We also think that similar tools can be developed for other mitigation techniques.

ACKNOWLEDGEMENTS

The authors would like to acknowledge the support of King Fahd University of Petroleum and Minerals to complete this work. The authors would also like to thank Dr. Rabeah Al-Zaidy for her valuable feedback and comments to improve the paper.

Fig. 5. Firebase Access Control Policy Generation Tool

REFERENCES

[1] Z. R. Alashhab, M. Anbar, M. M. Singh, Y.-B. Leau, Z. A. Al-Sai, and S. A. Alhayja’a, “Impact of coronavirus pandemic crisis on technologies and cloud computing applications,” Journal of Electronic Science and Technology, vol. 19, no. 1, p. 100059, Mar. 2021.
[2] “Global cloud index projects strong multicloud traffic growth — The Network.” [Online]. Available: https://newsroom.cisco.com/press-release-content?articleId=1908858/
[3] “Millions of users’ data leaked through misconfigured Firebase backends.” [Online]. Available: https://www.xda-developers.com/user-data-leak-misconfigured-firebase-backends/
[4] “Donald Daters, a dating app for Trump supporters, leaked its users’ data — TechCrunch.” [Online]. Available: https://techcrunch.com/2018/10/15/donald-daters-a-dating-app-for-trump-supporters-leaked-its-users-data/
[5] T. Srivatanakul and F. Annansingh, “Incorporating active learning activities to the design and development of an undergraduate software and web security course,” Journal of Computers in Education, vol. 9, no. 1, pp. 25–50, Jun. 2021.
[6] “OWASP,” 2021. [Online]. Available: https://owasp.org/
[7] “Google Cloud.” [Online]. Available: https://cloud.google.com
[8] S. McElroy, “Detecting server-side request forgery attacks on Amazon Web Services,” vol. 18, pp. 34–41, Feb. 2020.
[9] J. Varia and S. Mathew, “Overview of Amazon Web Services (Survey Report),” pp. 1–30, Jan. 2014. [Online]. Available: http://media.amazonwebservices.com/AWS Overview.pdf
[10] G. Cloud and A. P. Standard, “Google Cloud’s Response to APRA Prudential Standard Cloud Whitepaper,” Jan. 2018.
[11] “Firebase Realtime Database — Store and sync data in real time.” [Online]. Available: https://firebase.google.com
[12] “Whitepaper: Azure Fundamentals.” [Online]. Available: https://www.softlanding.ca/wp-content/uploads/2020/06/Azure-Fundamentals-Whitepaper.pdf
[13] “Archived Amazon Web Services,” 2020. [Online]. Available: https://aws.amazon.com/
[14] P. R. Kumar, P. H. Raj, and P. Jelciana, “Exploring data security issues and solutions in cloud computing,” Procedia Computer Science, vol. 125, pp. 691–697, 2018, the 6th International Conference on Smart Computing and Communications.
[15] “Top 3 cloud security trends for 2019 revealed in new report — Synopsys.” [Online]. Available: https://www.synopsys.com/blogs/software-security/top-cloud-security-trends/
[16] B. F. Demissie and S. Ranise, “Assessing the effectiveness of the shared responsibility model for cloud databases: the case of Google’s Firebase,” in 2021 IEEE International Conference on Smart Data Services (SMDS). IEEE, Sep. 2021.
[17] “System shock: How a cloud leak exposed Accenture’s business — UpGuard.” [Online]. Available: https://www.upguard.com/breaches/cloud-leak-accenture
[18] M. Shachi, N. Shourav, A. S. Sajid Ahmed, A. Brishty, and N. Sakib, “A survey on detection and prevention of SQL and NoSQL injection attack on server-side applications,” International Journal of Computer Applications, vol. 183, pp. 1–7, Jun. 2021.
[19] A. Continella, M. Polino, M. Pogliani, and S. Zanero, “There’s a hole in that bucket! A large-scale analysis of misconfigured S3 buckets,” in Proceedings of the 34th Annual Computer Security Applications Conference, 2018, pp. 702–711.
[20] K. Sen, “S3 security is flawed by design,” 2022. [Online]. Available: https://www.upguard.com/blog/s3-security-is-flawed-by-design
[21] “Equifax data breach settlement,” Feb. 2022.
[22] S. S. Tirumala, H. Sathu, and V. Naidu, “Analysis and prevention of account hijacking based incidents in cloud environment,” in 2015 International Conference on Information Technology (ICIT). IEEE, 2015, pp. 124–129.
[23] D. Lee, “Uber concealed huge data breach,” Nov. 2017. [Online]. Available: https://www.bbc.com/news/technology-42075306
[24] M. X. Heiligenstein, “Microsoft data breaches: Full timeline through 2022,” Mar. 2022. [Online]. Available: https://firewalltimes.com/microsoft-data-breach-timeline/
[25] “Top threats to cloud computing: Egregious Eleven deep dive,” Sep. 2020. [Online]. Available: https://cloudsecurityalliance.org/artifacts/top-threats-egregious-11-deep-dive/
[26] “Mitigating cloud vulnerabilities,” 2020.
[27] J. Michener, “Security issues with functions as a service,” IT Professional, vol. 22, pp. 24–31, Sep. 2020.
[28] “Azure.” [Online]. Available: https://docs.microsoft.com/en-us/azure
[29] “Tracking configuration changes for your Azure VM — Azure Blog and Updates — Microsoft Azure.” [Online]. Available: https://azure.microsoft.com/en-us/blog/tracking-configuration-changes-for-your-azure-vm/
[30] “Build a CI/CD pipeline for API Management — Azure Blog and Updates — Microsoft Azure.” [Online]. Available: https://azure.microsoft.com/en-gb/blog/build-a-ci-cd-pipeline-for-api-management/