Mitigation of Web Vulnerabilities Arising from Directory Brute-Forcing and Exposed Development Artifact: A Qualitative Study

Authors

  • Aminu Muhammad Auwal Faculty of Natural Sciences, University of Jos, Plateau State, Nigeria

DOI:

https://doi.org/10.70112/ajist-2025.15.1.4332

Keywords:

Web Application Security, DevSecOps, Directory Brute-Forcing, Deployment Pipelines, Vulnerability Mitigation

Abstract

Web applications increasingly face threats not only from sophisticated exploits but also from basic oversights such as misconfigured directories and exposed development artifacts. This study explores the awareness and mitigation strategies of developers, DevOps engineers, and system administrators regarding vulnerabilities arising from directory brute-forcing and the exposure of sensitive files such as .git/, .env, and .bash_history. Using a qualitative approach, data were collected through semi-structured interviews with 11 IT professionals across different sectors in Nigeria, where the rise of small- and medium-scale web deployments has amplified the security stakes. Findings reveal a concerning inconsistency in mitigation strategies, even among technically proficient participants. While some employ directory restrictions and CI/CD security checks, others rely on ad hoc, manual practices. Most participants were aware of the risks posed by exposed artifacts, yet only a few incorporated automated tools or vulnerability scanners into their deployment pipelines. Notably, a gap persists between theoretical knowledge and operational execution, leaving systems vulnerable to reconnaissance and chained attacks. This study highlights the need for stronger DevSecOps integration, improved developer hygiene practices, and automated security enforcement within web deployment workflows. The results underscore a critical call to action for organizations and individual professionals to revisit their deployment pipelines and invest in proactive security measures that go beyond basic configuration.
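The abstract names CI/CD security checks as one of the mitigations some participants already use. The following is an added example of such a check, written for this page and not taken from the paper or from any tool it cites: a pre-deploy gate that walks the directory about to be published as a web root and refuses the deployment if it contains development artifacts such as .git/, .env or .bash_history. The artifact list beyond those three names, the function names and the sample directory layout are this example's own assumptions.

```python
"""Pre-deploy gate: refuse to publish a web root that contains development artifacts.

Added example (not the paper's code). A CI/CD step calls deploy_allowed() on the
build output directory and aborts the deployment when it returns False, so files
like .git/, .env and .bash_history never reach a public web server.
"""
from __future__ import annotations

import fnmatch
import os
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Policy. .git, .env and .bash_history come from the paper's abstract; the other
# entries are common additions (an assumption of this example) and can be extended.
SENSITIVE_DIRS = {".git", ".svn", ".hg"}
SENSITIVE_FILES = {".env", ".env.*", ".bash_history", "*.sql", "*.bak", "id_rsa", "*.pem"}


@dataclass(frozen=True)
class Finding:
    path: str   # path relative to the web root, POSIX style
    kind: str   # "dir" or "file"
    rule: str   # the policy entry that matched


def scan_web_root(root: str | os.PathLike[str]) -> list[Finding]:
    """Return every sensitive artifact found under root, sorted by path."""
    root = Path(root)
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Flag sensitive directories and prune them so their contents are not
        # reported one file at a time.
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append(Finding((rel_dir / d).as_posix(), "dir", d))
                dirnames.remove(d)
        for f in filenames:
            for rule in SENSITIVE_FILES:
                if fnmatch.fnmatch(f, rule):
                    findings.append(Finding((rel_dir / f).as_posix(), "file", rule))
                    break
    return sorted(findings, key=lambda x: x.path)


def deploy_allowed(root: str | os.PathLike[str]) -> bool:
    """True only when the web root is free of sensitive artifacts."""
    return not scan_web_root(root)


def build_demo_root() -> str:
    """Construct a sample web root with three leaked artifacts (constructed data)."""
    base = tempfile.mkdtemp(prefix="webroot-")
    p = Path(base)
    (p / "index.html").write_text("<h1>hello</h1>\n")
    (p / ".git" / "objects").mkdir(parents=True)
    (p / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (p / ".env").write_text("DB_PASSWORD=example-placeholder\n")
    (p / "static").mkdir()
    (p / "static" / "app.js").write_text("console.log('ok');\n")
    (p / "static" / ".bash_history").write_text("mysql -u root -p\n")
    return base


if __name__ == "__main__":
    # Usage in a pipeline: python gate.py <build-dir>; non-zero exit blocks the deploy.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_root()
    for finding in scan_web_root(target):
        print(f"BLOCKED {finding.kind}: {finding.path} (matched {finding.rule})")
    sys.exit(0 if deploy_allowed(target) else 1)
```

The gate runs against the artifact the pipeline is actually about to ship, not the source checkout, which is the point at which a stray .env or a copied .git directory is otherwise easy to miss; a web-server rule that denies dot-files is a useful second layer, but this check keeps the files off the server in the first place.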



Published

21-03-2025

How to Cite

Auwal, A. M. (2025). Mitigation of Web Vulnerabilities Arising from Directory Brute-Forcing and Exposed Development Artifact: A Qualitative Study. Asian Journal of Information Science and Technology, 15(1), 44–53. https://doi.org/10.70112/ajist-2025.15.1.4332
