CASA: a comprehensive automatic web servers audit

Abstract

Web servers play a crucial role in web technology. Insufficient protection can lead to serious risks, such as sensitive data exposure. To reduce risk of successful attacks, regular web server configuration audits are conducted. However, manual auditing is often tedious and error-prone, as it requires running commands to check configurations. To enhance this process, we introduce CASA, an automated audit tool designed for four widely used web servers: Nginx, Apache HTTP, Apache Tomcat, and Microsoft IIS. CASA evaluates configurations against industry standard CIS benchmarks, identifies non-compliant settings, and generates HTML audit reports. Our analysis shows that CASA significantly enhances automation in security auditing. We validate its effectiveness by comparing results with manual audits and analysing default and publicly available configurations from GitHub. The findings indicate low compliance with security benchmarks, with less than half of configurations meeting recommended standards, exposing critical risks in unmodified deployments.