Vulnerability Assessment of Default Configuration in Redis
Issued Date
2026-05-08
Scopus ID
2-s2.0-105039486914
Journal Title
ICSIM 2026: Proceedings of the 2026 9th International Conference on Software Engineering and Information Management
Start Page
72
End Page
76
Rights Holder(s)
SCOPUS
Bibliographic Citation
ICSIM 2026: Proceedings of the 2026 9th International Conference on Software Engineering and Information Management (2026), 72-76
Suggested Citation
Phyo A., Rassameeroj I. Vulnerability Assessment of Default Configuration in Redis. ICSIM 2026: Proceedings of the 2026 9th International Conference on Software Engineering and Information Management (2026), 72-76. doi:10.1145/3796315.3796326 Retrieved from: https://repository.li.mahidol.ac.th/handle/123456789/116961
Title
Vulnerability Assessment of Default Configuration in Redis
Author(s)
Phyo A., Rassameeroj I.
Abstract
Redis, a widely used in-memory key-value database, powers caching, session handling, and analytics in modern web applications. Its default configuration prioritizes performance over security, leaving deployments exposed to missing authentication, unencrypted communication, weak memory and persistence limits, and reachable high-risk commands. We present a dual-mode Python scanner that unifies direct Redis probing with web-layer-mediated testing via Server-Side Request Forgery (SSRF) and Server-Side Command Injection (SSJI) to reveal misconfigurations even when Redis is not directly exposed. The design contributes a structured workflow that switches seamlessly between direct and indirect paths; a non-destructive command-exposure heuristic that infers, from error-signature analysis, whether dangerous commands are available, renamed, or disabled; and an extensible module set covering authentication, TLS, memory, persistence, and module loading, with severity-ranked reporting. In a containerized testbed with TLS and non-TLS instances and a vulnerable PHP front end, the scanner detected seeded misconfigurations across seven categories with no false positives. The average per-module runtime was under 6 seconds, with mean CPU utilization below 1.2% and memory usage of 0.36 to 0.42%. These results indicate that the approach is accurate, lightweight, and practical for security audit workflows.
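The non-destructive command-exposure heuristic the abstract describes can be illustrated in Python. The block below is an editor-added example written for this page, not the authors' scanner: it assumes Redis's documented RESP2 reply formats and error strings ("unknown command", "wrong number of arguments", "syntax error", "NOAUTH", "NOPERM", "not allowed"); the probe list, the state labels, the severity levels and the reply stream in DEMO_REPLIES are this example's own constructions, not captured data.

```python
import io
import socket

# Each probe is harmless even if it executes: the command is sent with too few
# arguments (rejected at dispatch, before it runs) or with an invalid argument.
# Redis resolves the name and checks arity before authentication, so "unknown
# command" and "wrong number of arguments" leak even to an unauthenticated client.
PROBES = [
    ("CONFIG",   ("CONFIG",)),                 # arity error if present; no zero-arg form
    ("EVAL",     ("EVAL",)),                   # arity error if present; nothing is evaluated
    ("SLAVEOF",  ("SLAVEOF",)),                # arity error if present; replication untouched
    ("DEBUG",    ("DEBUG", "__noop__")),       # unknown subcommand, or "not allowed" if disabled
    ("MODULE",   ("MODULE", "LIST")),          # read-only, or "not allowed" if disabled
    ("FLUSHALL", ("FLUSHALL", "NOT_A_FLAG")),  # syntax error on the bogus flag; nothing flushed
]

def resp_encode(*argv):
    """Encode argv as a RESP array, the request format Redis parses."""
    parts = [b"*%d\r\n" % len(argv)]
    parts += [b"$%d\r\n%s\r\n" % (len(a.encode()), a.encode()) for a in argv]
    return b"".join(parts)

def read_reply(rf):
    """Read one complete RESP2 reply as (type byte, payload)."""
    line = rf.readline()
    if not line.endswith(b"\r\n"):
        raise ConnectionError("connection closed or peer is not speaking RESP")
    kind, body = line[:1], line[1:-2]
    if kind in (b"+", b"-", b":"):
        return kind, body.decode(errors="replace")
    if kind not in (b"$", b"*"):
        raise ValueError("unsupported RESP type %r" % kind)
    n = int(body)
    if kind == b"$":
        return kind, None if n < 0 else rf.read(n + 2)[:-2].decode(errors="replace")
    return kind, None if n < 0 else [read_reply(rf) for _ in range(n)]

def classify_reply(kind, payload):
    """Map a reply to an exposure state using the server's error signatures."""
    if kind != b"-":
        return "present"                # the probe executed (harmlessly by construction)
    up = str(payload).upper()
    if up.startswith("NOAUTH"):
        return "auth_required"          # password set; rescan with credentials
    if up.startswith("NOPERM"):
        return "acl_denied"             # an ACL rule blocks it for this user
    if "UNKNOWN COMMAND" in up:
        return "renamed_or_removed"     # rename-command "" or a build without it
    if "NOT ALLOWED" in up:
        return "disabled_by_config"     # enable-debug-command / enable-module-command
    if any(s in up for s in ("WRONG NUMBER OF ARGUMENTS", "SYNTAX ERROR", "UNKNOWN SUBCOMMAND")):
        return "present"                # name resolved; only our bad arguments were rejected
    return "unclassified: " + str(payload)

def run_probes(wf, rf):
    """Send every probe over an open (and, if needed, authenticated) connection."""
    results = {}
    for label, argv in PROBES:
        wf.write(resp_encode(*argv))
        wf.flush()
        results[label] = classify_reply(*read_reply(rf))
    return results

def scan(host, port=6379, password=None, timeout=3.0):
    """Direct-probe mode: connect, AUTH if a password is given, then run the probes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rf, wf = sock.makefile("rb"), sock.makefile("wb")
        if password is not None:
            wf.write(resp_encode("AUTH", password))
            wf.flush()
            kind, payload = read_reply(rf)
            if kind == b"-":
                raise PermissionError(payload)
        return run_probes(wf, rf)

def rate(results, authenticated):
    """Severity-rank: a reachable high-risk command with no authentication in front is HIGH."""
    auth_enforced = authenticated or "auth_required" in results.values()
    sev = {"present": "MEDIUM" if auth_enforced else "HIGH", "auth_required": "INFO"}
    return [(label, sev.get(state, "OK"), state) for label, state in results.items()]

# Constructed reply stream (not captured from a real server), one reply per probe in
# Redis's documented formats: no authentication, SLAVEOF renamed away, DEBUG blocked
# by enable-debug-command.
DEMO_REPLIES = (
    b"-ERR wrong number of arguments for 'config' command\r\n"
    b"-ERR wrong number of arguments for 'eval' command\r\n"
    b"-ERR unknown command 'SLAVEOF', with args beginning with: \r\n"
    b'-ERR DEBUG command not allowed. If the enable-debug-command option is set to "local", '
    b"you can run it from a local connection, otherwise you need to set this option in the "
    b"configuration file, and then restart the server.\r\n"
    b"*0\r\n"
    b"-ERR syntax error\r\n"
)

def demo():
    """Run the probes against the constructed stream (no network); returns (states, findings)."""
    results = run_probes(io.BytesIO(), io.BytesIO(DEMO_REPLIES))
    return results, rate(results, authenticated=False)

if __name__ == "__main__":
    print(*demo()[1], sep="\n")
```

Two caveats a practitioner should keep in mind when reading the states. An arity-rejected probe (CONFIG, EVAL, SLAVEOF above) proves only that the command name still resolves, because Redis rejects the wrong argument count before it checks authentication; whether the command can actually be executed depends on requirepass and ACLs, which is why rate() downgrades "present" to MEDIUM when authentication is enforced. Probes that pass the arity check (DEBUG, MODULE, FLUSHALL) either execute with harmless arguments or are answered with NOAUTH, so on a password-protected instance the scan should be repeated with credentials via scan(host, password=...) to resolve them. Against a live test instance, scan("127.0.0.1") returns the same dictionary shape that demo() produces from the constructed stream.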
