Vulnerability Assessment of Default Configuration in Redis

dc.contributor.author: Phyo A.
dc.contributor.author: Rassameeroj I.
dc.contributor.correspondence: Phyo A.
dc.contributor.other: Mahidol University
dc.date.accessioned: 2026-05-28T18:35:31Z
dc.date.available: 2026-05-28T18:35:31Z
dc.date.issued: 2026-05-08
dc.description.abstract: Redis, a widely used in-memory key-value database, powers caching, session handling, and analytics in modern web applications. Its default configuration prioritizes performance but neglects security, leaving deployments exposed to missing authentication, unencrypted communication, weak memory and persistence limits, and reachable high-risk commands. We present a dual-mode Python scanner that unifies direct Redis probing with web-layer-mediated testing via Server-Side Request Forgery (SSRF) and Server-Side Command Injection (SSJI), so that misconfigurations can be revealed even when Redis is not directly exposed. The design contributes: a structured workflow that switches between the direct and indirect paths; a non-destructive command-exposure heuristic that infers from error signatures whether dangerous commands are available or have been renamed or disabled; and an extensible module set covering authentication, TLS, memory, persistence, and module loading, with severity-ranked reporting. In a containerized testbed with TLS and non-TLS instances and a vulnerable PHP front end, the scanner detected seeded misconfigurations across seven categories with no false positives. Average per-module runtime was under 6 seconds, with mean CPU utilization below 1.2% and memory usage of 0.36–0.42%. These results indicate that the approach is accurate, lightweight, and practical for security-audit workflows.
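The abstract's command-exposure heuristic rests on one observation: Redis answers a command it recognises but cannot run with a different error than a command it does not know at all, so a deliberately malformed call reveals whether a dangerous command is still reachable under its default name without ever executing it. The following Python is an added illustration of that idea, not the authors' scanner; the probe set, verdict labels, function names and the stub replies standing in for a server are constructed for this example. The bare probes work because CONFIG, DEBUG, MODULE, SLAVEOF and EVAL all require arguments and fail Redis' arity check; FLUSHALL accepts at most one optional flag, so two junk arguments produce a syntax error instead of a flush. Before pointing this at anything you care about, confirm against the target version that each malformed form is rejected before execution.

```python
"""Non-destructive Redis command-exposure probe (added example; not the paper's scanner).

Each probe is deliberately malformed so Redis rejects it before acting on it, and
only the *kind* of error reply is used to decide whether the command is still
reachable under its default name. Probe set, verdict names and the stub replies
below are constructed for this example.
"""
import socket
from typing import Callable, Dict, List

# Commands worth checking, each in a form Redis refuses to run:
#  - CONFIG, DEBUG, MODULE, SLAVEOF, EVAL all require arguments, so a bare call
#    fails the arity check ("wrong number of arguments") and nothing executes.
#  - FLUSHALL accepts at most one optional flag, so two junk arguments make it
#    return "syntax error" instead of flushing. It is NOT safe to send it bare.
PROBES: Dict[str, List[str]] = {
    "CONFIG":   ["CONFIG"],
    "DEBUG":    ["DEBUG"],
    "MODULE":   ["MODULE"],
    "SLAVEOF":  ["SLAVEOF"],
    "EVAL":     ["EVAL"],
    "FLUSHALL": ["FLUSHALL", "probe", "probe"],
}


def encode_resp(args: List[str]) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(parts)


def classify_reply(reply: str) -> str:
    """Turn the first reply line into an exposure verdict using Redis' error prefixes."""
    line = reply.strip()
    if line.startswith("-ERR unknown command"):
        return "not_exposed"      # renamed with rename-command, or disabled via rename to ""
    if line.startswith("-NOAUTH"):
        return "auth_required"    # the name exists, but we cannot see past authentication
    if line.startswith("-NOPERM"):
        return "acl_denied"       # exists, but the ACL for this user forbids it
    if line.startswith("-ERR wrong number of arguments") or line.startswith("-ERR syntax error"):
        return "exposed"          # Redis resolved it to a live command and only rejected our args
    if line.startswith("-"):
        return "unknown_error"    # some other error: report the raw text, do not guess
    return "executed"             # a non-error reply means the probe was not inert; stop and review


def probe_exposure(send: Callable[[bytes], str],
                   probes: Dict[str, List[str]] = PROBES) -> Dict[str, str]:
    """Run every probe through send() and return {command: verdict}."""
    return {name: classify_reply(send(encode_resp(args))) for name, args in probes.items()}


def tcp_sender(host: str, port: int = 6379, timeout: float = 3.0) -> Callable[[bytes], str]:
    """send() for a live target: one connection per probe, first reply line only.
    Error replies are single lines, which is all the heuristic needs."""
    def send(payload: bytes) -> str:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            return sock.makefile("rb").readline().decode(errors="replace")
    return send


# Constructed stub standing in for an instance where DEBUG and SLAVEOF were
# renamed away in redis.conf and the connecting user lacks ACL rights to FLUSHALL.
# Redis checks command name and arity before AUTH and ACLs, so the bare probes can
# only ever say "exists" or "unknown"; FLUSHALL's probe passes arity and therefore
# also sees the ACL verdict.
STUB_REPLIES: Dict[bytes, str] = {
    b"CONFIG":   "-ERR wrong number of arguments for 'config' command\r\n",
    b"DEBUG":    "-ERR unknown command 'DEBUG', with args beginning with: \r\n",
    b"MODULE":   "-ERR wrong number of arguments for 'module' command\r\n",
    b"SLAVEOF":  "-ERR unknown command 'SLAVEOF', with args beginning with: \r\n",
    b"EVAL":     "-ERR wrong number of arguments for 'eval' command\r\n",
    b"FLUSHALL": "-NOPERM this user has no permissions to run the 'flushall' command\r\n",
}


def stub_send(payload: bytes) -> str:
    """Offline stand-in for tcp_sender(): answer by command name from STUB_REPLIES."""
    command = payload.split(b"\r\n")[2]   # "*N\r\n$len\r\n<name>\r\n..." -> third field
    return STUB_REPLIES[command]


if __name__ == "__main__":
    # Swap stub_send for tcp_sender("10.0.0.5") to probe a real instance (hypothetical address).
    for command, verdict in probe_exposure(stub_send).items():
        print(f"{command:9s} {verdict}")
```

Note the asymmetry the stub makes visible: because name lookup and arity come before the authentication and ACL checks, a bare probe of a variable-arity command tells you only that the command exists under that name, whereas a probe that passes arity (FLUSHALL with junk arguments) also surfaces NOAUTH or NOPERM. A scanner that reports "exposed" should therefore distinguish "exists" from "runnable by this identity", which is why the verdicts above keep them apart.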
dc.identifier.citation: ICSIM 2026: Proceedings of the 2026 9th International Conference on Software Engineering and Information Management (2026), 72-76
dc.identifier.doi: 10.1145/3796315.3796326
dc.identifier.scopus: 2-s2.0-105039486914
dc.identifier.uri: https://repository.li.mahidol.ac.th/handle/123456789/116961
dc.rights.holder: SCOPUS
dc.subject: Computer Science
dc.title: Vulnerability Assessment of Default Configuration in Redis
dc.type: Conference Paper
mu.datasource.scopus: https://www.scopus.com/inward/record.uri?partnerID=HzOxMe3b&scp=105039486914&origin=inward
oaire.citation.endPage: 76
oaire.citation.startPage: 72
oaire.citation.title: ICSIM 2026: Proceedings of the 2026 9th International Conference on Software Engineering and Information Management
oairecerif.author.affiliation: Mahidol University
