Security Misconfiguration
These vulnerabilities arise when the security configuration of the application has not been defined, implemented and kept up to date. An attacker can use default accounts, unused pages, unpatched OS flaws, unprotected directories or files, and similar weaknesses to gain information about the server side. Misconfiguration can occur anywhere in the application stack: the load balancer, the web server, the application server, client-side custom scripts or the database. Most of these are common, easily made errors, which is exactly why they are a preferred attack vector.
Some of the sample attack scenarios referenced by OWASP for this category are:
Scenario #1: The admin console of the app server is automatically installed and not removed. Default accounts aren’t changed. The attacker discovers where the standard admin pages are on your server, logs in with default passwords, and takes over.
Scenario #2: Directory listing is not disabled on your server. Attackers can simply list directories to find any file. They can, for example, find and download all your compiled Java classes, which can be decompiled and reverse-engineered to get all your custom code. By doing so, they can find any serious access control flaws in your application.
Scenario #3: The app server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love all the extra information that error messages provide.
Scenario #4: The app server comes with sample applications that are not removed from your production server. These sample applications have well-known security flaws that attackers can then use to compromise your server.
Prevention Measures
Ensure that all components such as the OS, webserver, app server, load balancer, database etc. have the latest security updates.
Disable all default accounts.
Set server-side directory permissions to the minimum required to run the application.
Secure the log files and ensure periodic audits.
Deploy the web application with only those modules that are actually required.
Ensure that you have authorization controls on sensitive modules.
Restrict access to the server file system with an Access Control List (for example, by IP address).
Perform a periodic web-vulnerability scan.
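The four scenarios above and the prevention list are both about configuration that can be checked mechanically before deployment. The following Python script is an added example (not code from OWASP or from any product) of such a check: it audits constructed configuration fragments for the four misconfigurations described (default accounts, directory listing, verbose error output, sample applications left deployed) plus a version-disclosure setting. The Apache-style `Options Indexes` and `ServerTokens` directives and the Tomcat-style `tomcat-users` XML layout are real formats, but the sample contents, the default-credential list and the sample-application names are assumed placeholders chosen for illustration.

```python
"""Audit constructed server configuration fragments for common security
misconfigurations. Example code written for this page; the inputs below
are constructed samples, not copied from a real server."""
import re
import xml.etree.ElementTree as ET

# --- Constructed sample inputs (assumed, for illustration only) ---------
APACHE_HTTPD_CONF = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
ServerTokens Full
"""

TOMCAT_USERS_XML = """<?xml version="1.0"?>
<tomcat-users>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="deploy" password="S3cure!longpass" roles="manager-script"/>
</tomcat-users>
"""

WEBAPPS_DIR = ["ROOT", "manager", "examples", "docs", "shop"]
APP_PROPERTIES = {"debug": "true", "show.stacktrace": "on", "db.pool": "10"}

# Assumed placeholder lists; a real audit would load these from policy.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("tomcat", "tomcat"), ("root", "root")}
SAMPLE_APPS = {"examples", "docs", "host-manager"}


def check_default_accounts(users_xml: str) -> list[str]:
    """Scenario #1: accounts still using a known default username/password pair."""
    findings = []
    for user in ET.fromstring(users_xml).iter("user"):
        pair = (user.get("username"), user.get("password"))
        if pair in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials left in place for user {pair[0]!r}")
    return findings


def check_directory_listing(conf: str) -> list[str]:
    """Scenario #2: <Directory> blocks whose Options line enables Indexes.
    '-Indexes' explicitly disables listing and is not flagged."""
    findings = []
    for block in re.finditer(r'<Directory\s+"([^"]+)">(.*?)</Directory>', conf, re.S):
        path, body = block.group(1), block.group(2)
        m = re.search(r"^\s*Options\s+(.*)$", body, re.M)
        if m and any(tok in ("Indexes", "+Indexes") for tok in m.group(1).split()):
            findings.append(f"directory listing enabled for {path}")
    return findings


def check_stack_traces(props: dict) -> list[str]:
    """Scenario #3: settings that send debug output or stack traces to users."""
    truthy = {"true", "on", "1", "yes"}
    return [
        f"verbose error output enabled via {key}={value}"
        for key, value in props.items()
        if ("debug" in key or "stacktrace" in key) and value.lower() in truthy
    ]


def check_sample_apps(webapps: list[str]) -> list[str]:
    """Scenario #4: sample/demo applications still deployed in production."""
    return [f"sample application deployed: {name}" for name in webapps if name in SAMPLE_APPS]


def check_server_tokens(conf: str) -> list[str]:
    """Version disclosure: anything other than 'ServerTokens Prod' reveals
    server details in response headers."""
    m = re.search(r"^\s*ServerTokens\s+(\S+)", conf, re.M)
    if m and m.group(1) != "Prod":
        return [f"ServerTokens {m.group(1)} discloses server version information"]
    return []


def audit() -> list[str]:
    """Run every check over the constructed inputs and return all findings."""
    return (
        check_default_accounts(TOMCAT_USERS_XML)
        + check_directory_listing(APACHE_HTTPD_CONF)
        + check_stack_traces(APP_PROPERTIES)
        + check_sample_apps(WEBAPPS_DIR)
        + check_server_tokens(APACHE_HTTPD_CONF)
    )


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

Each check returns a list rather than printing, so the same functions can feed a CI gate that fails the build when the list is non-empty; that is the cheapest way to turn the "periodic web-vulnerability scan" item into a pre-deployment control rather than an after-the-fact one.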