Tuesday 23 July 2013

Best example for OWASP - SECURITY MISCONFIGURATION

Security Misconfiguration is one of the OWASP Top 10 risks for web applications. It may give attackers unauthorized access to some system data or functionality, and occasionally such flaws result in a complete system compromise.
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
Of the several vulnerability checks listed on the OWASP Security Misconfiguration page, one is the following:
Is your error handling set up to prevent stack traces and other overly informative error messages from leaking?
Recently, while doing vulnerability assessment at random for some of the top financial websites, I came across this vulnerability:
At this stage, if a user enters the mobile number, he proceeds to the normal registration page.
However, if you now change the URL manually, you get an error stack trace such as the following. Notice the change: I changed execution=e2s1 to execution=1234.
[Screenshot o2_money_secmisconfig1: the stack trace page returned after the change]
The stack trace above reveals a great deal of information about the platform. Some key details:
  1. The application server is Apache Tomcat 6.0.26
  2. The component model is based on the Spring Framework
  3. Registration uses Spring Web Flow
  4. Server-side programming is most probably Java
All of this lets an attacker learn about the system very easily and look up known security holes in the software and technologies listed above.
Solution:
The application server should be configured to return a generic error page instead of such stack traces.
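As an added example (not taken from the original post or the affected site), here is how that generic error page is configured in a Servlet 2.5 web.xml, the descriptor format Tomcat 6 reads; the error page paths are assumptions, and the "weak" state is simply the absence of any mapping.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: illustrative fragment, not the affected site's descriptor -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Weak setup (the misconfiguration shown above): no <error-page>
       elements at all. Any uncaught exception, such as Spring Web Flow
       rejecting an unknown execution key, falls through to Tomcat's
       default error report, which prints the exception class, the full
       stack trace and the server banner "Apache Tomcat/6.0.26". -->

  <!-- Corrected setup: map HTTP error codes and every exception type to
       static, generic pages, so the client learns nothing about the stack.
       Paths are assumed; they must start with "/" and resolve inside the
       web application. -->
  <error-page>
    <error-code>404</error-code>
    <location>/errors/not-found.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/errors/generic-error.html</location>
  </error-page>
  <error-page>
    <!-- java.lang.Throwable is the root of all exceptions, so an exception
         type introduced later cannot slip past this mapping. -->
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/generic-error.html</location>
  </error-page>
</web-app>
```

The original exception is still written to the server log, so the generic page hides details from the client, not from the operator.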
