Security misconfiguration arises when security settings are defined, implemented, and maintained as defaults. Good security requires a secure configuration to be defined and deployed for the application, web server, database server, and platform. It is equally important to keep the software up to date.
Example
Below are some of the classic examples of security misconfiguration:
- Directory listing is not disabled on the server. If an attacker discovers this, they can simply list directories to find any file and execute it. It is also possible to retrieve the actual code base, which contains all your custom code, and then find serious flaws in the application.
- The app server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers use the extra information that these error messages provide, which is often enough for them to penetrate the application.
- App servers usually come with sample apps that are NOT well secured. If they are not removed from the production server, they can result in the server being compromised.
Hands On
1. Launch WebGoat, navigate to the Insecure Configuration section, and let us try to solve that challenge. A snapshot of the same is provided below:
- web.config
- config
- appname.config
- conf
Prevention Mechanisms
All environments, such as development, QA, and production, should be configured identically, with different passwords used in each environment that cannot be easily guessed. The possibility of this attack can also be minimized by running automated scans and doing audits periodically.
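The automated scan mentioned above can start as a simple configuration audit. The script below is an added example (not part of the original post or of WebGoat) that checks the three misconfigurations listed in the Example section, directory listing, stack traces returned to users, and exposed sample apps, plus the per-environment password rule from this section. The Apache-style and web.config snippets it scans are constructed samples embedded inline; the weak and hardened versions of each are shown side by side so the corrected setting is visible. The sample-app paths and default-password list are assumptions for illustration.

```python
"""Audit constructed web-server configuration snippets for classic
security misconfigurations: directory listing, verbose errors,
leftover sample apps, and shared or default environment passwords."""
import re
import xml.etree.ElementTree as ET

# Constructed Apache-style fragment: directory listing ON, sample app aliased in.
APACHE_WEAK = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
Alias /samples /usr/share/httpd/samples
"""

# Same fragment hardened: listing explicitly disabled, sample alias removed.
APACHE_HARDENED = """
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""

# Constructed ASP.NET web.config: detailed errors and debug builds for everyone.
WEBCONFIG_WEAK = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" />
  </system.web>
</configuration>
"""

# Hardened: remote users get a generic page, debug compilation off.
WEBCONFIG_HARDENED = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error" />
    <compilation debug="false" />
  </system.web>
</configuration>
"""

# Assumed locations where vendor sample apps typically get mounted.
SAMPLE_APP_PATHS = ("/samples", "/examples", "/docs/examples")
# Assumed list of passwords that should never survive into any environment.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", ""}


def audit_apache(conf: str) -> list[str]:
    """Return findings for an Apache-style config fragment."""
    findings = []
    for line in conf.splitlines():
        stripped = line.strip()
        m = re.match(r"Options\s+(.*)", stripped)
        if m:
            opts = m.group(1).split()
            # "Indexes" or "+Indexes" turns listing on; "-Indexes" turns it off.
            if any(o in ("Indexes", "+Indexes") for o in opts):
                findings.append("directory listing enabled (Options Indexes)")
        m = re.match(r"Alias\s+(\S+)\s+(\S+)", stripped)
        if m and m.group(1).rstrip("/") in SAMPLE_APP_PATHS:
            findings.append(f"sample application exposed at {m.group(1)}")
    return findings


def audit_webconfig(xml_text: str) -> list[str]:
    """Return findings for an ASP.NET web.config document."""
    findings = []
    root = ET.fromstring(xml_text)
    ce = root.find("./system.web/customErrors")
    if ce is not None and ce.get("mode", "").lower() == "off":
        findings.append("customErrors mode=Off: stack traces returned to remote users")
    comp = root.find("./system.web/compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append("compilation debug=true in production")
    return findings


def audit_env_passwords(env_passwords: dict[str, str]) -> list[str]:
    """Flag default passwords and passwords reused across environments."""
    findings = []
    seen = {}  # password -> first environment that used it
    for env, pw in env_passwords.items():
        if pw in DEFAULT_PASSWORDS:
            findings.append(f"{env}: default or empty password")
        if pw in seen:
            findings.append(f"{env} reuses the {seen[pw]} password")
        else:
            seen[pw] = env
    return findings


if __name__ == "__main__":
    for label, conf, fn in (("apache weak", APACHE_WEAK, audit_apache),
                            ("apache hardened", APACHE_HARDENED, audit_apache),
                            ("web.config weak", WEBCONFIG_WEAK, audit_webconfig),
                            ("web.config hardened", WEBCONFIG_HARDENED, audit_webconfig)):
        print(f"{label}: {fn(conf) or 'no findings'}")
    # Constructed environment passwords: QA copies dev, prod still on a default.
    print(audit_env_passwords({"dev": "dev-only-Xk9", "qa": "dev-only-Xk9",
                               "prod": "changeme"}))
```

Run it as-is to see each weak sample produce findings and each hardened sample produce none; pointing the audit functions at real configuration files is the step that turns this into the periodic scan the section recommends.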