Application Misconfiguration

Page history last edited by Robert Auger 14 years, 8 months ago

Project: WASC Threat Classification

Threat Type: Weakness

Reference ID: WASC-15

 

Application Misconfiguration

Application Misconfiguration attacks exploit configuration weaknesses found in web applications. Many applications come with unnecessary and unsafe features, such as debug and QA features, enabled by default. These features may provide a means for a hacker to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges.

 

Likewise, default installations may include well-known usernames and passwords, hard-coded backdoor accounts, special access mechanisms, and incorrect permissions set for files accessible through web servers. Default samples may be accessible in production environments. Application-based configuration files that are not properly locked down may reveal clear text connection strings to the database, and default settings in configuration files may not have been set with security in mind. All of these misconfigurations may lead to unauthorized access to sensitive information.

 

Example

The php.ini file includes the expose_php variable that is enabled by default, as follows:

 

expose_php = 'on'

 

With this default, the server announces in an HTTP response header that a specific version of PHP is processing requests. An attacker can use the disclosed version to formulate an attack specific to that PHP release.
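As an added example, not part of the WASC page or of PHP itself: a Python script that parses a php.ini fragment and flags values that violate a small hypothetical production baseline. It accepts the quoted form shown above, treats a directive that is absent from the file as PHP's built-in default, and adds display_errors as a second instance of the debug features described earlier; the sample php.ini text is constructed.

```python
# Constructed php.ini fragment in the quoted form the page shows (not a real file).
SAMPLE_PHP_INI = """
; constructed example: an installation whose defaults were never hardened
[PHP]
engine = On
expose_php = 'on'    ; leaks the PHP version in the X-Powered-By response header
display_errors = On  ; debug feature of the kind the page warns about
"""

# Hypothetical hardening baseline: directive -> value required in production.
# expose_php is the directive the page discusses; display_errors is added here as one
# more debug-type feature of the kind the page describes. Both default to On when unset.
HARDENING_BASELINE = {"expose_php": False, "display_errors": False}

TRUE_WORDS = {"1", "on", "true", "yes"}

def parse_php_ini(text):
    """Return {directive: value} from php.ini text, skipping comments and [sections].
    Surrounding single or double quotes are stripped, so 'on' and On compare equal."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        directives[key.lower()] = value.strip("'\"")
    return directives

def ini_bool(value):
    """Mirror PHP's reading of a boolean ini value: On/1/true/yes are true, all else false."""
    return value.strip().lower() in TRUE_WORDS

def audit_php_ini(text, baseline=HARDENING_BASELINE):
    """Return (directive, current_value) pairs that violate the baseline. A directive
    missing from the file is reported too, because PHP's built-in default (On) then applies."""
    found = parse_php_ini(text)
    findings = []
    for directive, required in baseline.items():
        current = found.get(directive)
        effective = ini_bool(current) if current is not None else True
        if effective != required:
            findings.append((directive, current if current is not None else "<unset>"))
    return findings

if __name__ == "__main__":
    for directive, value in audit_php_ini(SAMPLE_PHP_INI):
        print(f"{directive} = {value!r} violates the production baseline")
```

Point the script at the php.ini your server actually loads (phpinfo() reports the path) rather than the packaged php.ini-production template.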

 

References

[1] "Internet Application Security", Eran Reshef, Perfecto Technologies: http://www.cgisecurity.com/lib/IAS.pdf

[2] "A Guide to Building Secure Web Applications and Web Services", OWASP: http://www.owasp.org/index.php/Category:OWASP_Guide_Project

[3] "JavaScript Scanning and expose_php=On", PHP Security Blog: http://blog.php-security.org/archives/55-JavaScript-Scanning-and-expose_phpOn.html

[4] See also 'Information Leakage' (WASC): http://projects.webappsec.org/Information-Leakage
