Project: WASC Threat Classification
Threat Type: Weakness
Reference ID: WASC-15
Application Misconfiguration
Application Misconfiguration attacks exploit configuration weaknesses found in web applications. Many applications come with unnecessary and unsafe features, such as debug and QA features, enabled by default. These features may provide a means for a hacker to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges.
Likewise, default installations may include well-known usernames and passwords, hard-coded backdoor accounts, special access mechanisms, and incorrect permissions set for files accessible through web servers. Default samples may be accessible in production environments. Application-based configuration files that are not properly locked down may reveal clear text connection strings to the database, and default settings in configuration files may not have been set with security in mind. All of these misconfigurations may lead to unauthorized access to sensitive information.
Example
The php.ini file includes the expose_php variable that is enabled by default, as follows:
expose_php = 'on'
This default setting causes the application server to reveal in the server header that a specific version of PHP is being used to process requests. The information revealed may be used to formulate an attack that is specific to the PHP version found.
References
"Internet Application Security", By Eran Reshef - Perfecto Technologies
[1] http://www.cgisecurity.com/lib/IAS.pdf
"A Guide to Building Secure Web Applications and Web Services", OWASP
[2] http://www.owasp.org/index.php/Category:OWASP_Guide_Project
"JavaScript Scanning and expose_php=On", PHP Security Blog
[3] http://blog.php-security.org/archives/55-JavaScript-Scanning-and-expose_phpOn.html
See also 'Information Leakage'
[4] http://projects.webappsec.org/Information-Leakage
Comments (0)
You don't have permission to comment on this page.