Security Misconfiguration
Description
Responsibly managing Web application security often involves the expertise of both developers and administrators, and requires members from both sides of the project to properly ensure the security of a site's application. This is especially true of configuration. The Secure Web Applications Group (SWAG) is a forum where developers and administrators get together monthly to discuss such issues.
Examples
Scenario #1
Your application relies on a powerful framework like Struts or Spring. XSS flaws are found in these framework components you rely on. An update is released to fix these flaws but you don’t update your libraries. Until you do, attackers can easily find and exploit these flaws in your app.
Scenario #2
The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.
Scenario #3
Directory listing is not disabled on your server. Attacker discovers she can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she reverse engineers to get all your custom code. She then finds a serious access control flaw in your application.
Scenario #4
Application server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide.
Scenario #5
You manage a WordPress site. Some areas of the site are password protected. You have configured WordPress to use SSL when users access the login pages. An upgrade is available and you apply it, not realizing that the upgrade erased the settings that require SSL on the login pages. Submitted passwords are now sent in plain text across the network.
Mitigation
The primary recommendations for developers are to establish all of the following:
- Development and production environments should be configured identically. This process should be automated to minimize the effort required to set up a new secure environment.
- Properly manage file permissions: websites should ensure that all directory and file permissions are set to the least permissions necessary.
- Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches. The Enterprise Security Group offers a free web application scanning service.
- Keep code libraries up to date.
- Web-based database tools (e.g. phpMyAdmin) are often installed incorrectly. If your MySQL database is provided by UIT, use our database management tool.
- Content Management Systems (CMS) are also problematic when it comes to security. (See our recommendations for securing WordPress.)
- Do not store application configuration files within the web root.
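As an added illustration (not part of this page or of any UIT tool), the following Python script audits a deployment directory for several of the misconfigurations listed above: world-writable files, configuration files left inside the web root, directory listing enabled in an .htaccess, and PHP error display turned on. The list of configuration file names and the sample deployment it builds are constructed for the example and assume a POSIX host.

```python
import os
import re
import tempfile
from pathlib import Path

# Config files that belong outside the web root (list constructed for this example)
CONFIG_NAMES = {"wp-config.php", "config.php", "settings.py", ".env", "database.yml"}

def apache_indexes_enabled(text):
    """True if an Apache .htaccess turns directory listing on (Options Indexes, +Indexes or All)."""
    return re.search(r"^\s*Options\b.*\s\+?(Indexes|All)\b", text, re.I | re.M) is not None

def php_display_errors_on(text):
    """True if a php.ini/.user.ini sends error details and stack traces to users."""
    return re.search(r"^\s*display_errors\s*=\s*(on|1|true)\b", text, re.I | re.M) is not None

def audit_webroot(webroot):
    """Walk the web root and return sorted (relative path, finding) pairs."""
    findings = set()
    for path in Path(webroot).rglob("*"):
        rel, name, mode = str(path.relative_to(webroot)), path.name, path.stat().st_mode
        if mode & 0o002:  # other-write bit: nothing under the web root should be world-writable
            findings.add((rel, "world-writable"))
        if name in CONFIG_NAMES:
            findings.add((rel, "config file inside web root"))
            if mode & 0o004:  # other-read bit: secrets readable by every local account
                findings.add((rel, "config file world-readable"))
        if name == ".htaccess" and apache_indexes_enabled(path.read_text()):
            findings.add((rel, "directory listing enabled"))
        if name in ("php.ini", ".user.ini") and php_display_errors_on(path.read_text()):
            findings.add((rel, "error details shown to users"))
    return sorted(findings)

def build_sample_webroot():
    """Constructed deployment containing several of the misconfigurations above."""
    root = Path(tempfile.mkdtemp())
    (root / "uploads").mkdir()
    os.chmod(root / "uploads", 0o777)  # world-writable upload directory
    samples = {"wp-config.php": "<?php define('DB_PASSWORD', 'example');\n",
               ".htaccess": "Options Indexes FollowSymLinks\n",
               ".user.ini": "; left over from development\ndisplay_errors = On\n"}
    for name, text in samples.items():
        (root / name).write_text(text)
        os.chmod(root / name, 0o644)  # readable by every account on the host
    return str(root)

if __name__ == "__main__":
    for rel, finding in audit_webroot(build_sample_webroot()):
        print(f"{finding}: {rel}")
```

Run it against a real document root (audit_webroot("/var/www/html"), for instance) and fix each finding by tightening permissions, moving configuration out of the web root, setting Options -Indexes, and turning display_errors off.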