The article presents an example of “Security Misconfiguration” vulnerability that was found on Infosys career website. It could be noted that security misconfiguration is considered as one of the OWASP top 10 security vulnerabilities.
The vulnerability was found with Careers web application of Infosys, which can be accessed at https://careers.infosys.com/.
- As you access the career site link, you would see the title icon as “SAP”. This does suggest that Infosys careers web application is created on top of SAP career module. The way I found that is following:
- Go to job opportunities page. Click on “Register”.
- You would land on the registration page with following link: https://careers.infosys.com/sap/bc/webdynpro/sap/hrrcf_a_candidate_registration
- Go ahead and strip the hrrcf_a_candidate_registration from above link and access the following link and what appears is a SAP Netweaver page:https://careers.infosys.com/sap/bc/webdynpro/sap/
- So far so good. It may be argued that it is OK to use SAP career module.
- Get registered and login.
- And, the page URL that you would find is https://careers.infosys.com/sap/bc/webdynpro/sap/hrrcf_a_startpage_ext_cand.
- Strip hrrcf_a_startpage_ext_cand from above URL and access the link: https://careers.infosys.com/sap/bc/webdynpro/sap
- And, you access the page with errors and exceptions. 🙂
- This can be sighted as the classic example of “Security Misconfiguration” as one could read and figure out several things about application and server configurations and plan appropriate measures to break the entry into the system.
So, how to fix it?
Following are different possible solutions to fix this vulnerability:
- Provide an error page and do the appropriate configuration such that the error page is displayed if someone tries access unauthorized page like above.
- Create a set of thin UI pages and integrate it with SAP Netweaver back end using REST. This way, one will never know about SAP backend at all.
- Create a web MVC application and integrate it with SAP Netweaver the backend.
[adsenseyu1]
I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin.
Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.
Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.
Latest posts by Ajitesh Kumar (see all)
- Agentic Reasoning Design Patterns in AI: Examples - October 18, 2024
- LLMs for Adaptive Learning & Personalized Education - October 8, 2024
- Sparse Mixture of Experts (MoE) Models: Examples - October 6, 2024
I found it very helpful. However the differences are not too understandable for me