Categories: Application Security

OWASP Security Misconfiguration – Classic Example – 1

[adsenseyu2]

One of the OWASP top 10 application security vulnerability is Security Misconfiguration. One of the most common way to identify the security misconfiguration configuration is to check if error handling reveals stack traces or other informative error messages to users.

I tried and run an automated scanner on this website, http://www.davrohini.org/ and got various different URLs which revealed stack traces including some of the following:

However, the most dangerous one of the above is http://www.davrohini.org/user/left.jsp. Take a look at the screenshot below.

Security Misconfiguration Example – Showing compilation errors

 

Take a look at another diagram below that shows the information regarding the server Apache Tomcat 6.0.16.

Security Misconfiguration Example – Displays Server Information

 

Following is some of the information that can be retrieved by a hacker:

  • The application is written in Java/JSP
  • The application runs on Tomcat 6.0.16

Following may be one of the approach used for hacking the website:

  • One may find the security vulnerabilities associated with tomcat 6.0.16. This can be done by quick google search with following keyword phrase: “Apache Tomcat 6.0.16 vulnerabilities“. You could find specific tomcat vulnerabilities on this page.
    • Session hi-jacking
    • Elevated privileges: This belongs to E (Elevation of Privilege) of STRIDE model. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.
    • Information disclosure: This belongs to I (Information Disclosure) of STRIDE model. Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers.
    • Data integrity: This belongs to T (Data tampering) of STRIDE model. Data tampering involves the malicious modification of data.
Ajitesh Kumar

I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin. Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.

Share
Published by
Ajitesh Kumar

Recent Posts

What is Data Strategy?

In today's data-driven business landscape, organizations are constantly seeking ways to harness the power of…

12 hours ago

Mathematics Topics for Machine Learning Beginners

In this blog, you would get to know the essential mathematical topics you need to…

4 weeks ago

Questions to Ask When Thinking Like a Product Leader

This blog represents a list of questions you can ask when thinking like a product…

1 month ago

Three Approaches to Creating AI Agents: Code Examples

AI agents are autonomous systems combining three core components: a reasoning engine (powered by LLM),…

1 month ago

What is Embodied AI? Explained with Examples

Artificial Intelligence (AI) has evolved significantly, from its early days of symbolic reasoning to the…

3 months ago

Retrieval Augmented Generation (RAG) & LLM: Examples

Last updated: 25th Jan, 2025 Have you ever wondered how to seamlessly integrate the vast…

6 months ago