Categories: Application Security

OWASP Security Misconfiguration – Classic Example – 1

security misconfiguration

[adsenseyu2]

One of the OWASP top 10 application security vulnerability is Security Misconfiguration. One of the most common way to identify the security misconfiguration configuration is to check if error handling reveals stack traces or other informative error messages to users.

I tried and run an automated scanner on this website, http://www.davrohini.org/ and got various different URLs which revealed stack traces including some of the following:

However, the most dangerous one of the above is http://www.davrohini.org/user/left.jsp. Take a look at the screenshot below.

Security Misconfiguration Example – Showing compilation errors

 

Take a look at another diagram below that shows the information regarding the server Apache Tomcat 6.0.16.

Security Misconfiguration Example – Displays Server Information

 

Following is some of the information that can be retrieved by a hacker:

  • The application is written in Java/JSP
  • The application runs on Tomcat 6.0.16

Following may be one of the approach used for hacking the website:

  • One may find the security vulnerabilities associated with tomcat 6.0.16. This can be done by quick google search with following keyword phrase: “Apache Tomcat 6.0.16 vulnerabilities“. You could find specific tomcat vulnerabilities on this page.
    • Session hi-jacking
    • Elevated privileges: This belongs to E (Elevation of Privilege) of STRIDE model. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.
    • Information disclosure: This belongs to I (Information Disclosure) of STRIDE model. Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers.
    • Data integrity: This belongs to T (Data tampering) of STRIDE model. Data tampering involves the malicious modification of data.
Latest posts by Ajitesh Kumar (see all)
Ajitesh Kumar

I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin. Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.

Leave a Comment
Share
Published by
Ajitesh Kumar
Tags: owaspsecurity misconfiguration
11 years ago

Recent Posts

What are AI Agents? How do they work?

Artificial Intelligence (AI) agents have started becoming an integral part of our lives. Imagine asking…

2 weeks ago

Agentic AI Design Patterns Examples

In the ever-evolving landscape of agentic AI workflows and applications, understanding and leveraging design patterns…

2 weeks ago

List of Agentic AI Resources, Papers, Courses

In this blog, I aim to provide a comprehensive list of valuable resources for learning…

2 weeks ago

Understanding FAR, FRR, and EER in Auth Systems

Have you ever wondered how systems determine whether to grant or deny access, and how…

2 weeks ago

Top 10 Gartner Technology Trends for 2025

What revolutionary technologies and industries will define the future of business in 2025? As we…

2 weeks ago

OpenAI GPT Models in 2024: What’s in it for Data Scientists

For data scientists and machine learning researchers, 2024 has been a landmark year in AI…

3 weeks ago