Security Misconfiguration Example – Upwork

OWASP Security Misconfiguration Example

In this post, you will see an example of security misconfiguration which is one of the top 10 security vulnerabilities as per OWASP top 10 security vulnerabilities.

Here is what security misconfiguration means?

Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc to gain unauthorized access or knowledge of the system. In this post, you will see the example of unauthorized knowledge of the system.

Security Misconfiguration Example

This morning, I was checking the Upwork.com when I saw this message when I tried to login. Take a look at exceptions and stack trace.

Fig 1. Stacktrace of Exceptions

Using the above, I could extract some of the following information in relation to software stack used for building Upwork and design one or more attack vector for hacking purpose.

Java is used in the backend
Jetty server looks to be used
Netflix Hystrix is used for latency and fault tolerance
Usage of some of the following jar files
- httpcore.jar
- httpclient.jar
- dropwizard-client.jar
- jersey-client
- guice-servlet

Author
Recent Posts

Ajitesh Kumar

I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin.
Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.

Latest posts by Ajitesh Kumar (see all)

Agentic Reasoning Design Patterns in AI: Examples - October 18, 2024
LLMs for Adaptive Learning & Personalized Education - October 8, 2024
Sparse Mixture of Experts (MoE) Models: Examples - October 6, 2024

Ajitesh Kumar

I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin. Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.