Tag Archives: security misconfiguration
Security Misconfiguration Example – Upwork
In this post, you will see an example of security misconfiguration, one of the OWASP Top 10 application security vulnerabilities. Here is what security misconfiguration means: attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc., to gain unauthorized access to, or unauthorized knowledge of, the system. In this post, you will see an example of unauthorized knowledge of the system, i.e. information disclosure through error output. Security Misconfiguration Example This morning, I was checking Upwork.com when I saw this message as I tried to log in. Take a look at the exceptions and stack trace. Using the above, I could extract some …
OWASP Security Misconfiguration Example – Infosys Career Website
The article presents an example of the “Security Misconfiguration” vulnerability found on the Infosys careers website. Security misconfiguration is one of the OWASP Top 10 application security vulnerabilities. The vulnerability was found in the Careers web application of Infosys, which can be accessed at https://careers.infosys.com/. When you open the careers site, you will see the title icon (favicon) is “SAP”. This suggests that the Infosys careers web application is built on top of SAP's recruiting module (the hrrcf_ prefix in the path below is the namespace SAP E-Recruiting uses for its Web Dynpro applications). The way I found that is the following: go to the job opportunities page and click on “Register”. You land on the registration page with the following link: https://careers.infosys.com/sap/bc/webdynpro/sap/hrrcf_a_candidate_registration Go ahead and strip hrrcf_a_candidate_registration from …
OWASP Security Misconfiguration Example from PayPal.com
The article presents some examples of OWASP security misconfiguration vulnerabilities that I could find by spending some time on the PayPal.com website. The article is educational only and is not written with any other intention. If you are from PayPal and reading this, please get it right. Accessing paypalobjects.com at https://www.paypalobjects.com/ reveals that it is hosted on an Apache server. Take a look at the picture below. It looks like the paypalobjects.com server hosts static resources such as CSS, JS and image files, as I could find several such resources linked with paypalobjects.com as the base URL. The Password Recovery Module seems to be using Spring Webflow …
OWASP Security Misconfiguration – Classic Example – 1
One of the OWASP Top 10 application security vulnerabilities is Security Misconfiguration. One of the most common ways to identify a security misconfiguration is to check whether error handling reveals stack traces or other overly informative error messages to users. I ran an automated scanner on this website, http://www.davrohini.org/, and got several URLs that revealed stack traces, including the following:
http://www.davrohini.org/user/users.jsp
http://www.davrohini.org/user/snews.jsp
http://www.davrohini.org/user/left.jsp
However, the most dangerous of the above is http://www.davrohini.org/user/left.jsp. Take a look at the screenshot below. Security Misconfiguration Example – Showing compilation errors Take a look at another diagram below that shows the information regarding the server, Apache Tomcat …
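The four excerpts above keep turning up the same kinds of indicator: a server banner (Apache, Apache Tomcat), a framework marker in a path or query string (the SAP Web Dynpro path, Spring Webflow), and a stack trace or JSP compilation error in a default error page. The script below is an added example, not code from any of these posts and not a capture from Upwork, Infosys, PayPal or davrohini.org: it applies those checks to constructed HTTP responses (the example.test URLs, headers, version strings and bodies are made up for the demonstration, and the signature regexes are my own choice, modelled on default Tomcat, Apache httpd, ASP.NET and PHP error output).

```python
"""Flag information-disclosure indicators in captured HTTP responses.
Added example; the sample responses below are constructed, not real captures."""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    url: str
    indicator: str
    evidence: str

# A product name alone ("Apache") is a fingerprint; a version number is worse.
VERSION_RE = re.compile(r"\b\d+(\.\d+){1,3}\b")

# Error-page and framework signatures searched in the response body.
BODY_PATTERNS = [
    ("java_stack_trace", re.compile(r"^\s*at [\w$.]+\([\w$]+\.java:\d+\)", re.M)),
    ("jsp_compile_error", re.compile(r"org\.apache\.jasper\.JasperException|Unable to compile class for JSP")),
    ("tomcat_version_footer", re.compile(r"Apache Tomcat/\d[\d.]*")),
    ("aspnet_error", re.compile(r"Server Error in '.*?' Application|System\.Web\.HttpException")),
    ("php_error", re.compile(r"\b(Fatal error|Warning):.*\bon line \d+", re.I)),
    ("directory_listing", re.compile(r"<title>Index of /|Directory Listing For /", re.I)),
]

# Framework markers that leak through the URL itself.
URL_PATTERNS = [
    ("spring_webflow_execution", re.compile(r"[?&]execution=e\d+s\d+")),
    ("sap_webdynpro_path", re.compile(r"/sap/bc/webdynpro/", re.I)),
]

def analyze_response(url, status, headers, body):
    """Return the Finding list for one response: header checks first, then
    body signatures, then URL markers, so the order of results is stable."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    if "server" in lower:
        kind = "server_header_with_version" if VERSION_RE.search(lower["server"]) else "server_header"
        findings.append(Finding(url, kind, lower["server"]))
    for h in ("x-powered-by", "x-aspnet-version"):  # exist only to advertise the stack
        if h in lower:
            findings.append(Finding(url, h.replace("-", "_"), lower[h]))
    # A 5xx status (the `status` argument) is not a disclosure by itself; only
    # what the error page contains is, so the body is checked regardless of status.
    for name, rx in BODY_PATTERNS:
        m = rx.search(body)
        if m:
            findings.append(Finding(url, name, m.group(0).strip()))
    for name, rx in URL_PATTERNS:
        m = rx.search(url)
        if m:
            findings.append(Finding(url, name, m.group(0)))
    return findings

def scan(responses):
    """Map each response's URL to its list of findings."""
    return {r["url"]: analyze_response(r["url"], r["status"], r["headers"], r["body"])
            for r in responses}

# Constructed sample responses (made up for this example; not real captures).
SAMPLE_RESPONSES = [
    {   # JSP that fails to compile: default Tomcat error page with trace and version footer
        "url": "http://example.test/user/left.jsp", "status": 500,
        "headers": {"Server": "Apache-Coyote/1.1"},
        "body": ("<h1>HTTP Status 500 - </h1>\n"
                 "<pre>org.apache.jasper.JasperException: Unable to compile class for JSP\n"
                 "\tat org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:92)\n"
                 "\tat org.apache.jasper.compiler.ErrorDispatcher.dispatch(ErrorDispatcher.java:330)\n"
                 "</pre><h3>Apache Tomcat/6.0.20</h3>"),
    },
    {   # generic banner and custom error handling: the only leak is the product name
        "url": "https://example.test/login", "status": 200,
        "headers": {"Server": "Apache"},
        "body": "<html><body>Welcome</body></html>",
    },
    {   # password-recovery flow exposing a Spring Web Flow execution key and a servlet banner
        "url": "https://example.test/recover?execution=e1s1", "status": 200,
        "headers": {"Server": "Apache", "X-Powered-By": "Servlet/2.5 JSP/2.1"},
        "body": "<form action='/recover?execution=e1s1'></form>",
    },
    {   # versioned banner plus an autoindex listing of a static directory
        "url": "https://example.test/static/", "status": 200,
        "headers": {"Server": "Apache/2.2.15 (CentOS)"},
        "body": "<html><head><title>Index of /static</title></head></html>",
    },
]

if __name__ == "__main__":
    for url, found in scan(SAMPLE_RESPONSES).items():
        print(url, "-> clean" if not found else "->")
        for f in found:
            print(f"    [{f.indicator}] {f.evidence}")
```

Two caveats a practitioner would add. First, a clean result only means none of these signatures appeared; it does not prove the error handling is safe, so the fix is on the server side: a catch-all `<error-page>` mapping in Tomcat's web.xml so that exceptions never render the default page, and on Apache httpd `ServerTokens Prod`, `ServerSignature Off` and `Options -Indexes` for the banner and directory-listing findings. Second, feeding real responses into this check means sending requests to someone else's server, which (as the posts above note about intent) needs authorization before it is done.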
I found it very helpful. However, the differences are not too understandable for me.