Web Development Security Misconfiguration

Programming Assignments Help
Web Development: Security

Misconfiguration
Computer Programming Assignment Help
Augustine Barlow
2-25-2017
1.1 Description of the problem:
Security Misconfiguration
In this Security Misconfiguration Assignment, we will elaborate the security misconfiguration example.
Security Misconfiguration is one of the top risks for web application that may give attackers
unauthorized access to some system data or functionality which shall not be made available. Such flaws
may result in a complete system compromise and leak of sensitive data/information.
Security misconfiguration can happen at any level of an application stack, including platform, web
server, application server, framework, operating system, database management and custom code.
Developers and network administrators need to work together to ensure that the entire application
stack is configured properly and only authenticated users have access to the system. To get rid of this
situation, patch shall be applied on the entire stack as and when it is applicable, and only the required
ports or services shall be enabled. Attacker accesses default accounts, unused pages, unpatched flaws,
unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
1.2 Techniques Used to test

We have used JSP to demonstrate the security misconfiguration on website. We have used Java script
and URL paramters to achieve this.
With the help of below example, we can easily demonstrate how it works.
First we have created a web page to create users in JSP.
www.programmingassignmentshelp.net help@programmingassignmentshelp.net
After providing the required information to create user, this page is sending information to another
processing page in JSP which will eventually create the user in database. Below is the code screen shot
for the same.
1.3 Result
Below is the screen shot of user creation form in JSP. Once all the information filled by which is required
to create user in system, this information will be sent to the intermediate page to process the
information and submit the same to database.
Below screen shot is showing the error message on the screen. It may be used by attacker to get the
system configuration information.
1.4 Evaluation of the result

What happened in above is that, system is showing a message if there is any error in code and it is having
sufficient information which can be used by attacker to get the information of system. From above
screen shot it is clear that this system is running on Tomcat 5.0.28 and pages are created using JSP. Now
an attacker can easily get the information on security loopholes of Tomcat 5.0.28 and can have access
to the system.
Above can be used by an attacker to explore the security loopholes in various softwares/technology
stack as mentioned above to attack.
1.5 Security misconfiguration Defend Mechanism

Possible solution of above mentioned problem is that:
The complete application stack including web server, application server, database server, and
network shall be updated with latest security patches.
Application server logging shall be configured in such a manner that it displays a generic error
message instead of full error stack trace.
Also read: Web Design and Development Assignment
2.1 Description of the Problem: Improper Error

Handling
Applications frequently generate error messages and display them to users. Many times these error
messages are quite useful to attackers, as they reveal implementation details or information that is
useful in exploiting a vulnerability.
This can be broken down further into two basic categories from the web end user perspective.
An error message with too much detail (eg. stack trace, sql statement, etc) is splashed onto the
screen.
An error message for a specific function varies depending on minor changes to the input
enabling the user to determine exactly what error occurred (eg. a different error message for a
bad username and a good username/bad password this tells the attacker the username is
valid.)

We have used JSP to demonstrate the security misconfiguration on website. We have used Java script
and URL parameters to achieve this.
With the help of below example, we can easily demonstrate how it works.
First we have created a web page to create users in JSP.
After providing the required information to create user, this page is sending information to another
processing page in JSP which will eventually create the user in database. Below is the code screen shot
for the same.
2.3 Result
Below is the screen shot of user creation form in JSP. Once all the information filled by which is required
to create user in system, this information will be sent to the intermediate page to process the
information and submit the same to database.
Below screen shot is showing the error message on the screen. It may be used by attacker to get the
system configuration information.
Another example of improper error handling is user input validation, no error thrown on submitting it.

What happened in above is that, system is showing a message if there is any error in code and it is having
sufficient information which can be used by attacker to get the information of system. From above
screen shot it is clear that this system is running on Tomcat 5.0.28 and pages are created using JSP. Now
an attacker can easily get the information on security loopholes of Tomcat 5.0.28 and can have access
to the system.
Above can be used by an attacker to explore the security loopholes in various softwares/technology
stack as mentioned above to attack. Also as there is no input validation on user data input, attacker can
easily create garbage in the system by providing wrong inputs.
2.5 Improper Error Handling defend mechanism

Use a standard exception handling mechanism like J2EE standard technique which are quite simple to
implement: configure an exception handler in the web.xml configuration file of web server, which
assures that application properly handles all types of processing errors. All error messages sent to the
user should contain as little detail as necessary to explain what happened.
If the error was caused by unexpected and likely malicious input, it may be appropriate to send the user
no error message other than a simple could not process the request response.
The details of the error and its cause should be recorded in a detailed diagnostic log for later analysis.
Do not allow the application to throw errors up to the application container, generally the web
application server.
Be sure that the container is properly configured to handle errors if you choose to let any errors
propagate up to it.
This is how you should manage XSS Attack Assignment.
3.1 Description of the Problem: CSRF

One of the most prevalent attacks from online scammers and spammers is the CSRF (Cross Site Request
Fogery), where users are manipulated into providing sensitive information through a forged website.
Attackers typically warn the user that their account has been suspended, their password has changed
or that other vital information has been compromised. In these cases, the user is panicked and submits
their information through the forged site.
The attacker typically tricks the victim into
Changing password
Adding a Secondary Email ID
Various other Techniques
For them, the ideal situation involves a full-on CSRF strategy wherein weak websites and apps are used
as puppets to perform and gather specific details (such as entering a password, revealing answers to
security questions, inputting credit card details, bank account information, etc.)

We have used PHP, Apache and MySQL to demonstrate the SQL Injection attack on website. We have
used SQL queries to pass and achieve the desired result.
Lets consider the reset password example of any web application. This can send sensitive information
to malicious website if attacker is able to modify the website.[ Read about Database Security
Assignment Help]
Below is the code for index.html
Below is the code for Reset password page.
Below code is redirecting request to some other website where user information is being sent and it can
be used by the attacker to get access of the website. Once user clicked on reset button it got redirected
to the attacker website.
3.3 Result
Below is the screen shot of login page.
Below is the screen shot of reset password page.
Once user clicks on reset, it will be sending the information to suspicious website and all the information
will be with attacker.
When user click on the hyperlink given it will be redirected to below webpage.

What happened in above is that, attacker got the access of reset password page and modified it so that
when user tries to reset the password, it will retrieve the user credentials and can use those credentials
for further access to the system. Also if user click on home reference, it may pass on the stolen
credentials to the attackers website.
Also read: Moscow Analysis Assignment
3.5 CSRF defend mechanism

There are many suggested prevention measures that can be implemented to mitigate CSRF attacks but
these are not complete solutions and leave room for the attack to still work. For example:
The use of a secret cookie This will not work because all cookies related to the target website
will be submitted as usual as in a normal (legitimate) HTTP request.
Accept POST requests only This will not worl because attackers can deceive an end-user to
submit a forged POST request unknowingly.
URL Rewriting An incomplete solution since some session information is included or exposed
in the URL.
Below are some of suggested methods to avoid CSRF:
Use of Tokens
Log out from web applications when they have finished using them.
Use the web browser with safety that means making sure not to save any login credentials on
the web browser.
Read more about Computer Programming Assignment help
Programming Assignments Help is the best assignment help provider in the United Kingdom.
Our online assignment writing help UK is especially dedicated for the students studying in all UK
colleges and universities. Submit assignment to get the best quality assignment help.

Web Development Security Misconfiguration

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Web Development Security Misconfiguration

Hochgeladen von

Copyright:

Verfügbare Formate

Programming Assignments Help

Web Development: Security

1.2 Techniques Used to test

First we have created a web page to create users in JSP.

1.4 Evaluation of the result

1.5 Security misconfiguration Defend Mechanism

Also read: Web Design and Development Assignment

2.1 Description of the Problem: Improper Error

2.2 Techniques Used to test

First we have created a web page to create users in JSP.

2.4 Evaluation of the result

2.5 Improper Error Handling defend mechanism

This is how you should manage XSS Attack Assignment.

3.1 Description of the Problem: CSRF

The attacker typically tricks the victim into

3.2 Techniques Used to test

Below is the code for index.html

Below is the screen shot of reset password page.

3.4 Evaluation of the result

Also read: Moscow Analysis Assignment

3.5 CSRF defend mechanism

Below are some of suggested methods to avoid CSRF:

Read more about Computer Programming Assignment help

Das könnte Ihnen auch gefallen