Augustine Barlow
2-25-2017
1.1 Description of the problem:
Security Misconfiguration
In this Security Misconfiguration assignment, we elaborate on an example of security misconfiguration.
Security misconfiguration is one of the top risks for web applications; it may give attackers
unauthorized access to system data or functionality that should not be available. Such flaws
may result in a complete system compromise and the leak of sensitive data/information.
Security misconfiguration can happen at any level of an application stack, including the platform, web
server, application server, framework, operating system, database management system and custom code.
Developers and network administrators need to work together to ensure that the entire application
stack is configured properly and that only authenticated users have access to the system. To avoid this
situation, patches shall be applied across the entire stack as soon as they are applicable, and only the required
ports and services shall be enabled. Attackers use default accounts, unused pages, unpatched flaws,
unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
With the help of the example below, we can easily demonstrate how it works.
www.programmingassignmentshelp.net help@programmingassignmentshelp.net
After the information required to create a user has been provided, this page sends it to another
processing page in JSP which eventually creates the user in the database. Below is the code screenshot
for the same.
1.3 Result
Below is the screenshot of the user creation form in JSP. Once all the information required
to create a user in the system has been filled in, it is sent to the intermediate page, which processes the
information and submits it to the database.
The screenshot below shows the error message displayed on the screen. An attacker may use it to obtain
system configuration information.
The above can be used by an attacker to explore security loopholes in the various software/technology
stack components mentioned above and then attack them.
The complete application stack, including the web server, application server, database server and
network, shall be updated with the latest security patches.
Application server logging shall be configured in such a manner that a generic error
message is displayed instead of the full error stack trace.
This can be broken down further into two basic categories from the web end user's perspective.
An error message with too much detail (e.g. stack trace, SQL statement, etc.) is splashed onto the
screen.
An error message for a specific function varies depending on minor changes to the input,
enabling the user to determine exactly what error occurred (e.g. a different error message for a
bad username than for a good username with a bad password tells the attacker that the username is
valid).
2.3 Result
Another example of improper error handling is missing user input validation: invalid input is accepted and no error is raised on submission.
The above can be used by an attacker to explore security loopholes in the various software/technology
stack components mentioned above and then attack them. Also, as there is no validation of user input, an attacker can
easily create garbage in the system by providing wrong inputs.
If the error was caused by unexpected and likely malicious input, it may be appropriate to send the user
no error message other than a simple "could not process the request" response.
The details of the error and its cause should be recorded in a detailed diagnostic log for later analysis.
Do not allow the application to throw errors up to the application container, generally the web
application server.
Be sure that the container is properly configured to handle errors if you choose to let any errors
propagate up to it.
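The two error-message categories and the handling rules described above, as an added example that is not the assignment's own JSP code: a login servlet written against the javax.servlet API that returns one fixed message for any authentication failure and, when processing fails, logs the full stack trace under a reference id while showing the user only a generic response. The in-memory user store and the sample credentials are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.logging.*;
import javax.servlet.http.*;
public class LoginServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(LoginServlet.class.getName());
    // One message for every authentication failure, so the response does not
    // reveal whether the username exists (the second category in the text).
    static final String AUTH_FAILED = "Invalid username or password.";
    static final String GENERIC_ERROR = "Could not process the request.";
    // Constructed in-memory store (username -> SHA-256 of password) standing in for
    // the database; real deployments use a salted, slow hash such as PBKDF2.
    private final Map<String, byte[]> users = Map.of("alice", sha256("correct horse"));
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            String name = req.getParameter("username");
            String pass = req.getParameter("password");
            byte[] stored = users.get(name == null ? "" : name);
            // Hash and compare even for an unknown user, so an unknown name and a
            // wrong password take the same path and return the same text.
            byte[] given = sha256(pass == null ? "" : pass);
            boolean ok = stored != null && MessageDigest.isEqual(stored, given);
            if (!ok) {
                resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                resp.getWriter().println(AUTH_FAILED);
                return;
            }
            req.getSession(true).setAttribute("user", name);
            resp.sendRedirect(req.getContextPath() + "/home.jsp");
        } catch (Exception e) {
            // First category in the text: stack trace, SQL text and driver details
            // go to the server log under a reference id, never onto the page.
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "login error ref=" + ref, e);
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            resp.getWriter().println(GENERIC_ERROR + " Reference: " + ref);
        }
    }
    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Anything that still escapes the servlet is handled by the container if web.xml declares an `<error-page>` with `<exception-type>java.lang.Throwable</exception-type>` pointing at a generic page, which keeps the container's default stack-trace page off the screen.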
Changing password
Adding a Secondary Email ID
Various other Techniques
For attackers, the ideal situation involves a full-on CSRF strategy wherein weak websites and apps are used
as puppets to perform actions and gather specific details (such as entering a password, revealing answers to
security questions, inputting credit card details, bank account information, etc.).
Let's consider the reset password example of any web application. It can send sensitive information
to a malicious website if an attacker is able to modify the website.
Below is the code for the reset password page.
The code below redirects the request to another website where the user information is sent, and it can
be used by the attacker to gain access to the website. Once the user clicks the reset button, the request is redirected
to the attacker's website.
3.3 Result
Below is the screenshot of the login page.
Once the user clicks reset, the information is sent to the suspicious website and all of it
ends up with the attacker.
When the user clicks on the given hyperlink, they are redirected to the webpage below.
The use of a secret cookie: this will not work because all cookies related to the target website
are submitted as usual, as in a normal (legitimate) HTTP request.
Accept POST requests only: this will not work because attackers can deceive an end user into
submitting a forged POST request unknowingly.
URL rewriting: an incomplete solution, since some session information is included or exposed
in the URL.
Use of tokens.
Log out from web applications when you have finished using them.
Use the web browser safely, which means making sure not to save any login credentials in
the web browser.