What is Security Misconfiguration?
Improper server or web application configuration that leads to a range of flaws, for example:
- Debugging enabled
- Incorrect folder permissions
- Using default accounts or passwords
- Setup/Configuration pages enabled
All of your data could be stolen or modified, possibly slowly over a long period of time.
Current application security architectures are not secure by default. On the contrary, programmers must explicitly apply security measures to prevent access to private or confidential resources.
Security Misconfiguration examples
Example #1: The app server admin console is automatically installed and not removed
Default accounts are not changed.
Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.
Example #2: Directory listing is not disabled on your server
Attacker discovers they can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which they decompile and reverse engineer to get all your custom code. They then find a serious access control flaw in your application.
Example #3: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws
Attackers love the extra information error messages provide.
Example #4: App server comes with sample applications that are not removed from your production server
These sample applications have well-known security flaws attackers can use to compromise your server.
How to prevent Security Misconfiguration
Apply the principle of least privilege: everything off by default.
- Disable administration interfaces
- Disable debugging
- Disable use of default accounts/passwords
- Configure the server to prevent unauthorized access, directory listing, etc.
- Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches
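As an added illustration of the "everything off by default" checklist above (not taken from the Hdiv documentation), the following Spring Boot application.properties fragment places a development-style configuration beside its hardened production counterpart; the keys are standard Spring Boot properties, and which ones apply depends on the starters your application uses.

```properties
# --- Weak (development-style) settings, each mapped to an item in the checklist above ---
# These lines are commented out so the file as a whole stays safe to deploy.
# debug=true                                     verbose debug logging left on (Disable debugging)
# server.error.include-stacktrace=always         stack traces returned to users (Example #3)
# server.error.include-message=always
# management.endpoints.web.exposure.include=*    every actuator/admin endpoint exposed (Example #1)
# spring.h2.console.enabled=true                 dev console shipped to production (Example #4)
# spring.devtools.restart.enabled=true

# --- Hardened production settings ---
debug=false
trace=false
# Do not leak stack traces, exception class names, messages or binding errors in error responses
server.error.include-stacktrace=never
server.error.include-message=never
server.error.include-binding-errors=never
server.error.include-exception=false
# Expose only the health endpoint over HTTP and hide its details from anonymous callers
management.endpoints.web.exposure.include=health
management.endpoint.health.show-details=never
# Disable embedded dev consoles and hot-reload tooling that have no place on a production server
spring.h2.console.enabled=false
spring.devtools.restart.enabled=false
spring.devtools.livereload.enabled=false
# Keep session ids in cookies only, so they are not written into URLs, logs or Referer headers
server.servlet.session.tracking-modes=cookie
```

Directory listing (Example #2) is not a Spring Boot property: on a standalone Tomcat it is controlled by the `listings` init-param of the DefaultServlet in conf/web.xml, which should remain `false`.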
How Hdiv protects against A5 risk
Risk Partially Covered
Hdiv flow control reinforces any existing ACL system, preventing an attempt to access invalid resources.
- Common application misconfigurations
- Spring escape
The information flow control system implemented by Hdiv controls the resources (links and forms) exposed by the application and prevents clients from breaking the contract originally published by the server. In other words, even when the programmer does not use an access control system or ACL (Java EE or Spring Security), Hdiv is able to determine which resources are legitimately accessible to each user.