February 17, 2019

OWASP Security Misconfiguration Attacks


 source: labs.ripe.net

Security misconfiguration most often comes from an application's default settings being left in place, and it can occur at any level of the stack: the web server, the application server, the database server, the frameworks and the custom code on top of them.

Many servers ship with unnecessary default files, sample applications, configuration files, scripts, plugins and web pages, or with a default setup that was never hardened. Such flaws give an attacker unauthorized access to system data such as credentials, let them gain privilege through a default username and password, or let them browse directories to reach sensitive files. Some examples:

1)      Directory listing is not disabled on the server
-          This misconfiguration lets an attacker enumerate every file under the exposed web directory. They may find compiled Java classes, which can be downloaded and decompiled or reverse engineered to recover the application's source code, or configuration files that hold credentials.
2)      The application server's admin console is installed by default and never removed.
-          An attacker can reach the console at its default path and, if the default credentials were never changed, log in and take control of the server.
3)      The application server ships with a bunch of sample applications that are not removed.
-          Attackers check those sample applications for well-known security flaws, because they are rarely patched and are a convenient way to compromise the server.

We can understand the first case practically by finding an exposed directory listing in the Mutillidae web application.

So let's launch the web application and configure Burp Suite as your browser's proxy. Make sure Intercept is turned off, so requests pass straight through and are recorded in the site map instead of being held.

Then browse to the home page of the Mutillidae web application from your browser.


After the page has loaded, open Burp Suite's Target tab and click Site map.


The site map gives us the directory hierarchy of the Mutillidae web application. Now let's find an interesting branch; in this case I am going to explore the 'includes' directory.
Right-click the 'includes' folder and choose 'Spider this branch'.

  
Return to the browser and append includes/ to the application URL.

Example:
172.16.2.172/mutillidae/includes/


Bingo!! The server answers with a directory listing for includes/, and it contains the database configuration file. Reading it gives us the database host and the DB credentials. Two things went wrong here: the server was allowed to generate an index for a directory without an index page, and a file holding secrets was placed inside the web root where it can be fetched raw. The fix is to disable listings (Options -Indexes in Apache, autoindex off; in nginx) and to keep include and configuration files outside the document root, or at least make sure the server never serves them as plain text.
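As an added example (not part of the original post, and not Mutillidae's own code), the following Python script does offline what the Burp walkthrough above does by hand: it recognises a server-generated directory index, extracts the listed entries, and flags the ones an attacker would read first. The sample HTML embedded in it is constructed to mimic an Apache autoindex page for /mutillidae/includes/; the entry names in it, including the .inc extension on the database config file, are assumptions. fetch_and_check() runs the same check against a live URL in a lab you own.

```python
"""Detect directory listings and flag sensitive files in them.

Added example, not code from the original post or from Mutillidae. The
constructed SAMPLE_LISTING below imitates an Apache mod_autoindex page;
its file names are assumptions made for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# Markers that the common web servers put in an auto-generated index page.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s+/", re.I),       # Apache mod_autoindex, nginx
    re.compile(r"Directory Listing\s+For\s+/", re.I),  # Tomcat DefaultServlet
    re.compile(r"Parent Directory", re.I),
)

# Names and extensions that usually mean credentials, backups or source leakage.
SENSITIVE = re.compile(
    r"(config|settings|credential|secret|password|database|db)[^/]*\."
    r"(php|inc|ini|xml|json|yml|yaml|env|txt)$"
    r"|\.(bak|old|orig|swp|sql|zip|tar\.gz|class|jar)$"
    r"|^\.(env|git|htpasswd)$",
    re.I,
)


class _LinkCollector(HTMLParser):
    """Collect href targets from anchors; autoindex pages link every entry."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html: str) -> bool:
    """True if the page looks like a server-generated directory index."""
    return any(m.search(html) for m in LISTING_MARKERS)


def listed_entries(html: str) -> list:
    """Entry names from an index page, minus sort links, parent dir and absolute links."""
    collector = _LinkCollector()
    collector.feed(html)
    entries = []
    for href in collector.hrefs:
        if href.startswith(("?", "/", "#", "http://", "https://")):
            continue  # column-sort links, parent directory, external links
        if href in ("../", ".."):
            continue
        entries.append(href)
    return entries


def sensitive_entries(entries) -> list:
    """Subset of entries whose names suggest config, backup or source leakage."""
    return [e for e in entries if SENSITIVE.search(e)]


def check_listing(html: str) -> dict:
    """One-shot assessment of a response body."""
    if not is_directory_listing(html):
        return {"listing": False, "entries": [], "sensitive": []}
    entries = listed_entries(html)
    return {"listing": True, "entries": entries, "sensitive": sensitive_entries(entries)}


def fetch_and_check(url: str, timeout: float = 5.0) -> dict:
    """Fetch a URL (only against a lab target you own) and assess the body."""
    req = Request(url, headers={"User-Agent": "dirlist-check/0.1"})
    with urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return check_listing(body)


# Constructed sample: what an Apache autoindex page for /mutillidae/includes/
# might look like. The entry names are illustrative assumptions.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /mutillidae/includes</title></head>
<body><h1>Index of /mutillidae/includes</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/mutillidae/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="database-config.inc">database-config.inc</a></td><td>2019-02-17 10:00</td></tr>
<tr><td><a href="header.php">header.php</a></td><td>2019-02-17 10:00</td></tr>
<tr><td><a href="footer.php">footer.php</a></td><td>2019-02-17 10:00</td></tr>
<tr><td><a href="backup.sql">backup.sql</a></td><td>2019-02-17 10:00</td></tr>
</table></body></html>
"""

if __name__ == "__main__":
    result = check_listing(SAMPLE_LISTING)
    print("directory listing:", result["listing"])
    print("entries:", result["entries"])
    print("sensitive:", result["sensitive"])
```

Run it as-is to see the constructed sample assessed; against a lab, call fetch_and_check("http://172.16.2.172/mutillidae/includes/") with your own target address. Anything it reports under "sensitive" is a candidate for the credential-leak shown in the walkthrough, and a "listing: True" on any directory is itself a finding even when nothing sensitive is listed yet.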


You can explore other directories and links after spidering, and please let me know in the comment section below if you have any further doubts about this.

Thank you and happy hacking!!
