5.4.1.2 Development Vulnerabilities
A development vulnerability is defined as a vulnerability resulting from an error made in the software or hardware implementation of a satisfactory design. Development vulnerabilities are also termed implementation vulnerabilities. These vulnerabilities stem from flawed coding practices. They are not as hard to fix as design vulnerabilities, but one finds that development vulnerabilities are larger in number than design vulnerabilities, naturally because the human-error element is greater during the coding process than during the design process. To illustrate this point further, let us assume that the developer of a particular Web application has created a page for the application administrator. The page allows the administrator to perform certain administrative tasks in the Web application. The design specification, in this case, requires that only individuals with administrative credentials may perform the actions specified. However, if the developer implements this particular page so that it can be accessed without requiring authentication information from the individual, then it is a vulnerability that has been introduced through flawed application development. As one can infer, it is prudent to ensure that actions requiring special privileges have authentication and authorization checks performed at several levels, and that URL paths containing pages with special privileges are protected against access by any individual who merely knows or guesses the path. We will be exploring development vulnerabilities and protection strategies for the same in Part 3 of this topic.
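The administrator-page scenario above, written out as an added example (it is not code from this book): a servlet filter mapped to the privileged URL space enforces both an authentication check and an authorization check before the container reaches anything under /admin/*, and the servlet repeats the authorization check itself, which is the "checks at several levels" the text recommends. The session attribute names "user" and "roles", the role name "ADMIN", the /login path and the /admin/deleteUser action are all assumed conventions for the illustration, not part of any real application.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Layer 1: a filter mapped to the privileged URL space. Every request whose
// path falls under /admin/* must carry an authenticated session AND the admin
// role before the container hands it to any servlet or JSP in that path.
// FORWARD is included because the default (REQUEST only) would let another
// servlet forward into /admin/* without passing through this filter.
@WebFilter(urlPatterns = "/admin/*",
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD})
public class AdminAuthorizationFilter implements Filter {
    // Assumed conventions: the login code stores the user's name under the
    // session attribute "user" and a Set<String> of role names under "roles".
    static final String USER_ATTR = "user";
    static final String ROLES_ATTR = "roles";
    static final String ADMIN_ROLE = "ADMIN";

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Authentication: getSession(false) never creates a session, so an
        // anonymous request cannot be mistaken for a logged-in one.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        // Authorization: being logged in is not enough for /admin/*.
        if (!isAdmin(session)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @SuppressWarnings("unchecked")
    static boolean isAdmin(HttpSession session) {
        Object roles = session.getAttribute(ROLES_ATTR);
        return roles instanceof Set && ((Set<String>) roles).contains(ADMIN_ROLE);
    }
}

// Layer 2: the servlet behind the page repeats the check, so the privileged
// action is still refused if the filter mapping is ever lost (for example the
// servlet is remapped outside /admin/* in a later web.xml edit).
// Shown in the same file for brevity; in a project it lives in its own public
// class, mapped to /admin/deleteUser.
class DeleteUserServlet extends HttpServlet {
    // The flawed form the text describes would be this method with the two
    // lines of checking below removed: anyone who finds the URL can delete.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session == null || !AdminAuthorizationFilter.isAdmin(session)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = req.getParameter("user");
        // deleteUser(user) would be the application's own privileged operation
        // (assumed); the example only acknowledges the request.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The two checks are deliberately different: the first answers "who is this?" (no session, no access), the second answers "is this person allowed to do this?" (a logged-in ordinary user gets 403, not the admin page). Keeping the role test in a single static helper means the filter and the servlet cannot drift apart in what they consider an administrator.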
5.4.1.3 Configuration Vulnerabilities
A configuration vulnerability is defined as a vulnerability resulting from an error in the configuration and administration of a system or component. These are the vulnerabilities that stem from flawed configuration during the deployment of the application or during its maintenance. Configuration vulnerabilities are usually the easiest to fix, but they are also usually the most common. Let us explore this concept with the help of an illustration. A Java Web application is being deployed on an Apache Tomcat server. The Web application requires a Web server and a database for its operation. The personnel deploying the application on the Apache Tomcat server fail to change the vendor-supplied default credentials on the server, where the default username is tomcat and the default password is tomcat as well. This is a major security vulnerability: not only will users be able to access the application, but curious users will also find the server's management interface and will easily be able to gain control over the server and the other applications it hosts, because the administrator overlooked the vendor-supplied default credentials.
Patching errors or delays are also common configuration vulnerabilities. Exploit code is continually being written for Web server, application server, and database platforms. Failure to patch older, more vulnerable versions up to the latest versions leaves these vulnerabilities wide open for attackers to exploit. It is important to note here that although we will discuss a few configuration vulnerabilities, the core focus of this topic will be toward the identification and mitigation of design and development vulnerabilities.
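The default-credential problem above is one that can be checked for mechanically. The following is an added example, not code from this book or from the Tomcat project: a small audit that parses a tomcat-users.xml and flags the sample accounts Tomcat ships commented out in that file (tomcat/tomcat, both/tomcat, role1/tomcat), as well as empty passwords, passwords equal to the username, and short passwords. The XML document embedded in the code is a constructed sample for the demonstration; the role names in it and the 12-character length threshold are assumptions of the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class TomcatUsersAudit {
    // Sample accounts that Tomcat ships commented out in conf/tomcat-users.xml;
    // any of them left enabled is a vendor-supplied default credential.
    private static final Set<String> KNOWN_DEFAULTS = new HashSet<>(Arrays.asList(
            "tomcat:tomcat", "both:tomcat", "role1:tomcat"));
    private static final int MIN_PASSWORD_LENGTH = 12; // assumed policy value

    // Constructed sample file for the demonstration, not a real deployment.
    static final String SAMPLE = "<?xml version='1.0' encoding='UTF-8'?>\n"
            + "<tomcat-users>\n"
            + "  <role rolename=\"manager-gui\"/>\n"
            + "  <user username=\"tomcat\" password=\"tomcat\" roles=\"manager-gui\"/>\n"
            + "  <user username=\"deploy\" password=\"deploy\" roles=\"manager-script\"/>\n"
            + "  <user username=\"ops\" password=\"Q7v!k2Lp9#xR\" roles=\"manager-gui\"/>\n"
            + "</tomcat-users>\n";

    // Returns one finding per weak account; an empty list means nothing flagged.
    public static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // tomcat-users.xml needs no DTD, so refusing doctypes costs nothing and
        // rules out XXE if the file being audited is ever attacker-influenced.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        List<String> findings = new ArrayList<>();
        NodeList users = doc.getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            String name = u.getAttribute("username");
            String pass = u.getAttribute("password");
            String roles = u.getAttribute("roles");
            String where = " (roles=" + roles + ")";
            if (KNOWN_DEFAULTS.contains(name + ":" + pass)) {
                findings.add(name + ": vendor-supplied default credential" + where);
            } else if (pass.isEmpty()) {
                findings.add(name + ": empty password" + where);
            } else if (pass.equalsIgnoreCase(name)) {
                findings.add(name + ": password equals username" + where);
            } else if (pass.length() < MIN_PASSWORD_LENGTH) {
                findings.add(name + ": password shorter than " + MIN_PASSWORD_LENGTH + where);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (String finding : audit(SAMPLE)) {
            System.out.println("FINDING " + finding);
        }
    }
}
```

On the constructed sample, the tomcat account is reported as a vendor default and the deploy account as password-equals-username, while ops passes. The length test only makes sense when the file stores cleartext passwords; if the realm is configured to store digests instead, that branch will flag nothing useful and the check belongs at the point where the password is set.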
5.4.2 Common Web Application Vulnerabilities
The requirement for Web application security started receiving a lot of attention after high-profile attacks on several popular Web applications all over the world. As the rule of risk goes, threats identify and exploit vulnerabilities in the system to cause a breach of confidentiality, integrity, and/or availability. There are certain common Web application vulnerabilities and exploits that plague