Practical Web Penetration Testing

by Gus Khawaja
June 2018
Intermediate to advanced
294 pages
7h 5m
English
Packt Publishing
Content preview from Practical Web Penetration Testing

6 – Security Misconfiguration

This flaw is due to an insecure configuration on any of the servers (web, web service, or database). It covers the infrastructure, not only the application-level configuration. As an application security expert, you need to check security at both the infrastructure level and the application level. The following questions give some ideas about where to look for this issue:

  • Are any of the production servers (web, web service, or database) missing any patches?
  • Do any of the production servers (web, web service, or database) have insecure default settings (for example, default credentials)?
  • Are any unnecessary services enabled on any of the servers?
  • Is the application using default error messages that ...

ISBN: 9781788624039