O'Reilly logo

Securing Node Applications by Chetan Karande

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Chapter 5. Security Misconfiguration

Security misconfiguration risk encompasses a broad category of configuration issues originated at any level of an application stack, including OS, network, application server, database, framework, or the application code itself.

Depending on the misconfiguration, the impact of vulnerability could range from an attacker identifying the platform and frameworks used to build the app to gaining a full control of the enterprise network and the application server.

As published in the HPE Cyber Risk Report 2016, Figure 5-1 shows the most commonly found vulnerabilities by analyzing more than 7,000 web applications. Incidentally, most of these vulnerabilities could be attributed to the security misconfiguration issues.

snap 0501
Figure 5-1. Top 10 most commonly occurring vulnerabilities from the data sample used for the HPE Cyber Risk Report 2016

This chapter covers related attack mechanics and ways to protect against them in Node applications.

Attack Mechanics

There are a variety of attack mechanics to exploit security misconfiguration, each affecting distinct attack surfaces. The subsections that follow present some examples.

Attacks from Browsers

An attacker can exploit the following security misconfigurations by using a browser or a browser-equivalent tool:

  • Any server configuration information leaked to the browser aids an attacker to build the security ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required