Security misconfiguration risk encompasses a broad category of configuration issues originated at any level of an application stack, including OS, network, application server, database, framework, or the application code itself.
Depending on the misconfiguration, the impact of vulnerability could range from an attacker identifying the platform and frameworks used to build the app to gaining a full control of the enterprise network and the application server.
As published in the HPE Cyber Risk Report 2016, Figure 5-1 shows the most commonly found vulnerabilities by analyzing more than 7,000 web applications. Incidentally, most of these vulnerabilities could be attributed to the security misconfiguration issues.
This chapter covers related attack mechanics and ways to protect against them in Node applications.
There are a variety of attack mechanics to exploit security misconfiguration, each affecting distinct attack surfaces. The subsections that follow present some examples.
An attacker can exploit the following security misconfigurations by using a browser or a browser-equivalent tool:
Any server configuration information leaked to the browser aids an attacker to build the security ...