Server Tier: Security of the server, the frameworks and web content.

Web Application Security 101 - 10 Server Tier


DESCRIPTION

In part 10 of Web Application Security 101 we explore the various issues that affect the server tier, such as default files, default configuration, misconfigured or insecure servers, and more.


Page 1: Web Application Security 101 - 10 Server Tier

Server Tier

Security of the server, the frameworks and web content.

Page 2

Types Of Concerns

Server Patching

Default Features

Extra Applications

Old Code And Backups

Page 3

Server Patching

Front-end and back-end servers must be fully patched.

Page 4

Default Features

Some web servers may come with default functionality, which may need to be removed or restricted to authorized personnel only.

Tomcat - /manager, etc.

JBoss - /jmx-console, etc.

Apache - /server-status, etc.

Page 5

Extra Applications

Default server installations may come with built-in applications.

PhpMyAdmin, Django Admin, etc.

Page 6

Old Code And Backups

There could be old code and backups inside the application root folder.

File prefixes: ~, ., etc.

File suffixes: ~, .bck, .bac, .back, .tar.gz, .tar.bz2, etc.
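As an added example (not part of the original slides), the following audit script walks a document root on the server itself and flags files matching the prefixes and suffixes listed above, so leftover backups can be removed before they are served. The allow-list of intentional dotfiles and the sample web root are assumptions made for the demonstration.

```python
import os
import tempfile

# Patterns from the slide: editor/backup leftovers that should not live inside
# a served document root. The "." prefix also catches dotfiles such as .git or
# .env; list the dotfiles you intentionally ship in ALLOWED_DOTFILES (assumed).
BACKUP_PREFIXES = ("~", ".")
BACKUP_SUFFIXES = ("~", ".bck", ".bac", ".back", ".tar.gz", ".tar.bz2")
ALLOWED_DOTFILES = {".htaccess"}  # assumption for this example


def is_backup_artifact(name):
    """Return True if a bare filename looks like an old-code or backup leftover."""
    if name in ALLOWED_DOTFILES:
        return False
    if name.startswith(BACKUP_PREFIXES):
        return True
    return name.lower().endswith(BACKUP_SUFFIXES)


def find_backup_artifacts(webroot):
    """Walk a document root; return sorted relative paths of suspicious files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for fname in filenames:
            if is_backup_artifact(fname):
                rel = os.path.relpath(os.path.join(dirpath, fname), webroot)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def demo():
    """Constructed sample web root (temporary directory) to exercise the check."""
    root = tempfile.mkdtemp()
    sample = ["index.php", "index.php~", ".index.php.swp", "config.php.bac",
              "site.tar.gz", ".htaccess", "img/logo.png", "img/logo.png.back"]
    for rel in sample:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return find_backup_artifacts(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against the real document root (for example `find_backup_artifacts("/var/www/html")`) as part of a deployment check, and treat every hit as a file to delete or move outside the served tree.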

Page 7

Lab

Let's see if we can find some of these problems.