
Enabled default configuration

Need

Disabling default configurations to prevent unauthorized access and information disclosure

Context

  • Usage of Java for building robust and scalable applications
  • Usage of javax.servlet for building Java web applications with servlets
  • Usage of java.io for input and output operations in Java

Description

Non-compliant code

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

// Mapped to the application's default URL pattern, so any request that matches
// nothing more specific is answered by this servlet.
public class DefaultServlet extends HttpServlet {
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        // Sent to every client that reaches the default page, authenticated or not.
        out.println("<h1>Welcome to the default page!</h1>");
        out.println("<p>This page displays information about the server.</p>");
    }
}

In the code above, DefaultServlet extends HttpServlet and is mapped to the web application's default URL pattern. When a user or an attacker requests that URL, doGet is invoked and writes a response containing information about the server back to the client.

The vulnerability is that the default page is enabled and reachable by everyone. It displays technical information about the server, which an attacker can use to understand the server's configuration and potentially exploit it.

An attacker could use this information to launch targeted attacks against the server. For example, if the server is running a version of software that is known to have specific vulnerabilities, the attacker could exploit those vulnerabilities to compromise the server.

In addition, the default page could also leak sensitive information such as internal IP addresses, file paths, or other details that should not be publicly accessible.

In summary, the default configuration of this server is vulnerable because it exposes a page that provides potentially sensitive information about the server's configuration. This information could be used by an attacker to launch targeted attacks against the server.

Steps

  • Disable or remove the default servlet
  • Implement a custom error page
  • Configure the server to restrict access to sensitive information

Compliant code

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

// Replaces the default servlet; the response contains no detail about the server.
public class CustomServlet extends HttpServlet {
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        out.println("<h1>Welcome to the custom page!</h1>");
        out.println("<p>This page does not display any sensitive server information.</p>");
    }
}

The above code is a fixed version of the original vulnerable code. The default servlet has been replaced with a custom servlet that does not display any sensitive server information.

The doGet method is overridden to provide a custom response to the client. The response consists of a welcome message and a statement that no sensitive server information is displayed. This ensures that an attacker cannot gain any technical information about the server from this page.

In addition to this code change, configure the server so that access to sensitive information is restricted. This is done in the server's configuration rather than in application code.

Furthermore, consider implementing a custom error page to handle any errors that occur. This can prevent the server's default error page, which may contain sensitive information, from being displayed to the user.
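The custom error page named in the Steps list and in the paragraph above, as an added example that is not part of the original page: a servlet that replaces the container's default error report (which can include the server version, a stack trace and file paths) with a generic message, while the full detail is written only to the server log. The class name, the /error path, the logger and the web.xml registration are assumptions for this example.

```java
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Assumed registration in WEB-INF/web.xml (Servlet 3.0+): an <error-page> with only a
// <location> is the application-wide default error page, so the container's own error
// report (server version, stack trace, file paths) is never sent to the client:
//   <error-page><location>/error</location></error-page>
@WebServlet("/error")
public class ErrorPageServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(ErrorPageServlet.class.getName());
    // service() rather than doGet(): the error page must answer whatever method failed.
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The container sets these request attributes before forwarding to the error page.
        Integer status = (Integer) request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        Throwable cause = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
        String uri = (String) request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
        int code = status == null ? HttpServletResponse.SC_INTERNAL_SERVER_ERROR : status;
        // Full detail goes to the server log under a reference id; the client only gets the id.
        String reference = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "error " + reference + " status=" + code + " uri=" + uri, cause);
        response.setStatus(code);
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.println("<h1>" + publicMessage(code) + "</h1>");
        out.println("<p>Reference: " + reference + "</p>");
    }

    // Generic wording per status class; never echoes the exception message or request path.
    static String publicMessage(int code) {
        switch (code) {
            case HttpServletResponse.SC_NOT_FOUND: return "Page not found";
            case HttpServletResponse.SC_UNAUTHORIZED:
            case HttpServletResponse.SC_FORBIDDEN: return "Access denied";
            default: return "Something went wrong";
        }
    }
}
```

A client that triggers a 500 now sees only "Something went wrong" and a reference id; the exception, class names and paths stay in the log where an operator can look them up by that id.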

By making these changes, you can significantly reduce the risk of an attacker gaining access to sensitive server information.
