Entry #10 on the CWE/SANS Top 25 is CWE-311: Missing Encryption of Sensitive Data [1].
In a previous post [2] we discussed how we obtained command line access to the server. With that access we could have carried out any number of malicious activities, but our primary goal was to retrieve confidential customer information. Navigating around the server revealed that the LDAP and JDBC passwords were stored, unencrypted, in a plain properties file. We simply fired up a client and connected directly to the database with these credentials (remember that this was an internally deployed application, so these databases were reachable on the network). Once connected, we could see all of the organization's customer information, also unencrypted. Game over.
Several things should have been done to protect this application, and you can do the same to protect your own applications. The insecure configurations could have been addressed by doing the following:
- Implement a strong password policy. Don't use default credentials.
- Implement account lockout.
- Restrict access to or disable unnecessary administrative interfaces.
- Encrypt sensitive data including passwords and sensitive customer information.
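One way to implement the last item for a Java application like the one above, as an added example that is not part of the original post: each sensitive property value is encrypted with AES-GCM and the key is supplied out of band through an environment variable, so the properties file on disk never holds a usable password. The class name, the `APP_CONFIG_KEY` variable and the `ENC(...)` marker are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

// Encrypts individual property values with AES-GCM; the key never lives in the file.
public final class SealedProperties {
    private static final String PREFIX = "ENC(";  // marker for encrypted values (assumed convention)
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private final SecretKey key;
    SealedProperties(byte[] rawKey) { this.key = new SecretKeySpec(rawKey, "AES"); }
    // Reads a base64-encoded 16/24/32-byte AES key from an environment variable (assumed name).
    static SealedProperties fromEnvironment(String var) {
        String b64 = System.getenv(var);
        if (b64 == null) throw new IllegalStateException(var + " is not set");
        return new SealedProperties(Base64.getDecoder().decode(b64));
    }
    // Returns ENC(base64(iv || ciphertext || tag)); a fresh random IV is used for every value.
    String seal(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out) + ")";
    }
    // Decrypts an ENC(...) value; plain values pass through unchanged. Tampering fails the GCM tag check.
    String open(String value) throws Exception {
        if (value == null || !value.startsWith(PREFIX) || !value.endsWith(")")) return value;
        byte[] in = Base64.getDecoder().decode(value.substring(PREFIX.length(), value.length() - 1));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        return new String(c.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        SealedProperties sp = fromEnvironment("APP_CONFIG_KEY");
        Properties p = new Properties();
        p.setProperty("jdbc.password", sp.seal("constructed-sample-secret"));  // constructed value
        System.out.println(p.getProperty("jdbc.password"));  // ENC(...) ciphertext, safe to write to disk
        System.out.println(sp.open(p.getProperty("jdbc.password")));  // plaintext exists only in memory
    }
}
```

The properties file now contains only ciphertext, but the key must be protected in turn (injected at deploy time, held in an OS keystore or a secrets manager), otherwise the problem has merely moved.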
- [1] http://cwe.mitre.org/top25/#CWE-311
- [2] https://blogs.sans.org/appsecstreetfighter/2010/02/24/top-25-series-rank-9-os-command-injection/