Modern web applications can be enormously complex on the backend, comprising many different services including caching, databases, queue management, load balancers, proxy servers, and analytics tools. A recent set of hacks by British white hat security researcher James Kettle shows how prevalent misconfiguration of these components is and how easy it is to take advantage of poorly configured services to compromise web applications.
As server hosting users and system administrators, we often focus on security vulnerabilities caused by flaws in code, but poor configuration and insecure network design are just as serious a risk.
Kettle examined web applications and sites running on enterprise and government domains. Using home-grown hacking tools he was able to compromise many of the services and in some cases move deeper into the organization’s networks.
“People are basically just plopping down really complex servers to do caching, analytics, and loads of fancy complex functionality in front of their Web server without much thought as to whether these features might carry risks.”
Eventually, Kettle managed to compromise 70 servers, earning a handsome bug bounty in the process. Vulnerable web backend services are great for bug bounty hunters, but they’re not so great for users or businesses.
It’s not difficult to understand how so many backend services end up vulnerable. It’s deceptively easy to deploy Redis, MongoDB, and any number of other services without really understanding what you’re doing. The service will work perfectly well, but a minor configuration error is all it takes for a smart and motivated hacker to find their way in.
MongoDB is a case in point. A popular NoSQL database, MongoDB is trivially easy to set up using the default configuration. Unfortunately, the default configuration is intended to make testing easy, and not for production use.
There are now thousands of MongoDB servers storing sensitive data that accept connections from anyone who can find them. We could debate how sensible it is to have insecure defaults, but the creators of MongoDB and expert users argue persuasively that anyone who knows what they are doing understands the situation, and anyone who doesn’t know what they are doing shouldn’t be building web applications.
What lessons should server hosting clients take from Kettle’s efforts? Most importantly, make sure you understand the services that support your web applications. If you don’t fully understand them, hire someone who does or take advantage of a managed security service. When architecting web applications, ensure that databases are configured so that they can only be accessed by the application, and not by anyone who happens to know the IP address.
The best architectures are segmented, with multiple distinct networks that prevent access both from the open internet and from other parts of the application, limiting what a hacker can do if they do manage to penetrate one part of the network. Intelligent, segmented network design is within the reach of any web application developer who uses an advanced cloud server platform.
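As an added illustration of the MongoDB point above and of the advice to make a database reachable only by its application (this is example code written for this post, not anything from the article, from Kettle’s research, or from the MongoDB project), the script below audits a `mongod.conf` for the two settings that most often survive from a test deployment: a listening address of `0.0.0.0` (or `bindIpAll: true`), and access control left off (`security.authorization` not set to `enabled`). Both sample configuration files are constructed here; the private address `10.0.1.5` stands in for an application-subnet interface and is an assumption, not a value from the article.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a mongod.conf for
# test-style defaults that expose the database. Sample files are constructed.

# audit_mongod_conf FILE -> prints findings; returns 0 if hardened, 1 otherwise
audit_mongod_conf() {
    conf="$1"
    status=0
    # net.bindIp / net.bindIpAll: 0.0.0.0 or bindIpAll: true listens on every
    # interface, so anyone who can route to the host can reach the database.
    if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$conf" || \
       grep -Eq '^[[:space:]]*bindIp:.*0\.0\.0\.0' "$conf"; then
        echo "FINDING: $conf listens on all interfaces (net.bindIp / net.bindIpAll)"
        status=1
    fi
    # security.authorization: unless it is 'enabled', any client that reaches
    # the port can read and write every database without credentials.
    if ! grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled' "$conf"; then
        echo "FINDING: $conf does not enable access control (security.authorization)"
        status=1
    fi
    return $status
}

# Constructed sample configurations written to a temporary directory.
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/mongod-weak.conf"
HARDENED_CONF="$SAMPLE_DIR/mongod-hardened.conf"

# Weak: reachable from every network the host sits on, no authentication.
cat > "$WEAK_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
EOF

# Hardened: loopback plus the application subnet address only (10.0.1.5 is an
# assumed address for the example), and access control switched on.
cat > "$HARDENED_CONF" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.5
security:
  authorization: enabled
EOF

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if audit_mongod_conf "$f"; then
        echo "OK: $f passes the audit"
    else
        echo "NEEDS WORK: $f"
    fi
done
```

The address restriction only limits which interfaces the daemon listens on; it is not a substitute for the host firewall and the network segmentation the article recommends, which should additionally prevent anything other than the application tier from reaching port 27017.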