Is Your Web App's Backend Vulnerable Because Of Misconfiguration?

June 21, 2017 in Security

Modern web applications can be enormously complex on the backend, comprising many different services including caches, databases, message queues, load balancers, proxy servers, and analytics tools. A recent series of attacks demonstrated by British white hat security researcher James Kettle shows how prevalent misconfiguration of these components is, and how easy it is to take advantage of poorly configured services to compromise the web applications sitting behind them.

As server hosting users and system administrators, we often focus on security vulnerabilities caused by flaws in code, but poor configuration and insecure network design are just as serious a risk.

Kettle examined web applications and sites running on enterprise and government domains. Using home-grown tooling he was able to compromise many of the services and, in some cases, move deeper into the organizations' internal networks.

“People are basically just plopping down really complex servers to do caching, analytics, and loads of fancy complex functionality in front of their Web server without much thought as to whether these features might carry risks.”

Eventually, Kettle managed to compromise 70 servers, earning a handsome bug bounty in the process. Vulnerable web backend services are great for bug bounty hunters, but they’re not so great for users or businesses.

It’s not difficult to understand how so many backend services end up vulnerable. It’s deceptively easy to deploy Redis, MongoDB, and any number of other services without really understanding what you’re doing. The service will work perfectly well, but a minor configuration error, such as a datastore listening on a public interface with authentication switched off, is all it takes for a smart and motivated attacker to find a way in.

MongoDB is a case in point. A popular NoSQL database, MongoDB is trivially easy to set up using the default configuration. Unfortunately, the default configuration is intended to make development and testing easy, not to be run in production: historically a stock mongod listened on every network interface and required no authentication at all. Both are one-line fixes in mongod.conf (set net.bindIp to the loopback or application-network address, and set security.authorization to enabled), but nothing forces an operator to make them.

There are now thousands of MongoDB servers storing sensitive data that accept connections from anyone who can find them. We could debate how sensible it is to ship insecure defaults, but the creators of MongoDB and expert users have argued that anyone who knows what they are doing understands the situation, and anyone who doesn’t know what they are doing shouldn’t be building web applications. Whichever side of that debate you take, the operational reality is that the person deploying the database has to check the configuration rather than trust it.

What lessons should server hosting clients take from Kettle’s efforts? Most importantly, make sure you understand the services that support your web applications. If you don’t fully understand them, hire someone who does or take advantage of a managed security service. When architecting web applications, ensure that databases and other backend services are bound to a private interface, require authentication, and are firewalled so that they can only be reached by the application tier, not by anyone who happens to know their IP address.

The best architectures are segmented, with multiple distinct networks that block access both from the open internet and from unrelated parts of the application, limiting what an attacker can reach if they do manage to penetrate one part of the network. Intelligent, segmented network design is within the reach of any web application developer that uses an advanced cloud server platform.
