Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
The primary recommendations are to establish all of the following:
- A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically (with different passwords used in each environment). This process should be automated to minimize the effort required to setup a new secure environment.
- A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. This needs to include all code libraries as well (see new A9).
- A strong application architecture that provides effective, secure separation between components.
- Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.
A5.1 Directory Transversal
This vulnerability exists when an application accepts direct object reference to a specific filename as an input parameter and then servers that file to the user. A malicious attacker can then traverse through arbitrary directories on the server to view files which would not normally be accessible, including sensitive files such as /etc/password.
A5.1.1 Preventing Directory Transversal
Implement ESAPI.validator:ESAPI.validator().isValidFileName(“context”, filename, false)