A web developer is completing a new web application security checklist before releasing the application to production. The task of disabling unnecessary services is on the checklist. Which web application threat is being mitigated by this action?
A web developer is completing a new web application security checklist before releasing the application to production. The task of disabling unnecessary services is on the checklist. Which web application threat is being mitigated by this action?
Disabling unnecessary services in a web application primarily addresses the issue of security misconfiguration. Security misconfiguration involves improper configuration of the system, which can include running services that are not needed. These unnecessary services can present vulnerabilities that attackers may exploit. By ensuring only the essential services are active, the potential attack surface is minimized, thereby reducing the risk of exposing the application to threats arising from misconfigurations.
B is correct, key word is 'disabling'.
A & D can be eliminated as session hijacking and data breach still going to happen after hardening/ disabling unnecessary services I chose Broken Authentication, but it's not true. I read some articles. Example of broken authentication (https://avatao.com/blog-broken-access-control/) - it can still happen B seems right - if we don't disable configuration for directory listing, attacker can list the directory (https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration)
Answer B) Security Misconfigurations https://www.balbix.com/insights/security-misconfiguration-impact-examples-and-prevention/
This is application hardening..... so check for that human error of misconfiguring stuff.
not completly clear for me but after googleing cissp security missconfiguration all the articles refere to functions that should be disabled if not needed (no default config on). so B
B. 8 Examples of Security Misconfigurations 1- Sample Applications Vulnerability. ... 2- Directory Listing Vulnerability. ... 3- Error Message Vulnerability. ... 4- Default Privileges Vulnerability. ... 5- Unnecessary Features Vulnerability. ... 6- Improper Data Validation Vulnerability. ... 7- Unpublished URLs Vulnerability. ... 8- Out-of-date Software Vulnerability.
The web application threat being mitigated by disabling unnecessary services is: B. Security misconfiguration. Disabling unnecessary services helps reduce the attack surface of a web application by eliminating potential entry points for attackers. It helps ensure that only essential services are running, reducing the chances of security vulnerabilities arising from misconfigured or unpatched services. By disabling unnecessary services, the web developer minimizes the risk of security misconfigurations that could be exploited by attackers.
Why not A? The question is asking which application THREAT is being mitigated.. Session hijacking is the only threat listed.. Security misconfiguration is a vulnerability Broken access control is a vulnerability Sensitive data exposure is a risk..
Not sure but if configured properly then chances of session hijacking is less/minimized.
the purpose of "disabling unnecessary services" is to avoid vertical privilege escalation.
B is correct
C. Broken Access Controls is the correct answer. Broken access controls pertain to issues related to improper authorization and access permissions, which are often a key aspect of mitigating threats by disabling unnecessary services. However, B. Security misconfiguration in itself will not be an appropriate answer for the question. I see a lot of people selecting answer B. because they are looking at Chatgpt. Please don't blindly accept chatgpt answers, many of them are wrong and this is one of them.
Terrible question - my choice would be B and not really sure any of them are relevant.