Setting up Security Best Practices

I. Enable the “ENABLE_DEBUG” profile at the site level so that the SQL (WHERE clause) is no longer included in any network call made for users who are not admins or developers.

Impact:

  • When the SQL appears in the JSON request body of an API call, an attacker learns how the application is built (fingerprinting) and, because the clause can be edited before the request is sent, can change the query the server executes. That is a direct path to SQL injection.

  • Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.

  • Error-based SQL injection is typically easy to exploit because the application returns verbose error information when a query fails, for example on a syntax error. An attacker can learn the exact query the database server executed and use that knowledge to craft malicious requests.
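The two behaviours described in the bullets above, side by side, as an added example (this is not code from the original page or from the product it documents): an endpoint that executes a WHERE clause taken from the JSON request body and echoes the database error, next to a hardened version that accepts structured filters, whitelists column names, binds values as parameters, pins the row owner server-side and returns only a generic error. The table, rows, filter whitelist and function names are assumptions constructed for this example, and sqlite3 stands in for the real database.

```python
import json
import sqlite3

# Constructed in-memory table standing in for the application's database.
# Table name, columns and rows are assumptions made for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, owner TEXT, amount REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", 10.0), (2, "bob", 250.0), (3, "alice", 42.5)])
    return db

def vulnerable_search(db, request_body, user):
    """The pattern the page warns about: the WHERE clause arrives in the JSON
    body, is concatenated into the query, and the raw database error (with the
    query) is returned to the client when it fails. `user` is never consulted,
    so the client decides whose rows it sees."""
    where = json.loads(request_body)["where"]
    query = f"SELECT id, amount FROM orders WHERE {where}"
    try:
        return {"rows": db.execute(query).fetchall()}
    except sqlite3.Error as exc:
        # Verbose error: leaks the exact query, the raw material for error-based SQLi.
        return {"error": f"{exc} in query: {query}"}

ALLOWED_FILTERS = {"id", "amount"}   # assumed whitelist of columns a client may filter on

def hardened_search(db, request_body, user):
    """Hardened form: the client sends column/value pairs, not SQL. Column names
    are checked against a whitelist, values are bound as parameters, the row
    owner is pinned to the authenticated user on the server side, and a failed
    query yields a generic message (the detail belongs in the server log)."""
    filters = json.loads(request_body).get("filters", {})
    if not isinstance(filters, dict):
        return {"error": "filters must be an object"}
    unknown = set(filters) - ALLOWED_FILTERS
    if unknown:
        return {"error": "unknown filter field"}
    clauses, params = ["owner = ?"], [user]
    for column in sorted(filters):          # column is whitelisted above
        clauses.append(f"{column} = ?")
        params.append(filters[column])
    query = "SELECT id, amount FROM orders WHERE " + " AND ".join(clauses)
    try:
        return {"rows": db.execute(query, params).fetchall()}
    except sqlite3.Error:
        return {"error": "internal error"}

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_search(db, '{"where": "1=1"}', "alice"))               # every user's rows
    print(vulnerable_search(db, '{"where": "owner = \'alice"}', "alice"))   # leaks the query
    print(hardened_search(db, '{"filters": {"amount": 42.5}}', "alice"))    # alice's rows only
```

Note that in the hardened version the client cannot filter on `owner` at all: the ownership constraint is added by the server from the authenticated identity, so tampering with the request body cannot widen the result set.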

Verification:

II. Weak password policy - Weak passwords are easily guessed and are an easy target for brute-force attacks, which compromises the security of the system.

Recommendation:

  • Passwords must be at least 8 characters in length.

  • Passwords must contain at least one character from each of the categories below:

    • At least 1 uppercase letter (A through Z).

    • At least 1 lowercase letter (a through z).

    • At least 1 base-10 digit (0 through 9).

    • At least 1 non-alphabetic character (for example @, $, #, %).

  • Passwords will expire every 60 day(s).

  • You can't use the last 1 password(s).
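The recommended policy, written out as a validator, as an added example (not code from the original page or from the product it documents). The limits are the ones listed above; "non-alphabetic character" is read here as a symbol rather than a digit, since a digit is already required separately. The function names and the way password history is passed in are assumptions made for this example.

```python
import string
from datetime import date

# Policy values taken from the recommendation above.
MIN_LENGTH = 8
MAX_AGE_DAYS = 60
HISTORY_SIZE = 1            # "You can't use the last 1 password(s)"

_UPPER = set(string.ascii_uppercase)
_LOWER = set(string.ascii_lowercase)
_DIGIT = set(string.digits)

def password_violations(password, history=()):
    """Return the list of policy rules the candidate password breaks; an empty
    list means it complies. `history` holds previously used passwords, oldest
    first (assumption for this example: a real system would compare against
    stored hashes rather than keep plaintext)."""
    problems = []
    chars = set(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not chars & _UPPER:
        problems.append("no uppercase letter")
    if not chars & _LOWER:
        problems.append("no lowercase letter")
    if not chars & _DIGIT:
        problems.append("no digit")
    # Interpreted as a symbol: anything that is neither a letter nor a digit.
    if not chars - _UPPER - _LOWER - _DIGIT:
        problems.append("no non-alphabetic character")
    recent = tuple(history)[-HISTORY_SIZE:] if HISTORY_SIZE else ()
    if password in recent:
        problems.append(f"reuses one of the last {HISTORY_SIZE} password(s)")
    return problems

def password_expired(last_changed, today=None):
    """True once the password has been in use for MAX_AGE_DAYS or more, i.e. the
    user must change it on the 60th day."""
    today = today or date.today()
    return (today - last_changed).days >= MAX_AGE_DAYS

if __name__ == "__main__":
    print(password_violations("Tr0ub4dor&3"))                     # []
    print(password_violations("password", history=("password",)))
    print(password_expired(date(2024, 1, 1), today=date(2024, 3, 1)))
```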

III. Enable the “Session time out” profile at the application level

Impact:

  • Session ID exposure through the URL - the URL of a GET request can be saved in the browser's history, passed to other web sites in the Referer header, stored in web server logs, or otherwise recorded elsewhere. If a GET request carries sensitive information such as usernames, passwords or session identifiers, an attacker who obtains it can use it to launch further attacks.
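What a session timeout does on the server side, and why the session identifier should be read from a cookie rather than the URL, as an added example (not code from the original page or from the product it documents). The idle and absolute limits, the cookie name and the class and function names are assumptions for this example; the product's profile sets its own values.

```python
import secrets
import time

# Timeout values are assumptions for this example.
IDLE_TIMEOUT = 15 * 60           # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60  # hard cap on a session's age, regardless of activity

class SessionStore:
    """Server-side session table with an idle timeout and an absolute lifetime.
    The clock is injectable so the expiry logic can be exercised without waiting."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user):
        # 256 bits of randomness: the identifier is the only secret tying the
        # browser to this record, so it must be unguessable.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Return the user bound to a live session, or None. An expired session
        is removed on the spot, so a stolen identifier cannot be replayed later."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if (now - record["last_seen"] > IDLE_TIMEOUT
                or now - record["created"] > ABSOLUTE_LIFETIME):
            del self._sessions[sid]
            return None
        record["last_seen"] = now    # activity extends the idle window only
        return record["user"]

def session_id_from_request(headers, query_params, cookie_name="SID"):
    """Take the session identifier from the Cookie header only. A copy in the
    query string is ignored and flagged, because a GET URL ends up in browser
    history, proxy and server logs and the Referer header sent to other sites."""
    sid = None
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name and value:
            sid = value
    leaked_in_url = cookie_name in query_params
    return sid, leaked_in_url

if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(store.resolve(sid))                                   # alice
    print(session_id_from_request({"Cookie": f"theme=dark; SID={sid}"}, {}))
```

The idle timeout is what the “Session time out” profile controls: a session that stops being used dies after a fixed quiet period, so an identifier captured from a log or a shared browser has a short useful life. The absolute lifetime is a second, independent cap so that a continuously replayed identifier cannot stay valid indefinitely.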

IV. Configure your web server to prevent information leakage about the server software

To hide the Tomcat version on error pages, add the following Valve to the Host element of your Apache Tomcat server.xml file:

   <Valve className="org.apache.catalina.valves.ErrorReportValve"
          showReport="false"
          showServerInfo="false"/>

Impact:

  • Disclosing the server software and its version gives an intruder a head start in fingerprinting the application and in looking up vulnerabilities known to affect that version.
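A check for the setting above, as an added example (not code from the original page or from the product it documents): it parses a Tomcat server.xml and reports, per Host, whether an ErrorReportValve is present with both showReport and showServerInfo set to "false" (both default to true in Tomcat when the attribute is absent, so a missing attribute is reported as a finding). The sample server.xml, host names and function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.ErrorReportValve"
REQUIRED = {"showReport": "false", "showServerInfo": "false"}

def audit_error_report_valves(server_xml_text):
    """For every <Host> in a Tomcat server.xml, return {host_name: [findings]}.
    An empty list means the Host carries a compliant ErrorReportValve."""
    root = ET.fromstring(server_xml_text)
    findings = {}
    for host in root.iter("Host"):
        name = host.get("name", "<unnamed>")
        valves = [v for v in host.findall("Valve") if v.get("className") == VALVE_CLASS]
        if not valves:
            findings[name] = ["ErrorReportValve not configured"]
            continue
        problems = []
        for attr, want in sorted(REQUIRED.items()):
            got = valves[0].get(attr)
            # Absent attribute falls back to Tomcat's default (true), so it counts as a finding.
            if got is None or got.lower() != want:
                problems.append(f'{attr} should be "{want}" (found {got!r})')
        findings[name] = problems
    return findings

# Constructed sample: one compliant Host, one without the valve, one half-configured.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
      <Host name="intranet.example" appBase="intranet">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"/>
      </Host>
      <Host name="legacy.example" appBase="legacy">
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for host, problems in audit_error_report_valves(SAMPLE_SERVER_XML).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Run it against the real file with `audit_error_report_valves(open("conf/server.xml").read())`; any Host that reports a finding still reveals the Tomcat version on its error pages.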
