Disable default configuration to prevent unauthorized access and information leakage.
import play.api._
import play.api.mvc._

object Application extends Controller {
  // Serves the stock Play welcome page at the root URL
  def index = Action {
    Ok(views.html.index("Your new application is ready."))
  }
}
The above code represents a default controller action in a Scala backend application using the Play framework. The index action is configured to respond to HTTP GET requests with the default "Your new application is ready." message. This is typically the default configuration for a new Play application.
This code is vulnerable because it exposes the default page of the server. Any user, including potential attackers, can access this page and gain technical information about the server. For instance, the default page might disclose information about the underlying technology stack, server configuration, or even clues about potential security weaknesses.
This information can be used by an attacker to craft more specific and effective attacks. For instance, knowing the server uses the Play framework, an attacker might look for known vulnerabilities in the specific version of Play being used, or exploit characteristics of Scala or Play that may not be properly secured.
In addition, the presence of a default page might suggest to an attacker that the server is not fully configured or properly maintained, which might encourage further attacks.
import play.api._
import play.api.mvc._

object Application extends Controller {
  // Serves an application-specific page that carries no details about the stack
  def index = Action {
    Ok(views.html.custom("Welcome to our application."))
  }
}
The above code is a fixed version of the original vulnerable code. The vulnerability was that the default page of the server was enabled and was providing technical information about the server, which an attacker could use to gain insights about it.
In the fixed code, the default page has been replaced with a custom page. The index function now returns a custom view instead of the default view. The custom view is named custom and is passed the string "Welcome to our application." This string is a simple welcome message and does not reveal any technical information about the server.
This fix ensures that when a user accesses the root URL of the server, they are presented with a custom page that does not reveal any sensitive information. This effectively mitigates the vulnerability.
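A regression test that locks the fix in place, added here as an example and not taken from the page or from Play itself. It assumes Play's test helpers (play.api.test) with specs2, and that the views.html.custom template referenced above exists in the project.

```scala
// Added example (not from the original page): a functional test that fails
// if the root URL ever serves the stock Play welcome page again.
import org.specs2.mutable.Specification
import play.api.test._
import play.api.test.Helpers._

class ApplicationSpec extends Specification {

  // Text of the stock Play welcome page; if it shows up in the response,
  // the default page is still being served.
  val DefaultPageMarker = "Your new application is ready."

  "Application.index" should {

    "serve the custom page instead of the Play default page" in new WithApplication {
      // Drive the controller action directly with a fake GET / request
      val result = Application.index(FakeRequest(GET, "/"))
      val body = contentAsString(result)

      status(result) must equalTo(OK)
      // The application's own welcome text is present ...
      body.contains("Welcome to our application.") must beTrue
      // ... and the framework default-page marker is not
      body.contains(DefaultPageMarker) must beFalse
    }
  }
}
```

Run it with the project's usual test command; it fails as soon as someone reverts index to the default views.html.index template.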