If you serve an expired certificate with a valid unexpired certificate, visitors might start to expect the invalid certificate error message presented by the user agent. An attacker can take advantage of this complacency and trick user into accepting an invalid certificate of their own, and set the victim up for a man-in-the-middle attack.

Credential theft can result from:
1. A weak encoding scheme used by the HTTP Basic authentication to encode user credentials. Base64 encoded text can be easily decoded to access the original information.
2. Using HTTP Basic authentication over an insecure channel. Attackers can intercept the traffic and access user credentials.

Severe information disclosure vulnerabilities can occur when the following file categories are left unprotected on the server:
- Password files
- User data files
- Database files
- Application management files
- Installation and setup files

Example 1:Successful enumeration of any of these files indicates a severe information disclosure vulnerability password.dbf, password.lst, admin.pw, customers.dbf, user.dat, site_mgmt.html, admin.conf

Failure to specify a Content-Type header in the HTTP response can expose the application to cross-site scripting vulnerabilities by:

Content Sniffing Mismatch:
Failure to explicitly specify the type of the content served by the requested resource can enable attackers to conduct cross-site ccripting attacks by exploiting the browser's inconsistent content sniffing techniques.
The Content-Type header is used by:
- The web server to dictate how the user agent interprets the requested resource. In the absence of this header, the browser depends on content sniffing algorithms to guess the type of content and render or interpret it accordingly.
- File upload filters to discard file types not allowed by the application. In the absence of a Content-Type header, the file upload filter relies on the file extension or the content of the file to detect and store an appropriate MIME type for the uploaded file.
The lack of explicit content-type specification can enable attackers to exploit the mismatch between the browser's MIME sniffing algorithm and upload filter. By uploading files with benign extensions (like .jpg), an attacker can easily bypass the upload filter to upload files containing malicious HTML content. The browser's content sniffing algorithm however renders it as HTML based on the content of the file and executes any malicious scripts embedded within the HTML content.

Character Set Mismatch:
Character set specification is part of the Content-Type header. Absence of this specification can enable attackers to bypass input validation filters or HTML entity escape functionality and conduct cross-site scripting attacks. If the character set is not specified, browsers attempt to guess the most appropriate character set. This can result in a mismatch between the character set assumed by the application during the generation of the content and by the browser during the parsing and interpretation of the same content. An attacker can exploit this inconsistency to encode attacks using a character set that hides the malicious payloads from the validation filters and escaping mechanisms put in place by the application, but at the same time is interpreted by the browser as a valid executable entity.

The following example scenarios demonstrate the exploitation of the weakness:

Content Sniffing Mismatch:

1. Attacker uploads a file with .jpg extension and no content-type specification. The file contains embedded malicious HTML and JavaScript content.
2. In the absence of the content-type header, the application saves the uploaded file along with the MIME type of the .jpg file.
3. The attacker uses social engineering to entice a victim into accessing the uploaded file.
4. After receiving the requested file without the content-type header, the victim's browser assumes the content-type to be HTML based on the HTML and JavaScript content and renders the file, which causes the execution of the attacker's JavaScript payload.

Character Set Mismatch:
1. Attacker converts the payload of <script>alert(document.location)</script> into a UTF-7 encoded string +ADw-script+AD4-alert(document.location)+ADw-/script+AD4 and sends it to the vulnerable application.
2. An application that uses the ISO-8859-1 character set for filtering or escaping special characters fails to detect the '<' and '>' characters as dangerous.
3. The absence of character set specification due to the missing content-type header forces the browser to guess the character set to use to render the application response that contains the attacker's payload. If the browser correctly guesses the encoding is UTF-7, the injected payload is successfully executed.

Programmers can use HTTP response headers to enforce content-type policies and prevent browsers from insecurely interpreting malicious JavaScript content sent by attackers with a misleading MIME type specification. Web server misconfiguration can cause an application to send HTTP responses with a missing content-type header or specify a MIME type that does not match up with the response content. When a browser receives such a response, it attempts to programmatically determine the MIME type based on the content returned in the response. The MIME type derived by the browser, however, might not match the one intended by the application developer. Such inconsistencies have historically enabled attackers to conduct cross-site scripting or data theft using Cascading Style Sheets (CSS). Attackers can bypass server-side filters using MIME type checking and have the malicious payload with a misleading MIME type specification executed on the client-side due to inconsistent browser MIME sniffing policies.
In addition to safe MIME handling policies for CSS parsing, developers can also dictate the browser's MIME sniffing behavior. By configuring the web server to include the X-Content-Type-Options: nosniff header in all HTTP responses, developers can avoid incorrect interpretation of the responses even in the absence of accurate Content-Type specification.
Adherence to this secure configuration practice is highly recommended. Developers and administrators must, however, take into account that the protection is restricted to IE versions 9 and later. It does not protect users that rely on older versions of IE. To protect these users, it is important that additional safeguards are implemented to complement this protection mechanism.

File disclosure vulnerabilities can occur when:
1. An attacker can gain unauthorized access to source code by forcefully requesting files with extensions that are not mapped to the appropriate interpreter. This configuration error causes the server to directly serve the contents of the file instead of interpreting and serving the result of the interpretation.
2. An attacker can gain unrestricted access to sensitive system files if server misconfiguration leads to incorrect mappings between HTTP request URI patterns and system paths.

Example 1:
Using the mod_userdir module, Apache can map requests for user directories to their home directories. For example, requests for http://example.com/~username/ can be mapped to the contents in the home directory of the user "username".
However, if the administrator misconfigures the mapping of all requests to the "./", then attackers can gain access to sensitive system resources.

Programmers can use input filters to protect applications from client-side threats such as Cross-Site Scripting. However, if the application fails to ensure strict enforcement of an appropriate character set for all the web pages, an attacker can generate payloads using a character set that differs from the one that the input filters use. Similarly, a vulnerability that enables user supplied input to modify the character set of a web page can result in a similar outcome. By changing the character set, an attacker can send malicious payloads, which are ignored by the application's input filter as the characters are deemed safe.
For instance, a UTF-7 encoded cross-site scripting payload +ADw-script+AD4-alert(document.location)+ADw-/script+AD4 bypasses UTF-8 based input filters.

Some proxy servers accept the CONNECT or GET method to make an HTTP connection to another server. Usually, this method is restricted to internal use only. If it is not restricted, attackers can use the server can to disguise the origin of their attacks. Attackers might also be able to access internal machines through the proxy server and map the internal network. This type of vulnerability is usually caused by not properly configuring the proxy server.

One of the basic steps in securing applications and infrastructure is to restrict the amount of knowledge an attacker can gather during the reconnaissance phase. The HTTP OPTIONS method is one way for attackers to discover the configuration of the target web server. A web site administrator can hinder the attacker attempts of mapping the application attack surface by disabling the OPTIONS method. This prevents the attacker from easily obtaining a list of the HTTP methods supported by the web server configuration.

Denial of service conditions can occur when:
1. A server incorrectly sets a limit on the number of threads per processor utilized for application execution
2. The server sets a limit on the number of requests processed at a time

Incorrectly formatted headers can result in an inconsistent security policy and user experience. This can enable attackers to perform client-side attacks even on applications that implement declarative security directives. For example, a missing space between ":" a header name and the header value might result in some browsers ignoring the header.

Server error messages can occur because of a misbehaving application, a misconfiguration, or a malicious value injected into the application. Error responses give attackers insight into how the application handles error conditions. The attacker can use this knowledge to remotely trigger errors that could potentially lead to denial of service conditions.
The attacker can use the details offered in the error message to gain further knowledge about the application logic and discover absolute paths to the filesystem. This information can help refine the attack payloads that target vulnerabilities such as file inclusion, command execution, SQL injection, and others.

WSDL's contain information about the web services that the server offers. An unintended exposure of this information can cause unauthorized access to server methods. An attacker can bypass the client application and directly call web methods.

A servlet error message is the result of an unhandled exception in the application. It indicates that the application failed to handle unexpected user input.
Most serious attacks on a software system begin with the violation of a programmer's assumptions. After the attack, the programmer's assumptions seem flimsy and poorly founded, but before an attack many programmers would defend their assumptions well past the end of their lunch break.

Two dubious assumptions that are easy to spot in code are "this operation can never fail" and "it doesn't matter if this operation fails". When a programmer fails to catch an exception that an operation might throw, they are operating under one of these assumptions.
An attacker can leverage the conditions that cause such errors to orchestrate attacks that will lead to unauthorized access to the system.

An unhandled SOAP exception can reveal information about the application that enables an attacker to orchestrate further attacks on the application. The error message can reveal fully qualified server paths, disclose the structure of server-side documents, or indicate avenues to gain unauthorized access to the system.
Just about every serious attack on a software system begins with the violation of a programmer's assumptions.
Two dubious assumptions that are easy to spot in code are "this operation can never fail" and "it doesn't matter if this operation fails". When a programmer fails to catch an exception that an operation may throw, they implicitly state that they are operating under one of these assumptions.

If the administrator fails to install a valid certificate, site visitors might come to expect the invalid certificate error message presented by the user agent alerting them about the hostname mismatch. An attacker can take advantage of this complacency and trick user into accepting an invalid certificate of their own. This sets the victim up for a man-in-the-middle attack.

There are numerous risks associated with presence of directories with easy-to-guess names and locations. Through enumeration, attackers can fingerprint platforms and applications that are known to use specific directory names. These directories can also lead to exposure of sensitive information and privileged functionality. Predictable directory names and locations can expose admin interfaces, log files, configuration files, source code files and allow an attacker to add, remove, or modify files. Reconnaissance is a fundamental requirement for a successful attack. Predictable directory names and locations can make it very easy to map their target and obtain information essential for compromising the target.

There are numerous risks associated with presence of files with easy-to-guess names and locations. Through enumeration, attackers can fingerprint platforms and applications that are known to use specific file names. These files can also lead to exposure of sensitive information and privileged functionality. Predictable file names could expose admin interfaces, sensitive system information, configuration details, business logic and allow an attacker to add, remove or modify application functionality. Reconnaissance is a fundamental step of a successful attack strategy. Predictable file names can make it very easy to map their target and obtain information essential for compromising it.

Programmers can leverage several different approaches to implementing authentication systems. Web form and network authentication are two commonly used forms of authentication. The effectiveness of network authentication is partly determined by the server configuration. HTTP headers are commonly used for network authentication. Incorrect configuration of these headers or application of the headers to resources that do not need to protected can either allow an attacker to bypass header-based authentication or disrupt availability of system resources.

Failure to disable unnecessary services such as WebDAV of Microsoft IIS or processing insufficiently validated HTTP requests could open up access to restricted information or allow an attacker to gain administrative privileges.

A Security timestamp indicates the freshness of a message's security data. If an attacker intercepts a message retransmits it at a later time, the receiver can reject the replay attack because the timestamp will indicate that the message is stale.

To prevent attackers from tampering with timestamps, timestamps should be signed. Without a signed timestamp, an attacker could intercept a SOAP message, modify the timestamp, and send the message on without the receiver's knowledge. Under these circumstances, an attacker may trick a recipient into accepting a malicious message.

Example 1: The following policy entry has the <MessageAge> tag commented out.

<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  >
...
<!--   <wssp:MessageAge/> -->

</wsp:Policy>

Sending plain text passwords over an unencrypted channel can expose the credential to attackers who can sniff the SOAP message.

Example 1: The following policy entry uses the UsernameToken.

<wssp:SupportedTokens>
    <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken" />
</wssp:SupportedTokens>