Security misconfiguration

All material regarding Security Misconfiguration will be provided to us by OWASP, We will start off just like the others looking at the threat agents and attack vectors.

“Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files, and directories, etc to gain unauthorized access or knowledge of the system.”

Now that we understand what the attacker’s perspective of this is let’s look at the security weakness and impact of this vulnerability.

“Security Weakness: Security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc.”

“Impacts: Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise. The business impact depends on the protection needs of the application and data.”

Now that we have a base understanding of this, we can see what OWASP has to say regarding how to determine if the application is vulnerable.

  • Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services.
  • Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges).
  • Default accounts and their passwords still enabled and unchanged.
  • Error handling reveals stack traces or other overly informative error messages to users.
  • For upgraded systems, the latest security features are disabled or not configured securely.
  • The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values.
  • The server does not send security headers or directives or they are not set to secure values.

The software is out of date or vulnerable (see A9:2017-Using Components with Known Vulnerabilities).