Most Common Web Application Security Vulnerabilities #5: Security Misconfiguration

The security misconfiguration applies to any security issue that is not a consequence of a programming error but a result of a configuration error. Security misconfigurations have been characterized as a separate category in the OWASP Top ten list. As the definition states, this flaw can happen at any level of an application stack, including the network services, web server, platform, application server, frameworks, database, custom code, containers and pre-installed virtual machines or storage.

1. Running the application with debug enabled in production.

2. Running outdated software (think WordPress plugins, old PhpMyAdmin).

3. Having directory listing enabled on the server, which leaks information.

4. Having unnecessary services running on the machine.

5. Unused Web pages.

6. Not changing default keys and passwords.

7. Poorly configures network devices.

8. Revealing error handling information to the attackers, such as stack traces.

These security misconfigurations can happen for a myriad of reasons. It is important to not only stay abreast of newly released patches, but to also implement them in a mirrored test environment first to ensure they do not cause other issues within a system. Furthermore, poorly trained administrators and poorly written cybersecurity policies breed an environment where default accounts are used. Most hackers are skilled enough to figure out, the default account credentials for networking devices, operating systems, and many applications. Using these default accounts makes it easy for cybercriminals to access your system and escalate their privileges. This is an easy fix, but it is a vulnerability that happens quite often.

Such vulnerabilities offer cybercriminals a simpler approach to acquire unauthorized access to system data or its functionalities. There is a possibility that security misconfiguration can also lead to complete system compromise. In the event that the undermined or application is sensitive, then such sort of flaw can damage the reputation as well as the economy of the organization.

The principle of least privilege: Everything off by default.

1. Disable administration interfaces.

2. Disable use of default accounts/passwords.

3. Disable debugging.

4. Configure server to prevent unauthorized access, directory listing, etc.

The most efficient method to rescue is, by regularly running scans, which expose security issues. Such scans should include production systems and staging systems — production configuration is often based on the staging configuration. The best way to test security misconfiguration is by using a professional scanner that discovers not just network security misconfigurations (as most scanners do) but focuses on web application security.

Security misconfigurations are still on the OWASP Top Ten list, ranked as number six. Hackers continue to grow smarter year after year and so that every effort should be made to secure networks, not just for the sake of the company, but for the sake of the public as well.

Security Misconfiguration issues can result from both human error and a general lack of knowledge. By being aware of the most common mistakes and the easiest prevention measures, you will have a great foundation for keeping your systems safe from most misconfiguration-focused attacks. It is important to remember that these best practices must be a part of an organizational focus on security, with proper processes in place that keep the staff trained and the systems up to date.

Application Security Engineer at 99x | OWASP Community Volunteer | Interested in Challenges which pushes to think outside the box.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store