Most Common Web Application Security Vulnerabilities #5: Security Misconfiguration
The security misconfiguration applies to any security issue that is not a consequence of a programming error but a result of a configuration error. Security misconfigurations have been characterized as a separate category in the OWASP Top ten list. As the definition states, this flaw can happen at any level of an application stack, including the network services, web server, platform, application server, frameworks, database, custom code, containers and pre-installed virtual machines or storage.
Real-World Consequences of Security Misconfiguration
- MongoDB Databases — Earlier in the 2020, a hacker targeted nearly 47% of all MongoDB databases on the internet because of not setting up a password. https://www.zdnet.com/article/hacker-ransoms-23k-mongodb-databases-and-threatens-to-contact-gdpr-authorities/
- AWS Misconfiguration — One of the biggest causes of identity theft in the United States was the exposure of AWS buckets https://securityboulevard.com/2019/12/unsecured-aws-bucket-exposes-personal-data-of-750000-u-s-residents/
- The Cost of Human Error — Human error is a primary cause of security misconfiguration, such as in the case of a Spring contractor misconfiguring a cloud storage bucket and exposing hundreds of thousands of mobile phone bills. https://threatpost.com/att-verizon-subscribers-exposed-mobile-bills/150867/
The Root Cause for Security Misconfiguration
1. Running the application with debug enabled in production.
2. Running outdated software (think WordPress plugins, old PhpMyAdmin).
3. Having directory listing enabled on the server, which leaks information.
4. Having unnecessary services running on the machine.
5. Unused Web pages.
6. Not changing default keys and passwords.
7. Poorly configures network devices.
8. Revealing error handling information to the attackers, such as stack traces.
These security misconfigurations can happen for a myriad of reasons. It is important to not only stay abreast of newly released patches, but to also implement them in a mirrored test environment first to ensure they do not cause other issues within a system. Furthermore, poorly trained administrators and poorly written cybersecurity policies breed an environment where default accounts are used. Most hackers are skilled enough to figure out, the default account credentials for networking devices, operating systems, and many applications. Using these default accounts makes it easy for cybercriminals to access your system and escalate their privileges. This is an easy fix, but it is a vulnerability that happens quite often.
Security Misconfiguration, After-Effects
Such vulnerabilities offer cybercriminals a simpler approach to acquire unauthorized access to system data or its functionalities. There is a possibility that security misconfiguration can also lead to complete system compromise. In the event that the undermined or application is sensitive, then such sort of flaw can damage the reputation as well as the economy of the organization.
Protecting against Security Misconfiguration
The principle of least privilege: Everything off by default.
1. Disable administration interfaces.
2. Disable use of default accounts/passwords.
3. Disable debugging.
4. Configure server to prevent unauthorized access, directory listing, etc.
The most efficient method to rescue is, by regularly running scans, which expose security issues. Such scans should include production systems and staging systems — production configuration is often based on the staging configuration. The best way to test security misconfiguration is by using a professional scanner that discovers not just network security misconfigurations (as most scanners do) but focuses on web application security.
Security misconfigurations are still on the OWASP Top Ten list, ranked as number six. Hackers continue to grow smarter year after year and so that every effort should be made to secure networks, not just for the sake of the company, but for the sake of the public as well.
Security Misconfiguration issues can result from both human error and a general lack of knowledge. By being aware of the most common mistakes and the easiest prevention measures, you will have a great foundation for keeping your systems safe from most misconfiguration-focused attacks. It is important to remember that these best practices must be a part of an organizational focus on security, with proper processes in place that keep the staff trained and the systems up to date.