About
Description
Security misconfiguration, one of the most commonly seen issues, can be defined as failing to implement all the security controls for a server or web application, or implementing them with flaws. Any poorly documented configuration change, default setting, or technical issue in any component of an endpoint could lead to a misconfiguration. Usually, misconfiguration is not introduced directly by developers but is rather the result of a misunderstanding between developers and SysAdmins.
Misconfigurations can occur for several reasons but are commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, it is equally important to keep the software up to date.
Improper configurations can lead to a wide variety of security risks within servers and environments. Misconfiguration vulnerabilities make web applications susceptible to attacks that target any part of the stack. Attackers will frequently try to exploit unpatched flaws or access default accounts, unused pages, unprotected files, directories, etc. to get unauthorized access or knowledge of the system.
For instance, the following attack types may target misconfiguration vulnerabilities:
Brute force/credential stuffing
Code injection
Buffer overflow
Command injection
Cross-site scripting (XSS)
Forceful browsing
Overview
The configuration of web application servers is an important aspect, but modern network infrastructures are highly complex, and organizations often overlook crucial security settings. Security misconfiguration may exist in software components or subsystems. Any element that requires a configuration can be subject to this vulnerability (network devices, hardware, email services, etc.). It can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage.
Detection
Automated scanners are useful for identifying misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc. Scan the network for vulnerabilities and audit regularly to help detect future misconfigurations or missing patches.
The application might be vulnerable if:
Appropriate security hardening is missing across any part of the application stack, or permissions on cloud services are improperly configured.
Redundant features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges).
Default accounts and their passwords are still enabled and unchanged.
Error handling reveals stack traces or other overly informative error messages to users.
The latest security features are disabled or not configured securely.
The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. are not set to secure values.
The server does not send security headers or directives, or they are not set to secure values.
The software is out of date or vulnerable (see A9:2017-Using Components with Known Vulnerabilities).
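Several items in this checklist can be observed in a single HTTP response. The following is an added example, not code from the original page: it audits one response for missing or weak security headers, version banners, leaked stack traces and directory listings. The header baseline (including the 180-day HSTS minimum), the finding labels and the sample responses are assumptions constructed for the illustration.

```python
import re

def _max_age(value):
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

# Baseline (assumed for this example): header name -> check on its value.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: _max_age(v) >= 15552000,  # 180 days
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: bool(v.strip()),
}
# Patterns that suggest a stack trace reached the user.
TRACE_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),    # Python
    re.compile(r"^\s+at [\w.$<>]+\(.*\)", re.M),           # Java/.NET frames
    re.compile(r"\b\w+(\.\w+)+Exception\b"),               # qualified exception name
]

def audit_response(headers, body):
    """Return a sorted list of misconfiguration findings for one response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, is_secure in REQUIRED_HEADERS.items():
        if name not in hdrs:
            findings.append(f"missing:{name}")
        elif not is_secure(hdrs[name]):
            findings.append(f"weak:{name}")
    if re.search(r"/\d", hdrs.get("server", "")):          # e.g. "Product/1.2"
        findings.append("banner:server")
    if "x-powered-by" in hdrs:
        findings.append("banner:x-powered-by")
    if any(p.search(body) for p in TRACE_PATTERNS):
        findings.append("verbose-error:stack-trace")
    if re.search(r"<title>\s*Index of /", body, re.I):
        findings.append("directory-listing")
    return sorted(findings)

# Constructed sample responses (not taken from any real system).
WEAK_HEADERS = {"Server": "Apache/2.4.1", "X-Powered-By": "PHP/5.6",
                "X-Frame-Options": "ALLOWALL",
                "Strict-Transport-Security": "max-age=300"}
WEAK_BODY = ("<h1>500</h1><pre>java.lang.NullPointerException\n"
             "    at com.example.Shop.checkout(Shop.java:42)\n</pre>")
HARDENED_HEADERS = {"Server": "nginx", "X-Content-Type-Options": "nosniff",
                    "X-Frame-Options": "DENY",
                    "Content-Security-Policy": "default-src 'self'",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
HARDENED_BODY = "<h1>Something went wrong</h1><p>Reference: 7f3a</p>"
```

Running `audit_response` over responses collected during a regular scan gives a repeatable check that hardening has not regressed between deployments.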
Potential impact
Without a concerted, repeatable security configuration process, application systems are at a higher risk of being exploited. Such flaws frequently give attackers unauthorized access to some system data or functionality and consequently lead to sensitive data exposure. Therefore, it can impact confidentiality, integrity, and availability, depending on the context. Occasionally, such flaws result in a complete system compromise.
The business impact depends on the protection needs of the application and data.
How to prevent
Because security misconfiguration is a result of human error, it is difficult, but not impossible, to prevent. The first step is to raise awareness and educate employees in this regard. Also, study application behaviour to mitigate the risk of misconfiguration.
Some other recommendations to prevent security misconfigurations are:
Change default credentials.
Disable default settings and the use of default accounts/passwords. Ensure account lockout policies are in place.
Disable administration interfaces and limit access to administration panels and consoles.
Configure the server to prevent unauthorized access, directory listing, etc.
Disable debugging.
Encrypt data.
Adopt robust application architecture that promotes efficient and secure separation between components.
Automate as much as possible.
Read more about prevention here.
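To illustrate "automate as much as possible", the following added example (not code from the original page) is a pre-deployment gate that checks a configuration file against several of the recommendations above: default credentials, account lockout, debugging, directory listing and exposure of an administration console. The INI layout, every key name, the credential list and both sample configs are hypothetical and constructed for the illustration.

```python
import configparser

# Constructed sample of widely known default username/password pairs.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("tomcat", "tomcat")}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_config(text):
    """Return (section, issue) findings for a deployment config in INI form."""
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        s = cfg[name]
        if s.getboolean("debug", fallback=False):
            findings.append((name, "debugging enabled"))
        if s.getboolean("directory_listing", fallback=False):
            findings.append((name, "directory listing enabled"))
        if "username" in s:
            password = s.get("password", "")
            if (s["username"].lower(), password) in DEFAULT_CREDENTIALS or not password:
                findings.append((name, "default or empty credentials"))
            if s.getint("lockout_threshold", fallback=0) < 1:
                findings.append((name, "no account lockout"))
        # A missing bind address is treated as "all interfaces" (assumption).
        if s.getboolean("admin_console", fallback=False) \
                and s.get("bind", "0.0.0.0") not in LOOPBACK:
            findings.append((name, "admin console reachable off-host"))
    return findings

# Constructed configs: one as shipped by default, one hardened.
SHIPPED = """[web]
debug = true
directory_listing = on
[manager]
admin_console = yes
bind = 0.0.0.0
username = admin
password = admin
"""
HARDENED = """[web]
debug = false
directory_listing = off
[manager]
admin_console = yes
bind = 127.0.0.1
username = ops-deploy
password = constructed-placeholder-passphrase
lockout_threshold = 5
"""
```

Failing the build whenever `audit_config` returns a non-empty list keeps default settings from reaching production unnoticed.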
Case
A recent Microsoft service breach caused a data leak that exposed information from millions of customer support cases due to misconfigured security settings in an Azure database. Data could be accessed from a web browser link without any authentication! However, most of the personally identifiable information was "redacted" or obscured by "automated tools." Microsoft is taking this seriously and applying internal measures to prevent this in the future.
Learn more about it here.