Whether you’re a startup or a Fortune 500 company, security misconfigurations will always be a topic of discussion in the security world. Security misconfigurations, number 5 on the OWASP Top 10 for 2021 (A05:2021), are the classic security holes that most come to mind: missing patches, out-of-date operating systems, default settings left in place and more fall under this umbrella.
How do these vulnerabilities affect your organization and what can be done about them? Are there ways to detect, manage, and patch these vulnerabilities? Most importantly, how concerned should you be with misconfigurations?
What are security misconfigurations and why should we be concerned about them?
Security misconfigurations are anything that unnecessarily increases the attack surface of an application or host. The commonality among these vulnerabilities is that none of them are needed for the application to do its job, and nearly all of them trace back to a human configuring something incorrectly or not configuring it at all. This could be because unnecessary ports are left open, software is left out of date, or error handling is too verbose.
The OWASP Top 10 lists the following as examples of what constitutes a security misconfiguration:
- Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services.
- Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges).
- Default accounts and their passwords are still enabled and unchanged.
- Error handling reveals stack traces or other overly informative error messages to users.
- For upgraded systems, the latest security features are disabled or not configured securely.
- The security settings in the application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values.
- The server does not send security headers or directives, or they are not set to secure values.
- The software is out of date or vulnerable (see A06:2021-Vulnerable and Outdated Components).
How to find and manage security misconfiguration vulnerabilities
All of these vulnerabilities should be easily preventable, so how do we find and manage them? One of the easiest ways to find these vulnerabilities is to scan the application regularly.
The scan will reveal the most common security misconfigurations, such as missing security headers and out-of-date software or operating systems. It’s also a good idea to get a web application penetration test in order to identify deeper issues and confirm any findings from the scan. A tester will also look for things a scanner tends to miss, such as default credentials, unnecessary pages or services being hosted, and more.
Once the scan and test have been completed, you will have a picture of the vast majority of your application’s security holes. This lets you not only identify vulnerabilities but also rank them by severity, which in turn gives you a framework for where remediation efforts should be focused first.
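As an illustration of the header checks a scanner performs (the "security headers or directives" item in the OWASP list above), here is a small audit written for this article as an added example; it is not the article's own code or any scanner's. It parses a raw HTTP response and reports the misconfigurations it finds. The two responses are constructed for illustration, and the expectations (one-year HSTS, nosniff, clickjacking protection, a CSP, no version in the Server header, Secure and HttpOnly on cookies) are this example's assumed baseline rather than an authoritative standard.

```python
"""Minimal security-header audit over a captured HTTP response.

Added example, not code from the article. Both responses below are
constructed; the checks encode an assumed baseline, not a formal standard.
"""
import re

# Constructed response from a host with several misconfigurations.
RAW_RESPONSE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed response from the same host after remediation.
RAW_RESPONSE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers).

    Header names are lower-cased; values are kept as a list because a
    header such as Set-Cookie may legitimately appear more than once.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_headers(headers):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []

    def first(name):
        values = headers.get(name)
        return values[0] if values else None

    # HSTS: must exist and (assumed baseline) cover at least one year.
    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < 31536000:
            findings.append("Strict-Transport-Security max-age below one year")

    # MIME sniffing protection.
    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Clickjacking: either a restrictive X-Frame-Options or a CSP frame-ancestors.
    xfo = (first("x-frame-options") or "").upper()
    csp = first("content-security-policy") or ""
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options/frame-ancestors)")
    if not csp:
        findings.append("Content-Security-Policy header missing")

    # Version disclosure in the Server banner (a digit.digit pattern).
    server = first("server") or ""
    if re.search(r"\d+\.\d+", server):
        findings.append(f"Server header discloses version: {server}")

    # Cookie attributes: every Set-Cookie should carry Secure and HttpOnly.
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", RAW_RESPONSE_WEAK), ("hardened", RAW_RESPONSE_HARDENED)):
        _status, hdrs = parse_response(raw)
        print(f"[{label}] {len(audit_headers(hdrs))} finding(s)")
        for finding in audit_headers(hdrs):
            print("  -", finding)
```

Run against a real target, the same logic would sit behind an HTTPS client; note that Strict-Transport-Security is only honoured by browsers when received over TLS, so auditing it on a plain-HTTP response tells you little.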
How would an attacker be able to use these types of vulnerabilities to attack your application?
Security misconfigurations have a wide range of severity. A mildly outdated webserver may be vulnerable to a small information disclosure vulnerability, but a very outdated webserver could enable remote code execution. There is definitely a severity spectrum at play with these types of vulnerabilities.
An attacker could exploit any of these types of vulnerabilities: learn more about the application via verbose errors, gain access via default credentials, exploit a known SQL injection in an outdated component, or drop a web shell through an outdated component that allows remote code execution. That being said, all of these vulnerabilities are preventable.
To prevent them, we must take our vulnerability scan and penetration test results and remediate the findings. Luckily, this class of vulnerabilities is also among the most straightforward to fix, sometimes consisting of nothing more than applying a patch.
How to fix security misconfigurations
Your web application penetration test report will usually include remediation guidance for each finding, and any security misconfiguration identified will need a configuration change, a patch, or both.
For example, if a finding was that you have a verbose error page disclosing full file paths and internal IP addresses, you can change what the application displays: return a generic custom error page (a 500 page or similar) to the user, and log the verbose error, ideally with a reference ID, for internal use only.
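The verbose-error remediation just described, as an added example that is not the article's own code. It is framework-agnostic: each handler receives the caught exception and returns a status and a body, which is where a web framework's error hook would plug in. The failing operation (opening a config file whose name embeds an internal IP) and the path it exposes are constructed for illustration.

```python
"""Verbose versus hardened error handling for an unhandled exception.

Added example, not the article's code. The failing file path is constructed
to show the kind of detail (full paths, internal addresses) that leaks when
a stack trace is returned to the client.
"""
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed path: does not exist, so load_config() raises FileNotFoundError.
CONFIG_PATH = "/srv/app/config/internal-10.0.4.7.ini"


def load_config(path):
    """Read a config file; raises if the file is missing."""
    with open(path) as fh:
        return fh.read()


def verbose_error_handler(exc):
    """The misconfiguration: the full traceback goes back to the client.

    The body discloses the source file locations of the application and the
    operating-system error text, including the path that was being opened.
    """
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, "Internal error:\n" + trace


def hardened_error_handler(exc):
    """The fix: log the detail server-side, return only a generic message.

    The opaque incident ID lets support staff find the full trace in the
    server log without giving the client anything about the internals.
    """
    incident_id = uuid.uuid4().hex
    log.error("unhandled exception, incident %s", incident_id, exc_info=exc)
    return 500, f"An internal error occurred. Reference: {incident_id}"


def handle_request(error_handler, path=CONFIG_PATH):
    """Simulate a request: run the operation, route any failure to the handler."""
    try:
        return 200, load_config(path)
    except Exception as exc:  # broad on purpose: this is the last-resort handler
        return error_handler(exc)


if __name__ == "__main__":
    for handler in (verbose_error_handler, hardened_error_handler):
        status, body = handle_request(handler)
        print(f"--- {handler.__name__}: HTTP {status}")
        print(body)
```

The check a tester would make is simply that the client-facing body contains neither the word "Traceback" nor any server-side path; the log line, not the HTTP response, is where that detail belongs.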
Conclusion
Security misconfigurations are very prevalent and easily slip through the cracks. However, not all is lost: these vulnerabilities are also some of the easiest to identify and remediate, primarily via a vulnerability scan or a web application penetration test, which together will reveal most vulnerabilities of this class. Remediating the specific findings and staying on top of patching will keep your application free of the common security misconfigurations, provided you repeat the scan whenever the application or its stack changes.
Sam Schraff
Sam Schraff is an experienced security professional with a passion for penetration testing and demonstrated experience on a red team. Skilled in penetration testing, vulnerability analysis, remote social engineering, war dialing, reporting and client relations. Credentials and certifications include CompTIA Security+ and EC-Council C|EH, as well as a Bachelor of Business Administration in Cyber Security from The University of Texas at San Antonio.