Exploring the OWASP Top 10: Part 5

One of the top ten security risks identified by OWASP is security misconfiguration, which is explained in their 2021 report https://owasp.org/Top10/A05_2021-Security_Misconfiguration/.

An application might be vulnerable if the application is missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services, if it has unnecessary features enabled or installed, if default accounts and their passwords are enabled and unchanged, if error handling reveals stack traces or other overly informative error messages to users, or if an upgraded system does not have the latest security features enabled or if they are not properly configured. Using out of date software can also lead to this risk.

This leads to a few possible attacks. Firstly, if the application server comes with sample applications not removed from the production server. If these have known security flaws, attackers could use them to compromise the server. Suppose one of these applications is the admin console, and default accounts weren’t changed. In that case, an attacker could log in with the default credentials and immediately gain administrator privileges. This picture gives a brief demonstration of an attacker gaining access to a system by using unchanged default values:

CrowdStrike provides more examples of security misconfiguration and what dangers they could lead to: https://www.crowdstrike.com/cybersecurity-101/security-misconfiguration/#:~:text=Security%20misconfiguration%20is%20any%20error%20or%20vulnerability%20present,breach%20and%20attackers%20gaining%20unauthorized%20access%20to%20data.

If directory listing is not disabled on the server, an attacker can simply list directories. The attacker could find and download the compiled Java classes. Later, they could decompile and reverse engineer them to view the code. This allows the attacker to easily find access control flaws and other vulnerabilities in the application. Veracode has more information about possible attacks that could be caused by security misconfiguration: https://info.veracode.com/rs/790-ZKW-291/images/security-misconfiguration-prevention-guide-en.pdf.

In order to minimize this vulnerability, secure installation processes should be implemented, including a repeatable hardening process that makes it fast and easy to deploy another environment that is appropriately locked down. This process should be automated to minimize the effort required to set up a new secure environment. Using a minimal platform without any unnecessary features, components, documentation, and samples also helps to reduce the risk of security misconfiguration. Regularly reviewing and updating the configurations appropriate to all security notes, updates, and patches as part of the patch management process is also a good practice to make sure everything is properly configured and up to date. Using an automated process to verify the effectiveness of the configurations and settings in all environments would help developers to ensure that their security configuration works in any environment they need to use. This picture lists some of the top areas where people make security configuration mistakes: