
What is OWASP?
OWASP (Open Web Application Security Project) is a nonprofit foundation backed by an open community of volunteers. It develops and publishes freely available best practices, tools, and resources for web application security, the best known of which is the OWASP Top 10 list of the most critical web application risks.
Security Misconfiguration
Ranked 5th in the OWASP Top 10 2021 (A05:2021), this category covers weaknesses that arise when security controls that the server, framework, or application already offers are missing, left at insecure defaults, or configured incorrectly. The code may be sound; the deployment around it is not.
Common Security Misconfigurations
Misconfigurations can surface in many different ways and leave a web application exposed. The most commonly encountered ones are listed below.
Default Passwords
Many systems and applications ship with default credentials that are publicly documented and trivially guessed. Failing to change them lets anyone who knows the vendor defaults gain unauthorized access to sensitive data or administrative functions.
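The check below is an added example, not code from the original article: it scans configuration text for credential pairs and flags those that match a short, constructed list of vendor defaults (or have an empty password). The two input formats it understands (Tomcat-style `<user>` elements and prefixed `key=value` properties) and the sample files are assumptions made for the example; a real audit would use a maintained default-credential list for the products actually deployed.

```python
import re
from typing import Dict, List, Tuple

# Constructed, deliberately short list of vendor defaults used for this example.
# A real audit should use a maintained default-credential list for the products in use.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "admin123"),
    ("root", "root"), ("root", "toor"),
    ("tomcat", "tomcat"), ("tomcat", "s3cret"),
    ("guest", "guest"), ("user", "user"),
}

XML_COMMENT = re.compile(r"<!--.*?-->", re.S)
USER_TAG = re.compile(r"<user\b([^>]*)>", re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# key=value style grouped by prefix: db.username=..., db.password=...
# Only spaces/tabs are allowed around "=", so an empty value cannot swallow the next line.
PROP = re.compile(r"^[ \t]*([\w.\-]+)\.(username|user|password)[ \t]*=[ \t]*(.*?)[ \t]*$", re.I | re.M)


def extract_credentials(text: str) -> List[Tuple[str, str]]:
    """Return (username, password) pairs found in XML user elements or prefixed properties."""
    # Drop XML comments first: tomcat-users.xml ships its example users commented out,
    # and flagging those would be a false positive.
    text = XML_COMMENT.sub("", text)
    pairs: List[Tuple[str, str]] = []
    for m in USER_TAG.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        if "username" in attrs and "password" in attrs:
            pairs.append((attrs["username"], attrs["password"]))
    groups: Dict[str, Dict[str, str]] = {}
    for prefix, key, value in PROP.findall(text):
        groups.setdefault(prefix.lower(), {})[key.lower()] = value.strip("\"'")
    for g in groups.values():
        user = g.get("username", g.get("user"))
        if user is not None and "password" in g:
            pairs.append((user, g["password"]))
    return pairs


def find_default_credentials(text: str) -> List[Tuple[str, str, str]]:
    """Flag pairs that are vendor defaults or that have an empty password."""
    findings: List[Tuple[str, str, str]] = []
    for user, pwd in extract_credentials(text):
        if (user.lower(), pwd) in DEFAULT_CREDENTIALS:
            findings.append((user, pwd, "vendor default"))
        elif pwd == "":
            findings.append((user, pwd, "empty password"))
    return findings


# Constructed samples: a tomcat-users.xml fragment and an application .properties file.
SAMPLE_TOMCAT_USERS = """
<tomcat-users>
  <!-- <user username="tomcat" password="tomcat" roles="tomcat"/> -->
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="Vq7#Lm2pZt9!" roles="manager-script"/>
</tomcat-users>
"""

SAMPLE_PROPERTIES = """
db.username=admin
db.password=admin
cache.user=svc_cache
cache.password=
mail.user=notify
mail.password=uG4$w8rT
"""

if __name__ == "__main__":
    for name, text in (("tomcat-users.xml", SAMPLE_TOMCAT_USERS), ("app.properties", SAMPLE_PROPERTIES)):
        for user, pwd, why in find_default_credentials(text):
            print(f"{name}: user {user!r} ({why})")
```

Run it against a checkout of your deployment configuration as a pre-deploy gate; the commented-out Tomcat user is deliberately not reported, while the live `tomcat/s3cret` account, the `admin/admin` database login and the blank cache password are.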
Unused Services
Unused services, features, sample applications, and open ports that nobody maintains widen the attack surface, especially when they go unpatched because no one feels responsible for them. Attackers exploit known flaws in these forgotten components to reach sensitive data or perform unauthorized actions.
Improper File Permissions
Incorrect file permissions can expose sensitive files and data. This happens when files are not protected at all or when permissions are broader than the job requires, for example a configuration file containing database credentials that every local user on the host can read, or web content that every user can overwrite.
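As an added example (not part of the original article), the audit below walks a directory tree and reports the permission mistakes just described: files writable by group or other, secret files readable by anyone but their owner, and files carrying the setuid/setgid bits. The list of secret-file suffixes and the sample tree that `demo()` builds in a temporary directory are constructed for this example; it assumes a POSIX host.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# File suffixes that normally hold secrets (constructed list for the example).
SECRET_SUFFIXES = (".env", ".key", ".pem", ".p12", ".jks", ".pfx")


def classify(path: Path) -> List[str]:
    """Return human-readable problems with a single file's mode bits."""
    mode = path.stat().st_mode
    issues: List[str] = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable by group/other")
    if path.name.endswith(SECRET_SUFFIXES) and mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append("secret readable by group/other")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        issues.append("setuid/setgid bit set")
    return issues


def audit_tree(root: Path) -> List[Tuple[str, str]]:
    """Walk a directory and return (relative path, issue) pairs; symlinks are skipped."""
    findings: List[Tuple[str, str]] = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        for issue in classify(p):
            findings.append((p.relative_to(root).as_posix(), issue))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed tree with deliberately wrong modes and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "config/app.env": 0o644,      # secret readable by every local user
            "config/server.key": 0o600,   # correct: owner only
            "public/index.html": 0o666,   # anyone on the host can deface the site
            "bin/backup.sh": 0o4755,      # setuid script: privilege escalation vector
            "README.md": 0o644,           # fine for a non-secret
        }
        for rel, mode in samples.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed sample\n")
            os.chmod(f, mode)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, issue in demo():
        print(f"{rel}: {issue}")
```

Point `audit_tree()` at the application root and the web server's document root and run it from the same pipeline that deploys them, so a bad `chmod` in a deploy script is caught before the first request arrives.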
Solutions
Secure Configuration Standards
Use established hardening baselines such as the CIS Benchmarks or NIST guidance to configure systems consistently, and automate that configuration so that development, test, and production environments are built the same way rather than by hand.
Continuous Monitoring
Implement continuous monitoring and automated configuration and vulnerability scanning so that misconfigurations are detected soon after they appear, not at the next annual audit. Ensure logs are configured to capture security-relevant events (authentication failures, access to administrative interfaces, configuration changes) and are shipped off the host, where an attacker who compromises it cannot edit them.
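The detection logic below is an added example, not code from the original article. It runs over web server access log lines in the Combined Log Format and surfaces two signs of the misconfigurations this page describes: a successful (2xx) response from a sample application, admin console or diagnostics page that should not exist in production, and repeated 401/403 responses on the admin console from one address, which is what guessing default accounts looks like. The path list, the threshold and the sample log lines (using RFC 5737 documentation addresses) are constructed assumptions for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Combined Log Format as written by Apache httpd and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Sample apps, admin consoles and diagnostics pages that should not answer in production.
# Constructed list for the example; extend it for the stack you actually run.
SHOULD_NOT_EXIST = ("/examples/", "/docs/", "/manager/html", "/host-manager/",
                    "/phpinfo.php", "/server-status")

# Failed attempts on the admin console from one address before we call it a brute force.
BRUTE_FORCE_THRESHOLD = 5


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split one access log line into its fields, or return None for unparseable input."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines: List[str]) -> Dict[str, List[str]]:
    """Return exposed sample/admin paths and addresses brute-forcing the admin console."""
    exposed = set()
    failed: Counter = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        status = int(rec["status"])
        # A 2xx means the component really is deployed; a 404 means it has been removed.
        if 200 <= status < 300 and path.startswith(SHOULD_NOT_EXIST):
            exposed.add(path)
        if status in (401, 403) and path.startswith("/manager/"):
            failed[rec["ip"]] += 1
    brute = sorted(ip for ip, n in failed.items() if n >= BRUTE_FORCE_THRESHOLD)
    return {"exposed_paths": sorted(exposed), "admin_brute_force": brute}


def _line(ip: str, path: str, status: int) -> str:
    """Build a constructed Combined Log Format line for the sample below."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: one address finds the Tomcat examples app, fails five times on
# the manager console, then gets in; another address probes /docs/ which was removed.
SAMPLE_LOG = (
    [_line("203.0.113.7", "/examples/servlets/index.html", 200)]
    + [_line("203.0.113.7", "/manager/html", 401) for _ in range(5)]
    + [_line("203.0.113.7", "/manager/html", 200)]
    + [_line("198.51.100.2", "/index.html", 200)]
    + [_line("198.51.100.2", "/docs/", 404)]
    + [_line("198.51.100.9", "/manager/html", 401) for _ in range(2)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("exposed:", result["exposed_paths"])
    print("brute force from:", result["admin_brute_force"])
```

In production the same logic belongs in the log pipeline or SIEM as a scheduled query; the useful property is that it checks what the server actually answered, so a component that was "removed" in a ticket but is still returning 200 is caught.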
Regular Updates and Patching
Ensure all systems and applications are updated regularly so that known vulnerabilities are closed. This covers operating system updates as well as application updates, and application updates must include not only the product itself but also the libraries, frameworks, and components it depends on.
Principle of Least Privilege
Follow the principle of least privilege: grant each user, service account, and process access only to the resources and data it needs to perform its function. This limits what an attacker gains from a single misconfigured or compromised component.
Security Testing
Conduct regular security testing, including penetration testing and vulnerability assessments, to identify misconfigurations and vulnerabilities in systems and applications before an attacker does.
Applied together, these recommendations substantially reduce the chance that a configuration mistake turns into an exploitable vulnerability.
Example Attack Scenarios
Scenario 1: Default Accounts
The application server ships with sample applications that were never removed from the production server. These sample applications contain known security flaws that attackers use to compromise the server. Suppose one of them includes an admin console and its default accounts have not been changed: an attacker simply logs in with the default credentials and takes control of the server.
Scenario 2: Directory Listing
Directory listing has not been disabled on the server, so an attacker can browse the directory tree and look for weaknesses instead of guessing file names. The attacker finds compiled Java classes, downloads them, decompiles them back to source, and reads the code. This reveals a serious access control flaw in the application that would have stayed hidden had the files not been listable.
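The scanner below is an added example, not part of the original article. It classifies an HTTP response body as an auto-generated directory index by matching the title markers that common servers emit, and pulls out the links an attacker would download first (compiled classes, archives, backups, dumps). The signature list, the "interesting" suffix list and the sample index page (a classes directory that was deployed as static content, which a servlet container would never do for `WEB-INF`) are constructed assumptions for the example.

```python
import re
from typing import List, Optional

# Title markers of auto-generated index pages (constructed list; extend for your servers).
SIGNATURES = [
    ("apache httpd / nginx autoindex", re.compile(r"<title>\s*Index of\s+/", re.I)),
    ("tomcat DefaultServlet / python http.server",
     re.compile(r"<title>\s*Directory listing for\s+/", re.I)),
    ("iis", re.compile(r"\[To Parent Directory\]", re.I)),
]

# Files an attacker downloads first from a listable directory.
INTERESTING = (".class", ".jar", ".war", ".bak", ".old", ".sql", ".env", ".git/")


def detect_directory_listing(body: str) -> Optional[str]:
    """Return the server family whose index-page signature matches, or None."""
    for name, rx in SIGNATURES:
        if rx.search(body):
            return name
    return None


def interesting_entries(body: str) -> List[str]:
    """Links in a listing that point to source, archives, backups or secrets."""
    hrefs = re.findall(r'href="([^"]+)"', body, re.I)
    return [h for h in hrefs if h.lower().endswith(INTERESTING)]


# Constructed response body in the style of an Apache httpd index page for a directory
# of compiled classes that was copied into the document root by a faulty deploy step.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /app/classes/com/example/auth</title></head>
<body><h1>Index of /app/classes/com/example/auth</h1>
<ul><li><a href="../">Parent Directory</a></li>
<li><a href="AdminFilter.class">AdminFilter.class</a></li>
<li><a href="LoginServlet.class">LoginServlet.class</a></li>
<li><a href="notes.txt">notes.txt</a></li>
</ul></body></html>
"""

# Constructed ordinary page for comparison.
SAMPLE_NORMAL = '<html><head><title>Welcome</title></head><body><a href="/login">Log in</a></body></html>'

if __name__ == "__main__":
    for label, body in (("listing", SAMPLE_LISTING), ("normal", SAMPLE_NORMAL)):
        print(label, "->", detect_directory_listing(body), interesting_entries(body))
```

In a scan, feed the function the bodies returned for every URL that ends in `/` (and for the parent directories of every discovered file). The fix has two halves: turn listings off (`autoindex off;` in nginx, `Options -Indexes` in Apache httpd; Tomcat's `DefaultServlet` ships with `listings` set to false, so check that nobody enabled it), and stop copying build artifacts into served paths, because a listing is only dangerous when there is something worth downloading.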
References
- OWASP Top 10
- A05:2021 Security Misconfiguration
- A05 Security Misconfiguration
- OWASP Top 10 Explained with Examples
- Supply Chain Security: Security Misconfigurations
- Security Misconfiguration Nedir? (What is Security Misconfiguration?)
- Security Misconfiguration Yanlış Güvenlik Yapılandırması (Security Misconfiguration: Incorrect Security Configuration)
LinkedIn: Emre Gümüş