What is Security Misconfiguration?
I believe this name was chosen to be as ambiguous as possible for one of the OWASP Top 10 vulnerabilities. It can encompass anything and everything related to configuration, but with some effort we can define a general testing guide for security misconfigurations by looking at the properties shared by the issues found in write-ups and real-world engagements.
How to identify Security Misconfiguration
The following properties of a system indicate a likely vulnerability, though some of them are more ambiguous and harder to test than others.
- Insufficient security hardening across any part of the application stack, including API security. Most applications these days consist of complete technical solutions, and issues can arise in any of their components. To test for this properly we need a good overview of the system under test.
- When our target uses cloud services, the authentication and authorisation on those services need to be configured properly as well.
- Features that are enabled but not used can have a dangerous security impact in certain cases. An example is leaving an unneeded port open while vulnerable software is listening on it.
- Some admins are very lazy and leave passwords at their defaults or make them trivially guessable, like test/test. This is also a security misconfiguration, of course.
- Our target needs to keep its systems and dependencies up to date. Besides keeping them up to date, we need to make sure these components are enabled and configured properly.
- Any security-related setting that is set to an insecure value.
- The server does not respond with security headers or directives. Of course, when they are set they should also contain appropriate security values.
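The last item is easy to check mechanically. The script below is an added example (not part of the original post): it audits a captured set of response headers against a constructed baseline, flagging headers that are missing, headers present with a weak value, and a `Server` header that discloses a version (an example of an unneeded feature left enabled). The thresholds and the two sample responses are assumptions for illustration.

```python
"""Audit an HTTP response's headers for security misconfigurations.

Added example, not from the original post. The baseline below is a
constructed, simplified policy; adapt it to your own requirements.
"""
import re


def _hsts_ok(v: str) -> bool:
    # Require a max-age of at least 180 days (constructed threshold).
    m = re.search(r"max-age=(\d+)", v, re.I)
    return bool(m) and int(m.group(1)) >= 15552000


def _csp_ok(v: str) -> bool:
    # Simplified: a default-src must exist and inline scripts must not be allowed.
    v = v.lower()
    return "default-src" in v and "'unsafe-inline'" not in v


# Header name (lower-cased) -> predicate that accepts a sufficiently strict value.
EXPECTED = {
    "strict-transport-security": _hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": _csp_ok,
}


def audit_headers(headers: dict) -> list:
    """Return findings as (header, problem) tuples; an empty list means clean."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in EXPECTED.items():
        if name not in lowered:
            findings.append((name, "missing"))
        elif not check(lowered[name]):
            findings.append((name, f"weak value: {lowered[name]!r}"))
    # A version string in Server is information disclosure from an unneeded feature.
    server = lowered.get("server", "")
    if re.search(r"/\d", server):
        findings.append(("server", f"version disclosed: {server!r}"))
    return findings


# Constructed sample responses: one misconfigured, one hardened.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}
HARDENED_RESPONSE = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for header, problem in audit_headers(WEAK_RESPONSE):
        print(f"{header}: {problem}")
```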
To prevent these kinds of vulnerabilities, we can implement some mitigations.
Each of these best practices serves a particular goal, but we also need to know what those goals are so we can test with precision.
- Cloud storage misconfigurations
- Test network infrastructure configuration
- Test Application Platform Configuration
- Testing alternative HTTP methods
- Test HTTP Strict Transport Security
Test network infrastructure configuration