Appalachia Technologies Blog
The OWASP Top 10: Security Misconfiguration
Security Misconfiguration
Last week we touched on the basics of the Open Web Application Security Project® (OWASP) and why it should be used as a source of information for keeping your web applications secure. This week we are going to touch on one particular vulnerability from the OWASP Top 10 Web Application Security Risks - Security Misconfiguration.
Security Misconfiguration lands in the OWASP Top Ten year after year. This is because simple tasks that should be completed are often overlooked. Let’s break it down.
Some examples of misconfiguration types for web applications are:
- Default usernames and passwords still in place
- Unnecessary ports and services are not disabled
- Security settings within an application are not properly configured
- Error handling gives too much information when producing errors
The above are just a few examples of how an application can be misconfigured; the list is certainly not complete.
How to Prevent
When looking at an application, these are examples of ways to prevent misconfiguration:
- A repeatable hardening process. For example, Development, QA, and Production environments need to be configured the same, but with different credentials. The process should be as automated as possible, so that setting up a new environment takes minimal effort.
- Ensuring the web application runs on a base platform, separate from any other functions. For example, the web application service should not run on the same system as a file server. Any unnecessary features should be disabled.
- A task to review configurations including updates, patches, notes, and the patch management process.
Example Attack Scenarios
- If a web application allows directory listing unintentionally, an attacker can enumerate directories and find things like compiled Java classes, which can be decompiled and reverse engineered to view the code. This could potentially allow an attacker to find a flaw in the application and exploit it.
- If an application gives too much information while producing an error, it can disclose details that an attacker can leverage. For example, if an error page lists the version of SQL Server that is running, that information can be leveraged for further attacks.
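The prevention list above (a repeatable hardening process with environments configured identically apart from credentials) and the two attack scenarios (directory listing and verbose errors) can both be caught by a simple configuration audit. The following is an added example, not code from the post or from Appalachia Technologies; the configuration keys, the sample environments and the default-credential list are all constructed for illustration.

```python
"""Audit parsed web-application configs for the misconfiguration classes
discussed above, and check for drift between environments.

Constructed example: the dicts stand in for a parsed config (env vars,
an INI file, etc.); the key names are assumptions, not a real product's.
"""
from typing import Dict, List

# Widely published default credential pairs (illustrative list only).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Keys that are expected to differ per environment, so they are excluded
# from the drift comparison ("configured the same, but with different credentials").
CREDENTIAL_KEYS = {"admin_user", "admin_password", "db_user", "db_password"}


def audit_config(env: str, cfg: Dict[str, object]) -> List[str]:
    """Return one finding per misconfiguration found in a single environment."""
    findings = []
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append(f"{env}: default admin credentials still in place")
    if cfg.get("debug"):
        findings.append(f"{env}: debug mode on; error pages will expose stack traces and versions")
    if cfg.get("directory_listing"):
        findings.append(f"{env}: directory listing enabled; deployed files can be enumerated")
    required = set(cfg.get("required_services", []))
    for svc in cfg.get("enabled_services", []):
        if svc not in required:  # unnecessary port/service left running
            findings.append(f"{env}: unnecessary service enabled: {svc}")
    return findings


def config_drift(base: Dict[str, object], other: Dict[str, object]) -> List[str]:
    """Keys whose values differ between two environments, ignoring credentials."""
    keys = (set(base) | set(other)) - CREDENTIAL_KEYS
    return sorted(k for k in keys if base.get(k) != other.get(k))


# Constructed sample environments: QA was cloned from Production by hand
# and picked up the usual shortcuts along the way.
PROD = {"admin_user": "ops-admin", "admin_password": "PLACEHOLDER-PROD-SECRET",
        "debug": False, "directory_listing": False,
        "enabled_services": ["https"], "required_services": ["https"]}
QA = dict(PROD, admin_user="admin", admin_password="admin", debug=True,
          enabled_services=["https", "ftp"])

if __name__ == "__main__":
    for line in audit_config("qa", QA) + audit_config("prod", PROD):
        print(line)
    print("drift prod->qa:", config_drift(PROD, QA))
```

Running the audit as part of the hardening pipeline, before an environment is accepted, turns the "task to review configurations" into a repeatable check rather than a manual one.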
It is very important to have a proper process in place to make sure that misconfiguration does not occur. As you can see, it only takes one small mistake for an application to be improperly configured, and one simple oversight could lead to an entire compromise.
If you are concerned about your application being vulnerable or even exploited, reach out to our team of security professionals at Appalachia Technologies. While our team is familiar with this particular OWASP vulnerability, our team can also help ensure that your team is performing due diligence to protect other aspects of your application.
Mike Miller is a cybersecurity professional with 25 years of experience throughout the IT industry. He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response. In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022. Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile. When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.