How to Handle Security Misconfigurations

No matter how big or small your company is, security misconfigurations will always be a topic of discussion. Security misconfiguration, number five (A05) on the OWASP (Open Web Application Security Project) Top 10 for 2021, is the classic class of security holes that any company can have pop up at any given time. Missing patches, out-of-date operating systems, unchanged defaults and more fall under this umbrella.

How do these vulnerabilities affect your organization, and what can be done about them? Are there ways to detect, manage, and patch them? Most importantly, how concerned should you be about misconfigurations?

What are security misconfigurations and why should we be concerned about them?
A security misconfiguration is any setting, default or leftover that inadvertently increases the risk of a successful attack on your company's applications. What these weaknesses have in common is that none of them is needed for the application to do its job, yet each can play a part in compromising your network, and nearly all of them are introduced by human error rather than by a flaw in the code itself: ports left open that nothing needs, software left out of date, default accounts never disabled.

The OWASP Top 10 lists the following, among others, as conditions that make an application vulnerable to security misconfiguration:

  • Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services.
  • Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges).
  • Default accounts and their passwords are still enabled and unchanged.
  • Error handling reveals stack traces or other overly informative error messages to users.
  • For upgraded systems, the latest security features are disabled or not configured securely.
  • The server does not send security headers or directives, or they are not set to secure values.
  • The software is out of date or vulnerable.

How to find and manage security misconfiguration vulnerabilities
All of these weaknesses should be preventable, so how do we find and manage them? One of the easiest ways is to scan the application regularly with a vulnerability scanner.

A scan will reveal the most common misconfigurations: missing or weak security headers, version disclosure in response headers, out-of-date software and operating systems, and so on. It is also a good idea to commission a web application penetration test to identify deeper issues and to confirm (or rule out as false positives) what the scanner reported. A tester will find the things a scanner tends to miss: default credentials that still work, unnecessary pages or services being hosted, and the like.
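The header and version-disclosure part of such a scan is small enough to show in full. The following is an added example written for this article, not a tool from the original page: it audits one response's headers for the two conditions a scanner flags, a security header that is missing and one that is present with an insecure value, and also flags `Server` / `X-Powered-By` values that carry a version string. The two sample responses are constructed for the example and the thresholds (six months of HSTS, no `'unsafe-inline'` in CSP) are conventional choices, not values from the page.

```python
"""Audit HTTP response headers for the misconfigurations a scanner reports:
security headers that are missing, headers present with insecure values, and
version disclosure. Standard library only. The sample responses at the bottom
are constructed for this example, not captured from a real host."""

from typing import Callable, Dict, List, Tuple


def _hsts_ok(value: str) -> bool:
    # HSTS is only useful with a max-age of at least six months (15552000 s).
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1]) >= 15552000
            except ValueError:
                return False
    return False  # no max-age directive at all


def _csp_ok(value: str) -> bool:
    # 'unsafe-inline' / 'unsafe-eval' neutralise the XSS protection CSP exists for.
    low = value.lower()
    return "'unsafe-inline'" not in low and "'unsafe-eval'" not in low


def _xcto_ok(value: str) -> bool:
    return value.strip().lower() == "nosniff"


def _xfo_ok(value: str) -> bool:
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


def _referrer_ok(value: str) -> bool:
    return value.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
    )


# header name -> (what a secure value looks like, predicate that checks it)
EXPECTED: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "Strict-Transport-Security": ("max-age >= 15552000", _hsts_ok),
    "Content-Security-Policy": ("no 'unsafe-inline' or 'unsafe-eval'", _csp_ok),
    "X-Content-Type-Options": ("nosniff", _xcto_ok),
    "X-Frame-Options": ("DENY or SAMEORIGIN", _xfo_ok),
    "Referrer-Policy": ("a non-leaking policy", _referrer_ok),
}

# Headers that commonly disclose software versions; a hardened server omits or blanks them.
DISCLOSING = ("Server", "X-Powered-By", "X-AspNet-Version")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding string per problem in a single response's headers.
    Header names are matched case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, (requirement, ok) in EXPECTED.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name} (expected {requirement})")
        elif not ok(value):
            findings.append(f"insecure {name}: {value!r} (expected {requirement})")
    for name in DISCLOSING:
        value = lower.get(name.lower())
        # A digit in these headers almost always means a version string is being leaked.
        if value and any(ch.isdigit() for ch in value):
            findings.append(f"version disclosure in {name}: {value!r}")
    return findings


# Constructed sample responses for the example (not from a real host).
WEAK = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED = {
    "Server": "Apache",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        found = audit_headers(hdrs)
        print(f"{label}: {len(found)} finding(s)")
        for finding in found:
            print("  -", finding)
```

Run against the constructed WEAK response this reports seven findings (two missing headers, three insecure values, two version disclosures) and none against HARDENED. To point it at a live target, feed it the `dict(response.headers)` from any HTTP client; the predicates are deliberately strict so that a borderline value is reported for a human to judge rather than silently passed.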

Together, the scan and the test will surface the vast majority of your application's security holes. That lets you not only identify the vulnerabilities but also rank them by severity, which in turn tells you where remediation effort should be focused first.

How would an attacker be able to use these types of vulnerabilities to attack your application?
Security misconfigurations vary widely in severity. A slightly outdated web server may expose only minor weaknesses, while a badly outdated one can enable severe, long-term compromise. Because the errors themselves are so varied, the impact of any one of them is hard to predict in advance, which is why they need to be found and assessed individually.

An attacker uses these weaknesses first to learn about the application (version banners, verbose error pages, exposed administrative pages) and then to get in: logging in with default credentials, or exploiting a known vulnerability in the outdated software, whether that is SQL injection or a remote code execution bug that lets them plant a web shell. Remote code execution is the most severe outcome, since it can hand the attacker complete control of the application server. That being said, every one of these weaknesses is preventable.

To prevent them, take the vulnerability scan and penetration test results and remediate the findings. Fortunately, this class of vulnerability is also among the most straightforward to fix; sometimes a single patch is all it takes.

How to fix security misconfigurations
Your web application penetration test report will usually include broad remediation guidance, and every security misconfiguration it identifies will need a change, typically to a configuration setting rather than to application code.

For example, if a finding is that a verbose error page discloses full file paths and internal IP addresses, the fix is to serve a generic custom error page to the user (keeping the correct status code, so a server failure is still reported as a 500) and to record the verbose detail only in a server-side log for internal use.
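The vulnerable and fixed forms of that finding, side by side, as an added example written for this article (it is not code from the original page or from any particular framework). Both are plain WSGI applications using only the standard library; the failing backend call, the internal address in its message and the request path are constructed for the example. The fixed handler adds a short correlation id so that support staff can find the logged traceback from the id the user sees, without the user seeing anything else.

```python
"""A verbose (misconfigured) error handler beside its hardened form, as plain
WSGI applications. Standard library only. The backend failure, the internal
address it mentions and the request are constructed for this example."""

import logging
import traceback
import uuid
from io import StringIO
from wsgiref.util import setup_testing_defaults

# Stands in for the server's log file so the example runs offline.
log_stream = StringIO()
log = logging.getLogger("example.app")
log.setLevel(logging.ERROR)
log.propagate = False
log.addHandler(logging.StreamHandler(log_stream))


def business_logic(environ):
    # Constructed failure: a backend dependency raises with an internal address in the message.
    raise ConnectionError("could not reach db-primary at 10.20.30.40:5432")


def verbose_app(environ, start_response):
    """Misconfigured: a debug-style error page sends the full traceback
    (file paths, internal hostnames and addresses) to the client."""
    try:
        body = business_logic(environ)
    except Exception:
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [traceback.format_exc().encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def hardened_app(environ, start_response):
    """Fixed: the client gets a generic page and a reference id; the traceback
    and request details go only to the server-side log."""
    try:
        body = business_logic(environ)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error(
            "error %s on %s %s\n%s",
            ref, environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"), traceback.format_exc(),
        )
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [f"Something went wrong. Reference: {ref}\n".encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, path="/orders"):
    """Invoke a WSGI app with a constructed request; return (status, body_text)."""
    environ = {}
    setup_testing_defaults(environ)   # fills in REQUEST_METHOD, SERVER_NAME, etc.
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    for name, app in (("verbose", verbose_app), ("hardened", hardened_app)):
        status, body = call(app)
        print(f"--- {name}: {status}\n{body}")
    print("--- server log:\n" + log_stream.getvalue())
```

Both handlers return a 500, which is the point: the status code is not the leak, the body is. The verbose body contains the traceback and the `10.20.30.40` address; the hardened body contains neither, while the log captures both alongside the reference id shown to the user.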

Security misconfigurations are very prevalent and easy to let slip through the cracks. However, not all is lost: they are also some of the easiest vulnerabilities to identify and fix. Remediating the specific findings from your scans and tests, and staying on top of patching, will keep your application clear of the common security misconfigurations.
