Security Misconfiguration v2

Security Misconfiguration occurs when security issues arise from misconfiguring server or application software. Default passwords and unused services can enable attacks, potentially exposing applications and data. To prevent this, organizations should define secure configurations, automate deployment, keep software updated, and conduct scans and audits regularly.


Security Misconfiguration

OWASP Web App Top 10

by Secure Code Warrior Limited is licensed under CC BY-ND 4.0


What is it?
“Security Misconfiguration” occurs when security issues arise as a result of a misconfiguration in the server or the application software.

What causes it?
Misconfiguration happens when no secure configuration has been applied to the frameworks, application server, web server, database server, or platform of the web application.

What could happen?
Since configuration happens at so many levels, many attacks are possible. Default admin passwords could be abused to expose the application and database. Running unused services could provide an entry point which an attacker can use to take over the application server.

How to prevent it?
Secure settings should be defined, implemented and maintained. Software should be kept up to date. Automated scanners can help detect misconfigured parts of the system.
Understanding the security vulnerability: default accounts and passwords

1. A web application has a pre-installed admin console that hasn’t been disabled. Although the admin page is not linked to from the main application, it can be found under ‘/admin’.
2. An attacker, looking for a way in, analyzes the web application. Eventually he finds the admin page.
3. Knowing the application’s framework, it’s easy for the attacker to look up the default password.
4. The attacker successfully submits the default credentials and logs in as administrator. He has access to all user accounts.

(Figure: a scan of the web application turns up https://site.com/admin; the login form is submitted with the default credentials admin / changeme.)
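The audit a defender would run for this scenario, as an added example that is not part of the Secure Code Warrior slides: it checks every enabled account in the application's own user store against the default credentials an attacker would look up. The default list, the user table, the salts and the PBKDF2 hashing scheme are all constructed for the illustration; in practice the list is the vendor's published defaults for the framework actually in use.

```python
"""Audit a user store for accounts that still use default or vendor-shipped
credentials. Example code added for this page, not from the original slides.
The user table, the hashing scheme and the default-credential list are all
constructed for illustration."""
import hashlib
import hmac

# Constructed list of (username, password) pairs an attacker would look up for
# a given product. Replace with the vendor's published defaults for your stack.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "changeme"),
    ("admin", "password"),
    ("root", "toor"),
    ("guest", "guest"),
]

PBKDF2_ROUNDS = 100_000  # assumption: the store hashes with PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash exactly the way the application's login code does, so a default
    password produces the same digest the store holds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(username: str, password: str, salt: bytes) -> dict:
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "enabled": True}


# Constructed user store: the shipped admin account still on its default,
# an operator with a real password, and a guest account that was disabled.
USERS = [
    make_user("admin", "changeme", b"\x01" * 16),
    make_user("ops", "correct-horse-battery-staple", b"\x02" * 16),
    {**make_user("guest", "guest", b"\x03" * 16), "enabled": False},
]


def find_default_credentials(users, defaults=DEFAULT_CREDENTIALS):
    """Return (username, default_password) for every enabled account whose
    stored hash matches a known default. Disabled accounts are skipped because
    they cannot be logged into; report them separately if you re-enable
    accounts from backups. compare_digest keeps the audit itself from being a
    timing oracle if it is ever exposed as an endpoint."""
    findings = []
    for user in users:
        if not user["enabled"]:
            continue
        for name, password in defaults:
            if name != user["username"]:
                continue
            candidate = hash_password(password, user["salt"])
            if hmac.compare_digest(candidate, user["hash"]):
                findings.append((user["username"], password))
    return findings


if __name__ == "__main__":
    for username, password in find_default_credentials(USERS):
        print(f"FINDING: account '{username}' still uses default password '{password}'")
```

The check runs against hashes, so it needs no plaintext passwords and can be part of the same pipeline that provisions the server: fail the deployment when the list is non-empty rather than relying on someone remembering to change the console password by hand.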
Understanding the security vulnerability: debugging information enabled

1. A web application is running with debugging features enabled: debug info is logged to the users.
2. An attacker is trying to exploit vulnerabilities by feeding the application special input.
3. Eventually, he’s able to provoke an error. Detailed information about the error is shown on the output, since the application allows it.
4. The disclosed internal information will help the attacker with mounting a successful attack.

(Figure: the attacker submits Login: user“‘*”’(* with password: xxx, and the application responds with the raw PHP warning:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/web/rooms-dispo.org/ftp/www/netblink/004-1/index.php on line 5)
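What the two configurations look like in code, as an added example that is not from the original slides: the same error handler run with debug on, where the warning text and its file path go straight to the client, and with debug off, where the client gets only a reference id and the detail goes to the server log. The fetch_user stand-in, the probe string and the list of leak markers are constructed for the illustration.

```python
"""Error handling that separates what the user sees from what operators see.
Example code added for this page, not from the original slides. fetch_user is
a constructed stand-in for a query layer that fails on hostile input, the way
the slide's mysql_fetch_array() warning is triggered."""
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed probe in the spirit of the slide's input: quotes and parentheses
# that break a query built by string concatenation.
PROBE = "user\"'*\"'(*"


class DatabaseError(Exception):
    pass


def fetch_user(login: str) -> dict:
    """Stand-in for the data layer; raises with the kind of detail a PHP/MySQL
    warning carries (function name, absolute path, line number)."""
    if any(ch in login for ch in "'\"()*"):
        raise DatabaseError(
            "mysql_fetch_array() expects parameter 1 to be resource, boolean given "
            "in /home/web/app/index.php on line 5"  # constructed path
        )
    return {"login": login}


def handle_request(login: str, debug: bool) -> dict:
    """Return an HTTP-style response for a login attempt.

    debug=True reproduces the misconfiguration: the exception text and the
    stack trace are rendered into the response body.
    debug=False is the production behaviour: a generic message plus an opaque
    reference id for the client, the full detail only in the server log."""
    try:
        user = fetch_user(login)
        return {"status": 200, "body": f"welcome {user['login']}"}
    except DatabaseError as exc:
        if debug:
            return {"status": 500, "body": f"{exc}\n{traceback.format_exc()}"}
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s login=%r error=%s", ref, login, exc)
        return {"status": 500, "body": f"An internal error occurred (ref {ref})."}


def leaks_internals(body: str) -> bool:
    """Cheap response check an automated scan can run in a test environment:
    does the body carry the usual fingerprints of verbose error output?"""
    markers = ("Traceback", "/home/", ".php on line", "mysql_", "expects parameter")
    return any(marker in body for marker in markers)


if __name__ == "__main__":
    for debug in (True, False):
        response = handle_request(PROBE, debug)
        print(f"debug={debug}: status={response['status']} "
              f"leaks={leaks_internals(response['body'])}")
        print(response["body"])
        print()
```

The reference id is what makes the safe response usable: support staff can find the full log entry from the id the user reports, so nothing is lost by withholding the detail from the client. leaks_internals is deliberately crude; it exists to be run from a deployment check so that a build with debug left on fails before it reaches production.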
Realizing the impact

Since configuration happens at many levels, many attacks with varying impacts are possible.

A forgotten service could lead to system takeover, leading to system unavailability, reputation damage and financial loss.

A default admin password could lead to the theft of user accounts, resulting in privacy violation, reputation damage and financial loss.
Preventing the mistake

Define ‘secure settings’ and implement a process to deploy them on all the parts of the system. Easy to deploy, consistent across environments, automated.

Ensure that a strong application architecture is put in place. Effective, secure separation between components.

Run automated scans and do audits on a regular basis.

Implement a process to keep all software up to date. See also “Using Known Vulnerable Components”.
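The "define secure settings, deploy them everywhere, scan regularly" process above turned into one concrete check, added here as an example rather than taken from the slides or from any vendor's tooling. It compares a snapshot of a host's configuration against a baseline and reports every deviation, covering the slide's own cases (default admin password, unused services, debug output, outdated software). The baseline, both configuration snapshots and the rule names are constructed for the illustration; in practice the snapshot comes from the real servers and the baseline lives in version control beside the deployment automation.

```python
"""Baseline audit of a deployment's configuration against defined 'secure
settings'. Example code added to this page; not Secure Code Warrior's or any
vendor's tooling. The baseline, the two configuration snapshots and the rule
names are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # low / medium / high / critical
    setting: str    # dotted path into the configuration snapshot
    message: str


def parse_version(text: str) -> tuple:
    """'2.3.1' -> (2, 3, 1); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.split("."))


# Constructed baseline: the organisation's definition of 'secure settings'.
BASELINE = {
    "min_app_version": "2.4.0",
    "min_tls_version": "1.2",
    "allowed_services": {"http", "ssh"},
    "accounts_that_must_be_disabled": {"guest"},
}

# Constructed snapshot of a misconfigured host, as a collector would return it.
DEPLOYED_CONFIG = {
    "app": {"debug": True, "version": "2.3.1"},
    "admin_console": {"enabled": True, "path": "/admin", "default_password_changed": False},
    "web_server": {"directory_listing": True, "tls_min_version": "1.0",
                   "server_header": "Apache/2.4.41 (Ubuntu)"},
    "services": ["http", "ssh", "ftp", "telnet"],
    "accounts": [{"name": "admin", "enabled": True}, {"name": "guest", "enabled": True}],
}

# The same host after the secure settings have been applied.
HARDENED_CONFIG = {
    "app": {"debug": False, "version": "2.4.2"},
    "admin_console": {"enabled": False, "path": "/admin", "default_password_changed": True},
    "web_server": {"directory_listing": False, "tls_min_version": "1.2", "server_header": ""},
    "services": ["http", "ssh"],
    "accounts": [{"name": "admin", "enabled": True}, {"name": "guest", "enabled": False}],
}


def audit(config: dict, baseline: dict) -> list:
    """Return every deviation from the baseline as a Finding; an empty list
    means the snapshot is compliant."""
    findings = []
    app, console, web = config["app"], config["admin_console"], config["web_server"]

    if app.get("debug"):
        findings.append(Finding("high", "app.debug",
                                "debug mode is on: error details and paths will reach clients"))
    if parse_version(app["version"]) < parse_version(baseline["min_app_version"]):
        findings.append(Finding("high", "app.version",
                                f"{app['version']} is older than required {baseline['min_app_version']}"))
    if console.get("enabled") and not console.get("default_password_changed"):
        findings.append(Finding("critical", "admin_console",
                                f"console at {console['path']} is reachable with its default password"))
    if web.get("directory_listing"):
        findings.append(Finding("medium", "web_server.directory_listing",
                                "directory listing exposes files that are not linked from the site"))
    if parse_version(web["tls_min_version"]) < parse_version(baseline["min_tls_version"]):
        findings.append(Finding("high", "web_server.tls_min_version",
                                f"TLS {web['tls_min_version']} accepted; require {baseline['min_tls_version']}+"))
    if web.get("server_header"):
        findings.append(Finding("low", "web_server.server_header",
                                "version banner tells an attacker which defaults and exploits to try"))
    for service in sorted(set(config["services"]) - baseline["allowed_services"]):
        findings.append(Finding("medium", f"services.{service}",
                                "service is not on the approved list: disable or remove it"))
    for account in config["accounts"]:
        if account["enabled"] and account["name"] in baseline["accounts_that_must_be_disabled"]:
            findings.append(Finding("medium", f"accounts.{account['name']}",
                                    "built-in account should be disabled"))
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity present, or 'none'; useful as the gate for a deploy."""
    order = ["low", "medium", "high", "critical"]
    return max((f.severity for f in findings), key=order.index, default="none")


if __name__ == "__main__":
    for name, config in (("deployed", DEPLOYED_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(config, BASELINE)
        print(f"{name}: {len(results)} finding(s), worst={worst_severity(results)}")
        for finding in results:
            print(f"  [{finding.severity}] {finding.setting}: {finding.message}")
```

Because the baseline is data rather than a checklist in a document, the same audit runs unchanged against development, staging and production, which is the "consistent across environments" point above; wiring worst_severity into the deployment pipeline (fail on high or critical) is what turns the regular scan from a report into a control.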
