OWASP Vulnerability: Security Misconfiguration
iFour Team - 4 Aug 2017
Web applications are much more complex than they were in the past, and the software development companies that build them have to close every potential avenue for exploitation. Security settings need to be configured correctly and checked frequently to protect an organization's assets.
HOW CAN THE VULNERABILITY BE COMPROMISED?
Security misconfiguration is a broad category and one of the most common vulnerabilities found in web applications, which also makes it easy to exploit. Web applications are built on multiple layers (web server, application server, framework, database, custom code), and a mistake in the configuration of any one of those layers is quite common.
The vulnerability can be exploited in the following ways:
- The application server returns stack traces to users, or displays error messages that reveal extra information about the internals of the system (framework and version, file paths, database details).
- Application servers ship with sample applications that are not secured; if these are not removed from the production server, an attacker can use them to compromise the server.
- If directory listing is not disabled on the server, an attacker can list the contents of directories, locate files that were never meant to be served (backups, configuration files, upload folders) and request them directly.
- Through those listings or leaked paths it is also possible to retrieve the application's source, including all of the custom code.
How you can discover security misconfigurations
First you need to look over the whole system and ask:
- Are there any default accounts? If so, have their default passwords been changed, and are the passwords rotated regularly?
- If the framework offers stronger security settings, have those options been chosen?
- Do error messages reveal confidential information to users?
- Are there any unnecessary features, services or sample applications included that could be removed?
AFFECTED ITEMS AND SEVERITY
Affected items: Server
The impact to the application varies and it depends on the nature of the misconfiguration.
It is the fifth most critical web application security risk (A5) in the OWASP Top Ten list (2013 edition).
Security misconfiguration is nothing but incorrectly assembling the safeguards of the web application. Such risks occur when holes are left open in the stack by developers, DBAs or administrators. This can occur at any level: web server, application server, platform, database, custom code or frameworks. Such misconfigurations can guide an attacker into the system and result in a partial or total compromise.
Attackers find these vulnerabilities easily through default accounts, unpatched flaws, unprotected files and directories, unused web pages and similar weaknesses.
RECOMMENDATIONS TO MITIGATE THE RISKS (AVOID/ REDUCE/ TRANSFER THE RISKS)
Security misconfiguration is very easy to exploit, but there are a number of ways to prevent it. Developers should work with administrators to make sure that the whole stack is properly configured.
Following are some of the recommendations from industry experts:
- Reduce the attack surface with a repeatable hardening process
- Keep all software, including libraries and frameworks, up to date with patches
- Disable or remove default accounts; where an account must stay, change its password and rotate it regularly
- Develop a strong application architecture that separates components and encrypts sensitive data.
- Make sure that the security settings in the frameworks and libraries are set to secure values rather than left at their defaults.
- Perform regular audits and run scanning tools to identify holes in the system
- Use the same configuration for production, development and staging (with different credentials in each), as inconsistencies open the gate for many misconfigurations.
- Automate the hardening and deployment process wherever possible to avoid human error.
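As an added example (not code from the original article or from OWASP), the following Python script audits an Apache httpd configuration for the weak settings behind the misconfigurations discussed above (verbose server banners, directory listing, TRACE enabled) and diffs a development configuration against a production one so that environment drift is visible. The directive names are real Apache directives; the two configuration snippets are constructed for illustration.

```python
"""Audit Apache httpd configuration text for common security misconfigurations.

Added example: parses directive lines, flags values that expose too much, and
compares two environments so that drift between dev and prod is visible.
Section scoping (<Directory>, <VirtualHost>) is ignored: the last occurrence
of a directive wins in the diff, so run it per-vhost for precise results.
"""

# Directive -> (values that are a finding, recommended replacement line).
WEAK_SETTINGS = {
    "ServerTokens": ({"full", "os", "minor", "minimal", "major"}, "ServerTokens Prod"),
    "ServerSignature": ({"on", "email"}, "ServerSignature Off"),
    "TraceEnable": ({"on", "extended"}, "TraceEnable Off"),
}


def parse_directives(text):
    """Return [(directive, [args])] for every non-comment, non-section line."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank line, comment, or <Section>/</Section> tag
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def audit(text):
    """Return a list of human-readable findings for one configuration."""
    findings = []
    for name, args in parse_directives(text):
        if name == "Options":
            # "Indexes" or "+Indexes" turns on mod_autoindex directory listings;
            # "-Indexes" explicitly removes it and is the hardened form.
            if any(tok.lstrip("+").lower() == "indexes" for tok in args):
                findings.append("Options enables directory listing; use 'Options -Indexes'")
        elif name in WEAK_SETTINGS and args:
            bad_values, fix = WEAK_SETTINGS[name]
            if args[0].lower() in bad_values:
                findings.append(f"{name} {args[0]} discloses or exposes too much; use '{fix}'")
    return findings


def diff_configs(left, right):
    """Directive names whose effective value differs between two configurations."""
    def as_map(text):
        return {name: " ".join(args) for name, args in parse_directives(text)}
    a, b = as_map(left), as_map(right)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


# Constructed sample configurations (not taken from any real server).
DEV_CONF = """\
# development box: everything left at verbose defaults
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

PROD_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
"""

if __name__ == "__main__":
    for finding in audit(DEV_CONF):
        print("dev:", finding)
    print("drift between dev and prod:", diff_configs(DEV_CONF, PROD_CONF))
```

Running the script reports four findings for the development configuration and none for production, and the diff lists exactly the four directives that differ; in a hardening pipeline the diff output is what should be empty once credentials are factored out into separate files.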
TESTING FOR SECURITY MISCONFIGURATION
Using Burp Suite to Test for Security Misconfiguration Issues
First, make sure your browser is configured to send its traffic through the Burp Suite proxy.
Keep Intercept off in the Proxy tab.
Now open the page of the web application you want to test.
Now go to Burp, select the 'Target' tab and click on 'Site map'.
Locate your application's host there and choose one of the directories the user can access in the application, e.g. Add attachment.
Right-click the link and choose 'Spider this branch'.
Select one of the directories from the 'Site map' and explore further.
Return to the browser and add the name of the directory to the URL, e.g. https://...../addattachment/
Explore all the links, files and directories you are able to find.
Here you will see that details of the server and other unnecessary information are displayed in the error message (or a directory listing is returned), which could be a hole an attacker uses to attack the system further.
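What the walkthrough above finds by hand, and the exploitation paths listed under "How can the vulnerability be compromised?", can also be checked mechanically. The following Python script is an added example (not part of the original article and not a Burp feature): it scans raw HTTP responses, such as those copied from Burp's Proxy history, for directory-listing pages, framework stack traces and headers that disclose software versions. The three responses it runs on are constructed for illustration, and the /addattachment/ path is the hypothetical one used above.

```python
"""Flag security-misconfiguration signatures in raw HTTP responses.

Added example: offline, no network access. Feed it the text of a response as
captured by a proxy (status line, headers, blank line, body).
"""
import re

# Markers of an auto-generated directory listing (Apache mod_autoindex,
# nginx autoindex, IIS directory browsing).
DIR_LISTING_PATTERNS = [
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"Parent Directory", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
]

# Fragments that appear only when a framework echoes its stack trace to the client.
STACK_TRACE_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),   # Python
    re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)"),          # Java
    re.compile(r"Stack Trace:|\[\w+Exception\]"),          # ASP.NET
    re.compile(r"Fatal error: .* in /\S+ on line \d+"),    # PHP
]

# Banner headers are only a finding when they carry a version number.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_response(raw):
    """Split a raw response into (status_code, {header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_response(raw):
    """Return the misconfiguration findings for one response, in a fixed order."""
    status, headers, body = parse_response(raw)
    findings = []
    # A listing only matters when the server actually served it (200), not
    # when the string happens to appear in a custom 403 page.
    if status == 200 and any(p.search(body) for p in DIR_LISTING_PATTERNS):
        findings.append("directory listing enabled")
    if any(p.search(body) for p in STACK_TRACE_PATTERNS):
        findings.append("stack trace returned to client")
    for name in BANNER_HEADERS:
        if name in headers and VERSION_RE.search(headers[name]):
            findings.append(f"version disclosed in {name} header: {headers[name]}")
    return findings


# Constructed sample responses (not captured from a real system).
LISTING = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.25 (Debian)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /addattachment</title></head><body>"
    '<h1>Index of /addattachment</h1><a href="/">Parent Directory</a>'
    '<a href="upload.php">upload.php</a><a href="db.bak">db.bak</a></body></html>'
)

TRACE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>HTTP Status 500</h1><pre>java.lang.NullPointerException\n"
    "\tat com.example.attach.UploadServlet.doPost(UploadServlet.java:42)\n</pre>"
)

HARDENED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not found</h1>"
)

if __name__ == "__main__":
    for label, raw in (("listing", LISTING), ("trace", TRACE), ("hardened", HARDENED)):
        print(label, "->", check_response(raw) or "no findings")
```

The listing response produces two findings (directory listing plus an Apache version in the Server header), the error page produces two (a Java stack trace plus the Tomcat connector version), and the hardened 404 produces none, which is the result a correctly configured server should give for every path the spider discovers.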