free web tracker
Get Quote

Serving Industries Worldwide

Innovative Ways - Satisfied Clientele

OWASP Vulnerability: Security Misconfiguration

iFour Team - 4 Aug 2017

alt text
Today’s web application is much more complex than they were in the past. These applications developed by web development companies have numerous layers due to which it increases the surface for any potential attack. During the development, deployment, ongoing use, and maintenance process of the web application, it is very important that proper security safeguards are kept by software development companies to reduce any potential ends for exploitation. We need to ensure that the security settings are configured and are checked frequently to protect an organization’s assets.

HOW CAN THE VULNERABILITY BE COMPROMISED?

As security misconfiguration is a broad category it is one of the common vulnerabilities found in web applications and are hence very easily manipulated too. Web applications are built on multiple layers and hence making mistakes in the configuration in one of the layers is quite common.

The vulnerability can be compromised in the following ways:

  • Application server allows stack traces to be returned to the users, specially displays error messages which relieve extra information about the details of the system.
  • Application servers comes with sample apps that are not secured and if these are not removed from the production server that will result in compromising the server.
  • If the directory listing is not disabled on server and if the attacker gains access on the same then the attacker can very easily list directories and execute it.
  • It is also possible to gain access to the actual code which has all the custom code.

How you can discover security misconfigurations 

First you need to start looking over the system.

  • Are there any default accounts there? If yes then are their passwords changed regularly
  • If it is possible to put better security in the framework, are those possibilities chosen?
  • Does the error message reveal confidential information to the users?
  • Is there any unnecessary features included which can be removed?

AFFECTED ITEMS AND SEVERITY

Affected items: Server

Severity: High

The impact to the application varies and it depends on the nature of the misconfiguration.

DESCRIPTION

It is the fifth most critical web application security risk according to OWASO Top ten lists.

Security misconfiguration is nothing but incorrectly assembling the safeguards of the web application. Such risks occur when holes are left open in the framework by the developers, DBAs or the administrator. This can occur at any level such as web server, application server, platform, database, custom code or frameworks etc. Such misconfigurations can guide the hacker into the system and this could result in partial or total compromised system.

Attackers can easily find these vulnerabilities through default accounts, un-patched flaws, unprotected files, directories, unused web pages and many more.

RECOMMENDATIONS TO MITIGATE THE RISKS (AVOID/ REDUCE/ TRANSFER THE RISKS)

Security misconfiguration is very easily exploitable but there are number of ways to prevent them. The developers should work with the administrators to make sure that the stack is properly configured.

Following are some of the recommendations for the industry experts:

  • Reduce the surface of the vulnerability with a repeatable process
  • Keep the software up to date
  • Disable all the default accounts and change passwords regularly
  • Develop strong app architecture and encrypt data which has sensitive information.
  • Make sure that the security settings in the framework and libraries are set to secured values.
  • Perform regular audits and run tools to identify the holes in the system
  • Use the same configuration for production, development and staging as inconsistencies opens the gate for many misconfigurations.
  • Automate the system wherever possible to avoid the human errors.

Testing for SQL Injection

Using the Burp suite to Test Security Misconfiguration Issues

Firstly ensure that burp suite is configured to your browser

Keep intercept off in the Proxy tab

DNN software development in india

Now open the page of the web application you want to test.

OWASP Vulnerability

Now go to burp and select the ‘target’ tab and click on ‘site map’

Locate your application’s name there and choose one of the directories randomly whic the user can access in the application. Here eg. Add attachment.

Click on the link and press spider the branch.

OWASP Vulnerability

Select one of the directories from the ‘site map’ and explore further.

Return to the browser and add the name of the directory to the URL eg.: https://...../addattachment/

Explore all the links, files and directories you are able to find.

OWASP Vulnerability

OWASP Vulnerability

Here you will see that the details of the server and other unnecessary information are displayed in the error message which could be a hole for the attacker to attack the system further.

Tags

.net .NET Core .NET Core vs .NET framework 3D Mobile Application Development AGILE Amazon API Android Angular Angular 7 Angular 7 features Angular 7 improvements Angular 7 updates Angular Framework Angular Js AngularJS asp.net ASP.Net Core ASP.Net Core Software Companies Augmented Reality aureliaJS Authentication in Ionic 4 AWS Azure AD backboneJS big data bitcoin Blockchain Blockchain Adoption Blockchain Archietecture Blockchain Component Blockchain Component and Consensus Mechanism Blockchain Component and Markel Tree Blockchain Consensus Algorithm Blockchain Consulting Blockchain Consulting Companies India Blockchain Development Blockchain Development Company Blockchain Development Cycle and Development Cycle Blockchain Distributed System and Distributed System Blockchain Healthcare Industry Blockchain Platforms blockchain software companies Blockchain Technology Blockchain technology and Blockchain software companies Blockchain Uses c# categories Chart FX Charting tools Cheque payments CMS Contract in Solidity crm Cross-Site Scripting Cryptocurrency custom software companies custom software development Custom software development in India DevExpress digital currency Digital India Digital locker Digital Payment DotNetNuke E-Governance ecommerce solution ecommerce solution providers EFTPOS payments eGovernance Ember Js emberJS Enterprise resource planning erp Ethereum Etherium Features of ASP.Net core Features of Node 12 Fusion Chart Google Assistant hadoop HDFS Helathcare Industry Highcharts Hybrid Mobile App Hyperledger and Quorum Improvement of Node 12 Infragistics Insecure direct object references insufficient attack detection Insurance Insurance Industry and Blockchain Technology in Insuranc Ionic 3 Ionic 3 vs Ionic 4 Ionic 4 Javascript JavaScript Add-in JavaScript frameworks JSON-RPC Kentico knockoutJS Ledger Technology Litecoin and Ri Meteor Js MeteorJS Microsoft Chart Mobile app development company mongodb MongoDB and Blockchain software companies Multichain Blockchain MVC MWS Nevron nHibernate Node 12 Node JS Node JS App Development Node JS Development Node JS Framework nodejs NodeJS Development NodeJS Technology NodeJS Web Development NopCommerce NoSQL Online payments ORM Parity Payment gateways Permissioned Blockchain PHP Frameworks POC polymerJS PowerShell private blockchain Project management public blockchain React React Framework React Js React vs Angular ReactJS SciChart SCRUM Secure web application Shopify SignalR Siri of apple Smart Contracts Software software development software outsourcing Software outsourcing companies india Solidity Supply Chain Management Technology News Telerik AppBuilder Telerik RadChart Top 10 PHP Frameworks Typescript uCommerce Umbraco Unvalidated Redirects and Forwards Use of Blockchain in Businesses vb.net Virto commerce Visual Studio Code VMO VSTO VSTO Add-in Vue Framework Vue Js Vue.js vueJS web application security Web Designing Web development Web software development companies Xamarin Znode


category

recent post

  • 18 Oct 2019 Introduction Blockchain technology has penetrated deep into several... [ more ]
  • 16 Oct 2019 Introduction: "In early April, Node published version 12 (codename... [ more ]
  • 28 Sep 2019 Ionic 4 is using Angular Routing, so it becomes very simple to add... [ more ]

archive