Get Quote

Serving Industries Worldwide

Innovative Ways - Satisfied Clientele

OWASP Vulnerability: Security Misconfiguration

iFour Team - 4 Aug 2017

Listening is fun too.

Straighten your back and cherish with coffee - PLAY !

 
 

Owasp Vulnerability
Today’s

web application

is much more complex than they were in the past. These applications developed by

web development companies

have numerous layers due to which it increases the surface for any potential attack. During the development, deployment, ongoing use, and maintenance process of the web application, it is very important that proper security safeguards are kept by software development companies to reduce any potential ends for exploitation. We need to ensure that the security settings are configured and are checked frequently to protect an organization’s assets.

Table of Content

HOW CAN THE VULNERABILITY BE COMPROMISED?

As security misconfiguration is a broad category it is one of the common vulnerabilities found in web applications and are hence very easily manipulated too. Web applications are built on multiple layers and hence making mistakes in the configuration in one of the layers is quite common.

The vulnerability can be compromised in the following ways:

  • Application server allows stack traces to be returned to the users, specially displays error messages which relieve extra information about the details of the system.
  • Application servers comes with sample apps that are not secured and if these are not removed from the production server that will result in compromising the server.
  • If the directory listing is not disabled on server and if the attacker gains access on the same then the attacker can very easily list directories and execute it.
  • It is also possible to gain access to the actual code which has all the custom code.

How you can discover security misconfigurations 

First you need to start looking over the system.

  • Are there any default accounts there? If yes then are their passwords changed regularly
  • If it is possible to put better security in the framework, are those possibilities chosen?
  • Does the error message reveal confidential information to the users?
  • Is there any unnecessary features included which can be removed?
 

Read More: Owasp Vulnerability: Missing Function Level Access Control

 

AFFECTED ITEMS AND SEVERITY

Affected items: Server

Severity: High

The impact to the application varies and it depends on the nature of the misconfiguration.

DESCRIPTION

It is the fifth most critical web application security risk according to OWASO Top ten lists.

Security misconfiguration is nothing but incorrectly assembling the safeguards of the web application. Such risks occur when holes are left open in the framework by the developers, DBAs or the administrator. This can occur at any level such as web server, application server, platform, database, custom code or frameworks etc. Such misconfigurations can guide the hacker into the system and this could result in partial or total compromised system.

Attackers can easily find these vulnerabilities through default accounts, un-patched flaws, unprotected files, directories, unused web pages and many more.

RECOMMENDATIONS TO MITIGATE THE RISKS (AVOID/ REDUCE/ TRANSFER THE RISKS)

Security misconfiguration is very easily exploitable but there are number of ways to prevent them. The developers should work with the administrators to make sure that the stack is properly configured.

Following are some of the recommendations for the industry experts:

  • Reduce the surface of the vulnerability with a repeatable process
  • Keep the software up to date
  • Disable all the default accounts and change passwords regularly
  • Develop strong app architecture and encrypt data which has sensitive information.
  • Make sure that the security settings in the framework and libraries are set to secured values.
  • Perform regular audits and run tools to identify the holes in the system
  • Use the same configuration for production, development and staging as inconsistencies opens the gate for many misconfigurations.
  • Automate the system wherever possible to avoid the human errors.

Testing for SQL Injection

Using the Burp suite to Test Security Misconfiguration Issues

Firstly ensure that burp suite is configured to your browser

Keep intercept off in the Proxy tab

DNN software development in india

Now open the page of the web application you want to test.

OWASP Vulnerability

Now go to burp and select the ‘target’ tab and click on ‘site map’

Locate your application’s name there and choose one of the directories randomly whic the user can access in the application. Here eg. Add attachment.

Click on the link and press spider the branch.

OWASP Vulnerability

Select one of the directories from the ‘site map’ and explore further.

Return to the browser and add the name of the directory to the URL eg.: https://...../addattachment/

Explore all the links, files and directories you are able to find.

OWASP Vulnerability

OWASP Vulnerability

 

Looking to Hire Dedicated ASP.Net Developer ?

Contact Now

Here you will see that the details of the server and other unnecessary information are displayed in the error message which could be a hole for the attacker to attack the system further.

Owasp Vulnerability
Today’s

web application

is much more complex than they were in the past. These applications developed by

web development companies

have numerous layers due to which it increases the surface for any potential attack. During the development, deployment, ongoing use, and maintenance process of the web application, it is very important that proper security safeguards are kept by software development companies to reduce any potential ends for exploitation. We need to ensure that the security settings are configured and are checked frequently to protect an organization’s assets.

Table of Content

HOW CAN THE VULNERABILITY BE COMPROMISED?

As security misconfiguration is a broad category it is one of the common vulnerabilities found in web applications and are hence very easily manipulated too. Web applications are built on multiple layers and hence making mistakes in the configuration in one of the layers is quite common.

The vulnerability can be compromised in the following ways:

  • Application server allows stack traces to be returned to the users, specially displays error messages which relieve extra information about the details of the system.
  • Application servers comes with sample apps that are not secured and if these are not removed from the production server that will result in compromising the server.
  • If the directory listing is not disabled on server and if the attacker gains access on the same then the attacker can very easily list directories and execute it.
  • It is also possible to gain access to the actual code which has all the custom code.

How you can discover security misconfigurations 

First you need to start looking over the system.

  • Are there any default accounts there? If yes then are their passwords changed regularly
  • If it is possible to put better security in the framework, are those possibilities chosen?
  • Does the error message reveal confidential information to the users?
  • Is there any unnecessary features included which can be removed?
 

Read More: Owasp Vulnerability: Missing Function Level Access Control

 

AFFECTED ITEMS AND SEVERITY

Affected items: Server

Severity: High

The impact to the application varies and it depends on the nature of the misconfiguration.

DESCRIPTION

It is the fifth most critical web application security risk according to OWASO Top ten lists.

Security misconfiguration is nothing but incorrectly assembling the safeguards of the web application. Such risks occur when holes are left open in the framework by the developers, DBAs or the administrator. This can occur at any level such as web server, application server, platform, database, custom code or frameworks etc. Such misconfigurations can guide the hacker into the system and this could result in partial or total compromised system.

Attackers can easily find these vulnerabilities through default accounts, un-patched flaws, unprotected files, directories, unused web pages and many more.

RECOMMENDATIONS TO MITIGATE THE RISKS (AVOID/ REDUCE/ TRANSFER THE RISKS)

Security misconfiguration is very easily exploitable but there are number of ways to prevent them. The developers should work with the administrators to make sure that the stack is properly configured.

Following are some of the recommendations for the industry experts:

  • Reduce the surface of the vulnerability with a repeatable process
  • Keep the software up to date
  • Disable all the default accounts and change passwords regularly
  • Develop strong app architecture and encrypt data which has sensitive information.
  • Make sure that the security settings in the framework and libraries are set to secured values.
  • Perform regular audits and run tools to identify the holes in the system
  • Use the same configuration for production, development and staging as inconsistencies opens the gate for many misconfigurations.
  • Automate the system wherever possible to avoid the human errors.

Testing for SQL Injection

Using the Burp suite to Test Security Misconfiguration Issues

Firstly ensure that burp suite is configured to your browser

Keep intercept off in the Proxy tab

DNN software development in india

Now open the page of the web application you want to test.

OWASP Vulnerability

Now go to burp and select the ‘target’ tab and click on ‘site map’

Locate your application’s name there and choose one of the directories randomly whic the user can access in the application. Here eg. Add attachment.

Click on the link and press spider the branch.

OWASP Vulnerability

Select one of the directories from the ‘site map’ and explore further.

Return to the browser and add the name of the directory to the URL eg.: https://...../addattachment/

Explore all the links, files and directories you are able to find.

OWASP Vulnerability

OWASP Vulnerability

 

Looking to Hire Dedicated ASP.Net Developer ?

Contact Now

Here you will see that the details of the server and other unnecessary information are displayed in the error message which could be a hole for the attacker to attack the system further.

Leave Comments

Tags

.net .Net 5 .Net Applications .NET Core .Net Core 3.0 .Net Core Developer .Net Core Development .Net Core Libraries .NET Core vs .NET framework .Net Development .Net Development Tools .Net Framework 4.8 .Net Framework 5.0 .Net Localization .Net Productivity .Net Software Development .Net Trends .Net Web Development .Net5 3D Mobile Application Development Accounting Software Accounting Software for Medium Enterprises Accounting Software for Small Businesses Action Filters in ASP.Net Action Filters in Asp.Net Core Adoption of ar in Instagram Advanced SEO Techniques AGILE Agile Management AI AI Solutions Amazon API Android Android App Development Angular Angular 11 Angular 2+ Angular 7 Angular 7 features Angular 7 improvements Angular 7 updates Angular 9 Angular 9 Cons Angular 9 Features Angular 9 Pros Angular Animations Angular App Development Angular Application Development Angular CLI Angular Development Angular Framework Angular Js Angular Localization Angular Localization with Ivy Angular RxJS Angular vs AngularJS AngularJS AngularJS Development App Development App Store Optimization App Themes for Xamarin.forms Application Development Artificial Intelligence ASO asp.net ASP.Net App Development ASP.Net CMS ASP.Net CMS for Web Development ASP.Net Core ASP.Net Core 3.0 ASP.Net Core API ASP.Net Core API with Entity Framework ASP.Net Core Development ASP.Net Core Improvements ASP.Net Core Software Companies ASP.Net Development ASP.Net Swagger ASP.Net vs ASP.Net Core asp.net web application Augmented Reality aureliaJS Authentication in .Net5 Authentication in Ionic 4 Authentication in Swagger .Net5 Autowire in WPF Aviation Aviation Software Development AWS AWS Cloud Platform Azure Azure AD Azure Cloud Platform Azure SDK Azure SDK Architecture Azure vs AWS Azure Web App backboneJS Backend Services Backend Services using HTTP Backend Technology Best CRM Tools Best Platform for eCommerce Development big data Big Data Analytics Binding in WPF bitcoin Blazor Blazor Web Assembly Blockchain Blockchain Adoption Blockchain Archietecture Blockchain Component Blockchain Component and Consensus Mechanism Blockchain Component and Markel Tree Blockchain Consensus Algorithm Blockchain Consulting Blockchain Consulting Companies India Blockchain Development Blockchain Development Company Blockchain Development Cycle and Development Cycle Blockchain Distributed System and Distributed System Blockchain Healthcare Industry Blockchain Platforms blockchain software companies Blockchain Technology Blockchain technology and Blockchain software companies Blockchain Uses Boilerplate Boilerplate Entity Framework Brand Awareness Brand Visibility Build Angular Applications c# C# 9 C# Development C# Markup C# Software Development C# Web Development categories Challenges in Magento Migration Challenges with Cloud Migration Change Detection in Angular Chart FX Charting tools Cheque payments Choose between Azure and AWS Class Library in .Net Core Cloud Cloud Migration Cloud Platform Cloud Revolutionizing Cloud Services Cloud Technology CMS Code Generation Code Management Code Management Software Command Query Responsibility Segregation Common Cloud Migration Challenges Common Mistakes of Guest Blogging Common SEO Mistakes Configuring ESLint in Angular 11 Construction Construction Software Development Content Management System Contract in Solidity Copyright Registrat Copyright Registration Copyright Registration for Games Copyright Registration for IT Products Copyright Registration for Software COVID-19 Pandemic CQRS Create a Shared Library in .Net Core Create Login using SQLite Database crm Cross Platform Web Apps Cross-Site Scripting Cryptocurrency csrf csrf in asp.net csrf in asp.net web applications Custom Angular Schematics Custom Education Software Development Custom Environment Software Development Custom Software Benefits custom software companies custom software development Custom software development in India Custom Software Solutions Data Security database database backup database backup strategy DataContext in WPF DBA Deadly SEO Mistakes Debug Time Productivity Debugging Tools of C# Deep Zoom in Wpf Dependency Injection Dependency Injection in Asp.Net Core Design Patterns in C# DevExpress DevOps DevOps Tools Different Ways of Binding in WPF digital currency Digital India Digital locker Digital Payment Docker Docker in NodeJS DotNetNuke E-Governance E-learning Development eCommerce eCommerce Development eCommerce Platform ecommerce solution ecommerce solution providers eCommerce Solutions eCommerce Tools eCommerce Trends Education Development Education Technology Trends EFTPOS payments eGovernance ELMAH Email Marketing Email Marketing Tips Ember Js emberJS Emer Emerging eCommerce Trends Emerging Technology Trends for Constructi Encrypted Session Data Encrypted Session Data in Browser Encryption in Asp.Net Core Enterprise resource planning Enterprise Software Outsourcing Entertainment Industry Entertainment Software Development Entity Framework Environment Environment Software Development erp ERP Solutions ERP Solutions for Large Enterprises ERP Solutions for Small Enterprises ERP System Error Handling in Angular RxJS ESLint in Angular 11 Ethereum Etherium EventToCommand Behavior Evolution of NodeJS Excel Office Add-in Factors to Choose eCommerce Platform Fallback in WPF Features in Typescript 4.2 Features of ASP.Net core Features of Node 12 File Upload in Angular Finance Technology Trends Fleet Development Fleet Software Development Fleet Technology Trends Frontend Development Frontend Language Frontend Technology Fusion Chart Future of Mobile App Development Companies Future of Telemedicine Garbage Collector Changes Garbage Collector Changes in .Net Gas Delivery App Git Experience Globalization in .Net Core Google Assistant Grow your Online Business gRPC gRPC in .Net Core Guest Blogging hadoop Handling Errors in .Net Core Hangfire in .Net Hashing in Asp.Net Core HDFS Healthcare Healthcare Applications Healthcare Development Healthcare Technology Trends Healthcare Trends Helathcare Industry Highcharts Hire ASP.Net Developer Hire Software Developer Hire Web Developer Hospitality Hospitality Development Hospitality Technology Trends How to Create a Shared Library in .Net How to Improve Debug Time Productivity How to Store Encrypted Session Data in Browser HTTP Hybrid Mobile App Hybrid Mobile App Development Hyperledger and Quorum IaaS Ideas to Build MVP Implement File Upload in Angular Improvement of Node 12 Improvements to XAML Tooling Infragistics Insecure direct object references Instagram insufficient attack detection Insurance Insurance Industry and Blockchain Technology in Insuranc Introduction of .Net 5 Introduction of C# 9 Introduction of Deep Zoom Introduction of Deep Zoom in Wpf Introduction to Azure Introduction to Azure SDK Architecture Ionic 3 Ionic 3 vs Ionic 4 Ionic 4 Javascript JavaScript Add-in Javascript based Excel Office Add-in JavaScript frameworks JSON-RPC Kentico knockoutJS Lead Generation Learning Management Systems Ledger Technology Legal Software Development Legal Technology Trends Linkedin Marketing LINQ Litecoin and Ri LMS Localization in .Net Core Login using SQLite Database Magento Migration Make Database Faster Make Database Secure Manifest in Office Add-in Marketing Marketing Platforms 2020 Marketing Strategies Marketing Strategies during Pandemic Marketing Strategies for Software Companies MEAN MEAN Stack Development MEAN vs MERN MERN Mern Stack Development Meteor Js MeteorJS Microsoft Azure Microsoft Chart Middleware in ASP.Net Core Migrating ESLint in Angular 11 Mini-Profiler in C# Minimize Downtime while WFH Minimize Productivity Loss Mobile App Development Mobile app development company Mobile App Development Ideas mongodb MongoDB and Blockchain software companies Multi Cloud Aoption Multichain Blockchain Multilingual in Xamarin Forms MVC MVC Development MVP MVP Development MVVM View Model MWS Need of Angular CLI Net Core Nevron New Features in Typescript 4.2 Ngstyle in Angular Ngx Infinite Scroller Ngx Infinite Scroller using Angular Application nHibernate Node 12 Node JS Node JS App Development Node JS Development Node JS Framework nodejs NodeJS 14 NodeJS Development NodeJS History NodeJS Technology NodeJS Web Development NopCommerce NoSQL Office Add-in Online payments Online Text Editors for Students ORM Outsource Business Outsource Web Development Outsourcing Development Services Outsourcing Projects PaaS Page Navigation in Xamarin.Forms Parity Payment gateways performance improvements in .net 5 Permissioned Blockchain PHP Frameworks Plugins in Xamarin POC Podcast SEO polymerJS PowerShell Privacy and Security private blockchain Product Development Product Development Mistakes Product Software Development Product Technical Audit Programming Languages Project Brief Project management Project Management Mistakes Project Management Software Project Management Software Recommendations Project Management Tools Public APIs in ASP.Net Core public blockchain QA Quality Assurance Quality Assurance Strategies Questions for Software Developers Random in Asp.Net Core Razor Razor Pages Razor Pages Vs MVC Razor View Engine React React Framework React Js React vs Angular ReactJS Repository in .Net Core Repository in ASP.Net MVC Rise of SaaS Roslyn Routed Events Routed Events in WPF Routing in ASP.Net Core Routing in MVC RxJS RxJS Library SaaS SaaS Propositions SaaS vs IaaS vs PaaS Save Cost with Azure Save Cost with Microsoft Azure Schema Markup Schema Markup in SEO SciChart SCRUM SCRUM Implementation SCRUM Myths SCRUM Tools scrum workflow Secure ASP.Net Core Web App Secure web application Security Testing Security Testing in Healthcare Applications Security Tips for .Net App Development Security Tips for .Net Development Security Tips for eCommece Sell Products Online SEO SEO Marketing SEO Mistakes SEO Mistakes to Avoid SEO Techniques SEO Tips for Podcast SEO Tools Serilog in ASP.Net Core Setup Angular in System Shared Library Shared Library in .Net Core Shopify SignalR Simplifying Visual State Manager Simplifying Visual State Manager with Targetname Siri of apple Smart Contracts Software Software Audit Software Developer software development Software Development Agency Software Development Company Software Development Project plan Software Development Trends Software Monitoring Tools software outsourcing Software Outsourcing Agency Software Outsourcing Challenges Software outsourcing companies india Software Product Software Product KPIs Software Product Technical Audit Software Requirement Software Requirements Management Tips Software Technical Audit Solidity SPA in ASP.Net Core SQLite Database Store Encrypted Session Data in Browser Successful MVP Ideas Supply Chain Management Target Null Values in WPF Technology News Technology Trends Technology Trends for Aviation Development Technology Trends for Construction Industry Technology Trends for Entertainment Industry Technology Trends for Environment Industry Telerik AppBuilder Telerik RadChart Template based Code Generation Test Driven Development Test Driven Development in MVC Text Editors Tips for Managing Multiple Projects Top 10 PHP Frameworks Training Systems Treeview in WPF Tutoring Software Development Typescript Typescript 4.2 uCommerce Umbraco Understand @output in Angular Understand eventemitter in Angular Understand Routed Events in WPF Unit Testing Middleware Unvalidated Redirects and Forwards Upgrade .Net Framework 4.8 application to .Net Framework 5.0 Usability Use Microsoft Azure Use of Blockchain in Businesses Useful Plugins in Xamarin User-Friendliness Using LINQ in .Net Core Validation Tag Helpers in .Net Core vb.net VB.Net Development Verify OTP in Android Verify OTP in Android without SMS Read Permission Video Conferencing Software Development Virto commerce Visual State Manager Visual State Manager with Targetname Visual Studio Visual Studio 2019 Visual Studio 2019 Version 16.7 Visual Studio Code Visual Studio Extensions VMO VSTO VSTO Add-in Vue Framework Vue Js Vue.js vueJS WCF Development web api web application security Web Apps in Azure Web Designing Web Developer Web Developer Skills Web development Web Development Company Web Development Trends Web Security Tips Web software development companies what is Angular 9 What is New in .Net 5 What is New in Angular 11 What is Treeview in WPF What is XML Manifest Why Hire Software Development Agency Word Add-in Word Add-in with Angular 2+ Work from Home WPF WPF Application WPF D WPF Development WPFDevelopment Write Software Development Project Plan Xamari.forms Xamarin Xamarin Android xamarin app theme xamarin authentication Xamarin Development Xamarin Forms Xamarin Forms 5.0 xamarin permission Xamarin UI Control xamarin.essentials Xamarin.forms XAML Developer Tools XAML Developer Tools for UWP XAML Developer Tools for WPF XAML Developer Tools in Visual Studio 2019 XAML Tooling XML XML Manifest YouTube Marketing YouTube Marketing Tips Znode


category

recent post

  • 5 Mar 2021 Table of Content 1. What is ASP.NET? 2. What are Razor... [ more ]
  • 4 Mar 2021 Xamarin is an open-source platform to develop Cross-platform and... [ more ]
  • 3 Mar 2021 Since the beginning of Visual Studio 2019, the visual studio has introduced... [ more ]

archive

Copyright 2021 iFour Technolab Pvt. Ltd. all the rights reserved.