Security misconfiguration is the fifth vulnerability on OWASP's list of the ten most common vulnerabilities. A proof of concept video follows this article. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their Top 10 list one by one in our OWASP Top 10 blog series.
If a component is susceptible to attack due to an insecure configuration it would classify as security misconfiguration. This is considered the same vulnerability regardless of whether the misconfiguration occurs in the web server, database or in custom code.
As security misconfiguration is such a broad category, it is a very common vulnerability. A web application is built upon multiple layers and making a configuration mistake in one of them is quite likely.
The impact varies and depends on the specific kind of misconfiguration. At worst, it could lead to a full takeover, which means stolen sensitive data and expensive recovery.
In many cases this is one of the easiest vulnerabilities to exploit. For example, if a system admin forgets to delete a default account with admin privileges, all an attacker has to do is google the default credentials and log in.
Of course, there are more difficult versions of this vulnerability out there that require more knowledge. Not all misconfigurations result in a possible full takeover, but they may be used as part of a bigger attack.
The Werkzeug Debugger included a console that lets a user execute system commands. Some applications exposed that interface to the internet, which results in RCE (remote code execution). An example of this that received a lot of attention is when we found this vulnerability at Patreon.
How to discover
The only way to discover security misconfigurations is to go through the system and ask questions such as the following:
- Are any default accounts left, and if so, have the passwords been changed?
- When it is possible to enforce better security in a framework, are those options chosen?
- Are there any unnecessary features installed/enabled that can be removed? This includes accounts, excessive privileges, open ports, etc.
- Does the error handling reveal overly informative error messages to users? This is one of the most common issues.
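The checklist above can be turned into an automated review of a configuration snapshot. The following is an added example, not code from the original article or from Disposable mail: the configuration layout, the default-credential list, the feature names and the sample snapshot are all constructed for illustration, and one check function covers each question in the list.

```python
"""Configuration audit for the discovery checklist above.

Added example, not code from the original article or from Disposable mail. The
configuration layout, the default-credential list, the feature names and the
sample snapshot are all constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # critical / high / medium / low
    check: str     # short identifier of the check that fired
    detail: str    # human-readable explanation


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed list of vendor default username/password pairs the organisation
# tracks. A real audit would reuse the platform's own credential verifier instead
# of comparing bare hashes; unsalted SHA-256 is only a stand-in here.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "changeme"), ("root", "password")}
DEFAULT_HASHES = {(user, _sha256(pw)) for user, pw in KNOWN_DEFAULT_CREDENTIALS}

# Constructed names of features that should be disabled on an internet-facing host
# unless someone can justify them.
UNNECESSARY_FEATURES = {"directory_listing", "sample_apps", "trace_method", "remote_debug"}


def check_default_accounts(accounts: list) -> list:
    """Default accounts left behind, and privileged accounts nobody uses."""
    findings = []
    for acct in accounts:
        if (acct["username"], acct["password_sha256"]) in DEFAULT_HASHES:
            findings.append(Finding("critical", "default-account",
                                    f"'{acct['username']}' still uses a vendor default password"))
        if acct.get("privileges") == "admin" and not acct.get("in_use", True):
            findings.append(Finding("high", "unused-admin",
                                    f"'{acct['username']}' has admin privileges but is not in use"))
    return findings


def check_unnecessary_features(enabled: list) -> list:
    """Anything enabled that widens the attack surface without a stated need."""
    return [Finding("medium", "unnecessary-feature", f"'{name}' is enabled")
            for name in enabled if name in UNNECESSARY_FEATURES]


def check_error_handling(error_cfg: dict) -> list:
    """Overly informative error messages reaching users."""
    findings = []
    if error_cfg.get("show_stack_traces"):
        findings.append(Finding("high", "verbose-errors", "stack traces are shown to users"))
    if not error_cfg.get("custom_error_pages", False):
        findings.append(Finding("low", "default-error-pages",
                                "framework default error pages reveal the software in use"))
    return findings


def check_framework_hardening(options: dict) -> list:
    """Hardening options the framework offers but the deployment has not turned on."""
    return [Finding("medium", "hardening-off", f"'{name}' is available but disabled")
            for name, on in options.items() if not on]


def audit(config: dict) -> list:
    """Run every check over one configuration snapshot and return all findings."""
    return (check_default_accounts(config.get("accounts", []))
            + check_unnecessary_features(config.get("enabled_features", []))
            + check_error_handling(config.get("error_handling", {}))
            + check_framework_hardening(config.get("framework_hardening", {})))


# Constructed snapshot of a badly configured deployment.
SAMPLE_CONFIG = {
    "accounts": [
        {"username": "admin", "password_sha256": _sha256("admin"), "privileges": "admin", "in_use": True},
        {"username": "deploy", "password_sha256": _sha256("rotated-long-passphrase"), "privileges": "admin", "in_use": False},
        {"username": "alice", "password_sha256": _sha256("correct horse battery staple"), "privileges": "user", "in_use": True},
    ],
    "enabled_features": ["tls", "sample_apps", "directory_listing"],
    "error_handling": {"show_stack_traces": True, "custom_error_pages": False},
    "framework_hardening": {"csrf_protection": True, "secure_cookies": False, "content_security_policy": False},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:8}] {f.check}: {f.detail}")
```

Run against the constructed snapshot, the audit reports eight findings: the leftover `admin` default, an unused admin account, two unnecessary features, verbose errors, default error pages, and two hardening options left off. Feeding it a snapshot exported on every deploy is one way to catch the regressions this article describes before a scanner or an attacker does.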
How Disposable mail can help with security misconfiguration
Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used in both staging and production. Sign up for a free trial to find out if you are vulnerable »
Example of vulnerable application
A good example that helps in understanding this issue is the Patreon case mentioned above. Systems often have some feature that allows debugging. If that feature is exposed to the internet and not placed behind any authorisation, any user can abuse it.
Remediation
- Make sure everything is updated. When building the system, make it easy to deploy software updates and patches.
- Use the same configuration for staging, production and developing environments. Many misconfigurations are the result of inconsistencies.
- Humans are good at making mistakes, which is why you should automate what can be automated. If the same setup procedure is performed often, it is better to make sure it is secure once and then simply repeat it.
- Perform scans and/or audits regularly to discover future misconfigurations.
- When possible, configure the system on the assumption that it will get compromised, because that is very likely. In the event of a security breach, an attacker should then only be able to do very little damage.
How Patreon got Hacked: Publicly Exposed Werkzeug Debugger