2017 OWASP A6 Update: Security Misconfiguration
The Open Web Application Security Project (OWASP) is a volunteer group whose goal is to build a more robust Internet. One of their flagship publications is the Ten Most Critical Web Application Security Risks list, which was reviewed and republished last year. The 2017 list is the first major update since 2013; it went through two drafts and public review before the final version was released in November 2017.
Security misconfiguration ranked sixth in 2017 — dropping one rank from number five in the 2013 list. It is still one of the most exploitable vulnerabilities because it is so widespread.
How Can I Detect a Security Misconfiguration?
This type of vulnerability runs across the entire stack, as it includes passwords that are easy to guess (or set to default), software that is out of date, unencrypted files or databases and extra features that are unnecessarily enabled.
To detect these misconfigurations, it is recommended you scan the site using some sort of software (a popular open source tool for Linux is Security Onion). This should help eliminate default account settings and software, as well as hardware issues.
How Can I Prevent Security Misconfiguration?
OWASP urges businesses to start thinking about security at the very beginning of site development, including creating an infrastructure with separate secure areas and different levels of permissions. Everyone involved, including admins and developers, must adhere to a strict set of security protocols.
Another important step is to automatically configure secure settings at every step of the process, including staging, development and production; updates or patches to software and firmware should be rolled out across the entire network at once.
How Are Security Misconfigurations Used In Attacks?
One of the most basic — and often effective — tactic is the brute force password attack. As the name implies, a bot will attempt to log in using many different combinations of numbers and letters until it “cracks” a password. Depending on the length/complexity of the password, this can take seconds or years. These attacks are on the rise again; in December 2017, a brute force attack against sites using WordPress was launched, at one point reaching 14 million attacks per hour.
Another common attack is examining error messages, such as those returned on a 404 page. Servers that send out full error messages, such as directory structures and types of application layers, can give hackers all the clues they need to break in. A notorious example of this is from 2013 when spy agency NSA used error messages to hack into Microsoft.
More clever tactics involve finding a weak link within a network, such as one with default apps installed but unused. The vulnerabilities in these apps can then be exploited to grant access to the larger network.
As more devices go online with the Internet of Things (IoT), it creates further possibilities for security breaches. In July 2017, a North American casino had data stolen via a “smart” fish tank with insecure access to the Internet.
How Can I Learn More About Server Misconfigurations?
Infosec Institute offers secure-coding training modules for developers through its security awareness training platform, SecurityIQ, including a module on server configuration.
The platform includes training for every vulnerability included in OWASP’s 2017 list, as well as over 200 additional security awareness training modules for all employee levels and roles. Sign up for a free SecurityIQ account to preview the content today.
If you’d like to learn more about detecting web vulnerabilities like server misconfigurations, check out InfoSec Institute’s Mobile and Web Application Penetration Testing Boot Camp.