OWASP Top 10: Security Misconfiguration (A6:2017)

This is part of the OWASP Top 10 series covering the top 10 most critical web application security risks. If you've missed any of the previous security risks, check out the intro and overview.
Risk rating

| Threat Agents | Exploitability | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts |
|---|---|---|---|---|---|
| Application Specific | Easy: 3 | Widespread: 3 | Easy: 3 | Severe: 3 | Business Specific |
| | Average: 2 | Common: 2 | Average: 2 | Moderate: 2 | |
| | Difficult: 1 | Uncommon: 1 | Difficult: 1 | Minor: 1 | |
What is a security misconfiguration?
This is one of the most common causes of cyber security breaches. Security misconfiguration can arise for any number of reasons, such as leaving default settings in place or displaying excessively verbose error messages (which are not user friendly either).
It could also be that certain settings are presumed to be secure when they are not, for example because they have become outdated. Such a misconfiguration could allow someone to gain access to the system and compromise it.
Security misconfigurations are often seen as an easy target by attackers. Misconfigurations can be easy to detect and therefore easy to exploit. So it's important to understand how to detect them and prevent systems from being compromised.
Examples of security misconfiguration
Let's say Alice has a new broadband router installed. She leaves the default settings as they are and connects her devices to the router (phone, laptop, TV, etc). The router might not have a WiFi key set and its default username and password could be admin and 123456 -- or there might not be a username and password at all. Mallory notices Alice's insecure WiFi network and connects to it. Now Mallory can access Alice's network and it won't require much effort for Mallory to access the admin settings.
In another example, Bob has set up a new server to host his website. His server's default configuration displays directory listings. Mallory visits Bob's website and views the contents of the directories. She discovers some configuration files and downloads them. These configuration files contain the credentials for the database. Mallory can now compromise the database and the server.
In another example, Bob's new server also displays detailed error messages. When browsing Bob's website, Mallory visits a page which contains an error. The error message contains a lot of information about Bob's server including locations of files, server environment, stack traces, etc. This exposes sensitive information about Bob's server and may help Mallory detect weaknesses such as components with known vulnerabilities.
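The two server examples above come down to two settings: whether the server lists directories (and serves configuration files at all) and whether it shows stack traces to visitors. The following added example, which is not code from the original post, models both in a few lines of Python. The in-memory document root, the `serve` and `render_error` functions, the `DENY_PREFIXES` list and the log sink are all constructed for illustration; in a real deployment the equivalents are the web server's autoindex option, its access rules, and the framework's debug flag.

```python
"""Added example (not from the original post): how Bob's server could handle
directory requests and errors without leaking server internals.

Everything here is constructed for illustration: the in-memory "document
root", the request handler and the log sink stand in for a real web
server's configuration (a framework's debug flag, a server's autoindex
option and its access rules)."""
import logging
import traceback
import uuid
from io import StringIO

# Constructed in-memory document root: request path -> file contents.
# The credential below is a made-up sample, mirroring the config files
# Mallory found in the post's example.
DOCROOT = {
    "index.html": "<h1>Welcome to Bob's site</h1>",
    "config/db.ini": "[database]\nuser=app\npassword=CONSTRUCTED_SAMPLE_SECRET\n",
    "config/app.ini": "[app]\nmode=prod\n",
}

# Paths that must never be served to a client, listing or not.
DENY_PREFIXES = ("config/",)

# Log sink kept in memory so the example runs offline; a real server would
# write to a file or a log pipeline.
_log_buffer = StringIO()
log = logging.getLogger("bobs-site")
log.setLevel(logging.ERROR)
log.propagate = False
log.handlers = [logging.StreamHandler(_log_buffer)]


def logged_detail():
    """Everything written to the server-side log so far."""
    return _log_buffer.getvalue()


def _list_dir(prefix):
    """Names of the entries directly under prefix (e.g. 'config/')."""
    return sorted({p[len(prefix):].split("/")[0] for p in DOCROOT if p.startswith(prefix)})


def serve(path, hardened=True):
    """Return (status, body) for a request.

    hardened=False reproduces the default that exposed Bob's config files:
    directories are listed and anything under the document root is served.
    hardened=True refuses directory listings and blocks the config/ tree
    outright, so even a guessed filename returns 403.
    """
    if hardened and path.startswith(DENY_PREFIXES):
        return 403, "Forbidden"
    if path in DOCROOT:
        return 200, DOCROOT[path]
    entries = _list_dir(path.rstrip("/") + "/")
    if entries:
        return (403, "Forbidden") if hardened else (200, "\n".join(entries))
    return 404, "Not Found"


def render_error(exc, debug=False):
    """Return (status, body) shown to the client for an unhandled exception.

    debug=True reproduces the verbose page from the post (stack trace, file
    paths, exception text). debug=False shows a generic message plus an
    incident id and keeps the full detail in the server-side log, so the
    operator loses nothing while the visitor learns nothing about the server.
    """
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if debug:
        return 500, detail
    incident = uuid.uuid4().hex[:12]
    log.error("incident=%s\n%s", incident, detail)
    return 500, f"Something went wrong. Reference: {incident}"


def trigger_failure():
    """Raise and capture a constructed exception that carries a server path."""
    try:
        raise RuntimeError("db connection failed: /var/www/config/db.ini")  # constructed
    except RuntimeError as exc:
        return exc


if __name__ == "__main__":
    print(serve("config/", hardened=False))   # the listing Mallory saw
    print(serve("config/", hardened=True))    # 403 with hardened settings
    print(render_error(trigger_failure(), debug=True)[1])
    print(render_error(trigger_failure(), debug=False)[1])
```

The design point is that the hardened path does not merely turn the listing off: it also denies the `config/` tree by prefix, because a visitor who can guess `config/db.ini` does not need a listing. Likewise the production error page is a fixed string plus a reference id; the stack trace still exists, but only in the log where the operator can look it up.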
What's the impact of security misconfiguration?
A security misconfiguration may allow unauthorised access to an application and its underlying server. Depending on the misconfiguration, this could result in a system compromise. Something as simple as a detailed error message may give an attacker enough information to conduct a more sophisticated attack.
How to defend against security misconfiguration
Define a security policy that explicitly sets security configurations for the requirements of the organisation. This policy should be implemented in a repeatable manner so it can be applied to all systems, devices, and environments. This ensures any new components added to the system -- such as with scalable systems -- will also have the required security configurations.
The security policy, and security configurations, should be applied to all environments including development, QA, testing, and production. Different credentials should be used in different environments. This process should be automated to ensure consistency and minimise any potential errors that could arise from manual human configuration.
Ensure the system and environment are set up with only the minimum required features. Remove any unnecessary or unused features and frameworks. This removes the risk from unused or unknown features that the configuration process may never have covered.
Regularly review the security policy and security configurations. This is particularly important as the threat landscape evolves and new threats emerge. Previously secure components may contain newly discovered vulnerabilities, so these should be patched and reconfigured as appropriate.
The application infrastructure and architecture should be securely segmented -- ensuring separation between components and tenants -- so that a vulnerability in one section has limited impact on the others. This can be achieved through architecture design such as containerisation, network segmentation, cloud security groups, access control lists (ACLs), etc.
Some security misconfigurations can be automatically scanned and detected as part of a regular auditing process. This should always be carried out by a qualified and trained professional.
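A repeatable policy check of the kind the defence section describes can be a short script run against every environment. The following added example is not code from the original post: it encodes a small policy (no default credentials, optional features switched off and set explicitly, no credential shared between environments) and reports deviations. The configuration layout, the `audit` function, the feature names and the sample environments are all constructed for illustration; in practice the input would come from a configuration-management tool or a server's exported settings, and the default-credential list would be much longer.

```python
"""Added example (not part of the original post): a small, repeatable
configuration audit covering the points in the defence section.

The configuration format, the policy and the sample values are constructed
for illustration; in practice the input would come from a configuration-
management tool or a server's exported settings."""

# Default logins named in the post's router example, plus two common ones.
# A real audit would load a fuller list of vendor defaults.
DEFAULT_CREDENTIALS = {("admin", "123456"), ("admin", "admin"), ("admin", "")}

# Features the policy says must be switched off unless explicitly needed.
OPTIONAL_FEATURES = {"directory_listing", "debug_errors", "sample_apps", "remote_admin"}


def audit(env_configs):
    """Check every environment against the policy and return the findings.

    env_configs maps an environment name ('dev', 'qa', 'prod') to a dict of
    settings. Each finding is a tuple (environment, check, detail).
    Checks performed:
      default-credentials  admin login is a known vendor default
      unnecessary-feature  an optional feature is enabled
      unspecified-setting  an optional feature is not set at all, so the
                           (unknown) product default applies
      shared-credentials   the admin password is reused across environments
    """
    findings = []
    seen_passwords = {}
    for env, cfg in env_configs.items():
        creds = (cfg.get("admin_user", ""), cfg.get("admin_password", ""))
        if creds in DEFAULT_CREDENTIALS:
            findings.append((env, "default-credentials",
                             f"admin account uses default login {creds[0]!r}"))
        for feature in sorted(OPTIONAL_FEATURES & set(cfg)):
            if cfg[feature]:
                findings.append((env, "unnecessary-feature", f"{feature} is enabled"))
        for feature in sorted(OPTIONAL_FEATURES - set(cfg)):
            findings.append((env, "unspecified-setting",
                             f"{feature} not set explicitly; product default applies"))
        password = creds[1]
        if password in seen_passwords:
            findings.append((env, "shared-credentials",
                             f"admin password reused from {seen_passwords[password]}"))
        else:
            seen_passwords[password] = env
    return findings


# Constructed sample: a dev box left on defaults and a prod server that was
# hardened by hand but missed two settings.
SAMPLE = {
    "dev": {"admin_user": "admin", "admin_password": "123456",
            "directory_listing": True, "debug_errors": True,
            "sample_apps": False, "remote_admin": False},
    "prod": {"admin_user": "ops", "admin_password": "CONSTRUCTED-prod-secret",
             "directory_listing": True, "debug_errors": False,
             "sample_apps": False},
}

# Constructed sample that satisfies the policy.
COMPLIANT = {
    "dev": {"admin_user": "ops", "admin_password": "CONSTRUCTED-dev-secret",
            "directory_listing": False, "debug_errors": False,
            "sample_apps": False, "remote_admin": False},
    "prod": {"admin_user": "ops", "admin_password": "CONSTRUCTED-prod-secret",
             "directory_listing": False, "debug_errors": False,
             "sample_apps": False, "remote_admin": False},
}


if __name__ == "__main__":
    for env, check, detail in audit(SAMPLE):
        print(f"[{env}] {check}: {detail}")
    print("compliant findings:", audit(COMPLIANT))
```

The `unspecified-setting` check is the one most audits forget: a feature that is never mentioned in the configuration is running on whatever default the product ships with, which is exactly the situation in the router and directory-listing examples. Treating "not set" as a finding forces each feature to be decided deliberately, and running the same script in dev, QA and production applies one policy everywhere.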
More on OWASP Top 10
- OWASP Top 10: Intro
- OWASP Top 10: Injection (A1:2017)
- OWASP Top 10: Broken Authentication (A2:2017)
- OWASP Top 10: Sensitive Data Exposure (A3:2017)
- OWASP Top 10: XML External Entities (XXE) (A4:2017)
- OWASP Top 10: Broken Access Control (A5:2017)
- OWASP Top 10: Security Misconfiguration (A6:2017)
- OWASP Top 10: Cross-Site Scripting (XSS) (A7:2017)
- OWASP Top 10: Insecure Deserialisation (A8:2017)
- OWASP Top 10: Using Components with Known Vulnerabilities (A9:2017)
- OWASP Top 10: Insufficient Logging and Monitoring (A10: 2017)