OWASP Top Ten – Security Misconfiguration

An open gate.

What exactly is a Security Misconfiguration? It seems kind of nebulous, right? Well, that’s because it is. This vulnerability covers a wide range of issues that are some of the most prevalent in the wild and manifests in different forms—unnecessary default settings, overly verbose error handling, and unprotected files and directories, to name a few. Our latest entry in this series aims to delve into the complexities of security misconfiguration, offering real-world examples and discussing some widely found hacks related to this particular risk.

What is Security Misconfiguration?

Security misconfiguration occurs when a device, application, or any part of an IT system is set up in such a way that it leaves it vulnerable to unnecessary risks. Often, this happens when security settings are defined, deployed, and maintained in their default configurations, or when unnecessary features are enabled.

Common Instances of Security Misconfiguration

  • Unpatched systems
  • Unused web pages
  • Unnecessary services running on machines
  • Default credentials
  • Unprotected files and directories
  • Overly detailed error messages

The Real World

When doing internal penetration tests, Brackish Security testers frequently run across services utilizing default credentials. We can understand how this happens. Admins set something up, or another department installs something, and they either figure that since it is facing internally it isn’t a problem. Well, it is a problem.

Frequently, we have come across HVAC systems or UPS systems with default credentials. This would allow an attacker to control heating, air conditioning, and power to rooms and equipment that are sometimes very sensitive.

Here is a blog post from nearly a decade ago about baby monitors getting “hacked” due to default credentials. The usage of default credentials is a story nearly as old as the Internet itself, but things are improving. Many commercial and open-source applications and hardware are now generating random passwords upon installation, or even printing unique passwords on stickers or manuals in the case of commercial products.

Besides deafult credentials, another security misconfiguration is the presence of unused web pages, files, and directories. This is a tried and true bread and butter of attackers. Attackers will use tools such as Gobuster or FFUF and wordlists to sends thousands of requests to a web server in search of files and directories that should not be exposed.

Not only can sensitive files be disclosed, but hidden functionality or directories can also be found. Brackish Security researchers have recently found multiple instances of remote code execution after utilizing the tools above to locate where uploaded files were stored. This allowed them to perform standard file upload remote code execution attacks.

Mitigation Strategies

Regular Auditing

Conduct regular security audits and penetration testing to identify and rectify misconfigurations.

Least Privilege Principle

Only grant and enable permissions that are necessary for a user or system to complete its tasks.

Patch Management

Ensure that all systems are up-to-date with the latest patches and updates.

Use of Configuration Management Tools

Tools like Ansible, Puppet, or Chef can help automate the configuration process, ensuring that all deployed systems meet the required security baselines.

Conclusion

Security Misconfigurations are an easily overlooked aspect of cybersecurity but they have enormous implications for the integrity and safety of data. Companies need to take a proactive role in securing their systems to mitigate risks effectively. By learning from past mistakes and implementing robust security measures, we can secure our digital landscape against this often underestimated threat.

If you have any more questions, or are looking for someone to test your configurations, reach out to Brackish Security and help us Make the Bad Guys Salty!

Share the Post:

Related Posts

Join Our Newsletter