Stacie Farmer

Endlessly learning

OWASP Top Ten - Security Misconfiguration

January 14, 2021

Security misconfiguration is a pretty broad category. It’s kind of a catch-all. It overlaps with some of the other OWASP Top Ten vulnerabilities, such as sensitive data exposure and broken authorization, and it also covers a few scenarios that don’t quite fit in any other category, such as verbose error handling and unnecessary open ports.

In 2021, OWASP also folded XML External Entities (XXE) into Security Misconfiguration as part of their Top Ten list.


Common Security Misconfigurations

According to OWASP, some common examples of security misconfigurations you might find are:

  • Missing security hardening or improperly configured permissions on cloud services
  • Unnecessary features enabled/installed (e.g. ports, services, pages, accounts, or privileges)
  • Default/Hardcoded accounts present
  • Error handling revealing too much information
  • Insecure values being used in application servers, frameworks, libraries, databases, etc.
  • Security headers or directives not being used, or being implemented improperly
  • Using software with known vulnerabilities that aren’t patched (or the patches haven’t been implemented)

When testing applications for vulnerabilities, one of the first things we’ll do is check for open ports, default accounts, and out-of-date software. These things are relatively easy to find, and the risk they create ranges from small to very large (e.g. a default account being used to gain admin access to a system).


Testing for Security Misconfigurations

Chances are, your application has some form of security misconfiguration going on.

OWASP has some great resources to help you test your own application and hopefully find the vulnerabilities before others do.


Ways to Help Prevent Security Misconfiguration

Since this category is so broad, it can be very difficult to prevent. Still, we need to try.

OWASP has some great tips on ways you can prevent these types of misconfigurations:

  • Create an automated hardening process for creating and deploying new, secure environments.
  • Ensure your platform/application/etc is set up with only the absolute necessary features. Remove any unnecessary features/frameworks/etc.
  • Regularly review and update configurations in line with security notes, updates, and patches - especially cloud storage permissions.
  • If you can, segment your application architecture.
  • Use security directives such as Security Headers.
  • Implement automated testing to check the security configurations and settings of all your environments.
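As an added example (not code from the original post), here is a small Python check of the kind the last two tips describe: it audits one HTTP response’s headers for missing security headers and for headers that leak the server stack. The expected header set and the sample response are assumptions constructed for this example.

```python
# Added example: a small configuration check of the kind the "automated
# testing" tip describes. It inspects one HTTP response's headers for missing
# security headers and for headers that reveal the server stack. The sample
# response below is constructed for the example; it is not from a real host.
from typing import Dict, List

# Security headers a hardened web application is normally expected to send
# (an assumed baseline; adjust to your own policy).
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may be downgraded to HTTP",
    "content-security-policy": "CSP missing: no mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}

# Headers that commonly reveal the server software and version to any client.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response's headers (empty = clean)."""
    normalized = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, message in EXPECTED_HEADERS.items():
        if name not in normalized:
            findings.append(message)
    for name in LEAKY_HEADERS:
        value = normalized.get(name)
        # A bare product name is a lesser concern; a version string is a finding.
        if value and any(ch.isdigit() for ch in value):
            findings.append(f"{name} reveals version details: {value!r}")
    hsts = normalized.get("strict-transport-security", "")
    # HSTS that is present but set to max-age=0 is effectively switched off.
    if hsts and "max-age=0" in hsts.replace(" ", ""):
        findings.append("HSTS present but max-age=0 disables it")
    return findings


# Constructed sample: a response as a misconfigured server might send it.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print("FINDING:", finding)
```

Running it against the constructed sample reports three missing headers and two version-revealing headers; a clean response yields an empty list.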

These are just a few of the things that can help. Check out the resources below to help expand your knowledge and create a customized process that works for your situation.

Further Reading