Security Misconfiguration (OWASP Top 10)



Security misconfigurations include:

  • Poorly configured permissions on cloud services, like S3 buckets
  • Having unnecessary features enabled, like services, pages, accounts or privileges
  • Default accounts with unchanged passwords
  • Error messages that are overly detailed and allow an attacker to find out more about the system
  • Not using HTTP security headers, or revealing too much detail in the Server: HTTP header

This vulnerability often leads to further vulnerabilities: default credentials can give an attacker access to sensitive data, and exposed admin pages can open the door to XXE or command injection.

More about the vulnerability:

[A6:2017-Security Misconfiguration (owasp.org)](https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html)

How to Prevent

Secure installation processes should be implemented, including:
* Development, QA, and production environments should all be configured identically, with different credentials used in each environment. This process should be automated to minimize the effort required to set up a new secure environment.
* A minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.
* A task to review and update the configurations appropriate to all security notes, updates and patches as part of the patch management process (see A9:2017-Using Components with Known Vulnerabilities). In particular, review cloud storage permissions (e.g. S3 bucket permissions).
* A segmented application architecture that provides effective, secure separation between components or tenants, with segmentation, containerization, or cloud security groups (ACLs).
* Sending security directives to clients, e.g. Security Headers.
* An automated process to verify the effectiveness of the configurations and settings in all environments.
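As an added example (not part of the original post or of OWASP's material), here is a small Python check that covers the last two points above, sending security directives via headers and automatically verifying the configuration; the set of expected headers, the disclosure-header names and the two sample responses are my own choices:

```python
# Added example, not from the original post: audit one HTTP response's headers
# for the misconfigurations listed above (missing security headers, a verbose
# Server: header, stack-disclosing headers). Runs offline on a dict of headers.
import re

# Security headers a hardened site is expected to send (matched case-insensitively).
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may downgrade to plain HTTP",
    "content-security-policy": "CSP missing: no mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "referrer-policy": "Referrer-Policy missing: full URLs may leak to third parties",
}
# Headers that exist only to advertise the stack and should be stripped.
DISCLOSURE_HEADERS = ("x-powered-by", "x-aspnet-version", "x-generator")
# A version number in Server: ("Apache/2.4.41", "nginx/1.18.0") is a giveaway.
VERSION_RE = re.compile(r"\d+\.\d+")


def audit_headers(headers):
    """Return a list of findings (an empty list means no issue was found)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [problem for name, problem in EXPECTED_HEADERS.items() if name not in lower]
    server = lower.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"Server header reveals software version: {server!r}")
    for name in DISCLOSURE_HEADERS:
        if name in lower:
            findings.append(f"{name} header discloses the technology stack: {lower[name]!r}")
    return findings


# Constructed sample responses: a misconfigured server and a hardened one.
MISCONFIGURED = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
                 "Content-Type": "text/html"}
HARDENED = {"Server": "Apache", "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'", "X-Content-Type-Options": "nosniff",
            "X-Frame-Options": "DENY", "Referrer-Policy": "strict-origin-when-cross-origin"}

if __name__ == "__main__":
    for label, hdrs in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(f"{label}: {len(audit_headers(hdrs))} finding(s)")
        for finding in audit_headers(hdrs):
            print("  -", finding)
```

Run it against the headers of each environment (for instance from `curl -I`) as part of the automated verification step, and treat any finding as a failed check.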

In October 2016, Dyn (a DNS provider) was taken offline by one of the most memorable DDoS attacks of the past 10 years. The flood of traffic came mostly from Internet of Things and networking devices like routers and modems, infected by the Mirai malware.

How did the malware take over the systems? Default passwords. The malware had a list of 63 username/password pairs, and attempted to log in to exposed telnet services.

The DDoS attack was notable because it took many large websites and services offline. Amazon, Twitter, Netflix, GitHub, Xbox Live, PlayStation Network, and many more services went offline for several hours in 3 waves of DDoS attacks on Dyn.