A05:2021 – Security misconfiguration
Introduction
Vulnerability Description
Continuing this series of posts on the OWASP Top Ten vulnerabilities, this post covers A05:2021 - Security Misconfiguration, or, in Spanish, "Incorrect cybersecurity configuration".
This vulnerability refers to unimplemented or incorrectly implemented cybersecurity configurations and can manifest itself in various ways, from the use of default or insecure configurations to the unnecessary exposure of sensitive information or the enabling of unnecessary services.
It occurs when an application or server is not configured correctly, allowing an attacker to exploit that weakness to access sensitive data, elevate privileges, and take control of the application.
Impact
This vulnerability can have devastating consequences for an organization.
By exploiting an insecure configuration, attackers can gain access to sensitive information, elevate application privileges, or even use compromised resources to carry out attacks on third parties.
The impact of this vulnerability can be reflected in the following points:
- Exposure of sensitive information: When a system is not properly configured, it can allow an adversary to access sensitive data, such as user credentials, personal information, or trade secrets.
- System control: In some cases, misconfiguration can give attackers the ability to take complete control of the system, allowing them to modify or destroy data or use system resources to carry out other attacks.
- Compromise of system availability: An adversary can take advantage of incorrect configuration to launch denial of service (DoS) attacks that disrupt normal operation of the application or server, which can impact availability of services for legitimate users.
- Using the system as an attack platform: Systems compromised through poor security configuration can be used by attackers as platforms from which to launch attacks on other systems, which can greatly expand the reach of the attack and the resulting damage.
Practical examples
Credential exposure in application source code and escalation of privileges
One of the most common examples of this vulnerability is when an application is deployed with default configurations, passwords in the application code used in the development stage, or user permissions that are broader than necessary.
To demonstrate this, the Zerolynx web lab is accessed with an unprivileged user, user1 in this case.
Exposure of the application file structure
Compromised availability due to vulnerable software
Mitigations
- A repeatable hardening process that makes it quick and easy to deploy another environment that is properly locked down. The development, QA, and production environments must be configured identically, using different credentials in each.
- A minimal platform without unnecessary features, components, documentation and samples.
- Review and update the configurations appropriate to all security notes, updates, and patches as part of the patch management process.
- The use of a segmented application architecture that provides effective and secure separation between application components.
- Correct implementation of Security Headers.
- Implementation of automatic processes before deploying to production that ensure the effectiveness of the measures adopted.
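The practical examples above (credentials left in application settings, exposed file structure) and the mitigation list (minimal platform, security headers, automated checks before production) can be turned into a pre-deployment audit. The script below is an added example, not code from the post or from the Zerolynx lab; the settings, header names and "default credential" list are assumptions chosen as a reasonable baseline, and the sample configuration and response headers are constructed to trigger the checks.

```python
import re

# Constructed sample of a deployed app's settings and the HTTP response headers it
# sends; values are placeholders chosen to trigger the checks, not real credentials.
SAMPLE_CONFIG = {
    "DEBUG": True,
    "DB_USER": "admin",
    "DB_PASSWORD": "admin",
    "DIRECTORY_LISTING": True,
    "ALLOWED_HOSTS": ["*"],
}
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html",
}

# Assumed baseline of security headers to require; extend to match your policy.
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
)
# Assumed list of values that indicate a default, sample or empty secret.
DEFAULT_CREDENTIALS = {"admin", "password", "root", "changeme", ""}


def audit_config(config: dict) -> list:
    """Return human-readable findings for settings that leave the app misconfigured."""
    findings = []
    if config.get("DEBUG"):
        findings.append("DEBUG enabled: stack traces and settings may leak to users")
    if config.get("DIRECTORY_LISTING"):
        findings.append("directory listing enabled: application file structure exposed")
    if "*" in config.get("ALLOWED_HOSTS", []):
        findings.append("ALLOWED_HOSTS is a wildcard: host header validation disabled")
    for key, value in config.items():
        # Any secret-like key holding a well-known default or empty value is a finding.
        if re.search(r"PASS|SECRET|TOKEN", key, re.I) and str(value).lower() in DEFAULT_CREDENTIALS:
            findings.append(f"{key} uses a default or empty value")
    return findings


def audit_headers(headers: dict) -> list:
    """Flag missing security headers and banners that disclose software versions."""
    present = {k.lower() for k in headers}
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h.lower() not in present]
    for banner in ("Server", "X-Powered-By"):
        if re.search(r"\d+\.\d+", headers.get(banner, "")):
            findings.append(f"{banner} header discloses a software version")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG) + audit_headers(SAMPLE_HEADERS):
        print("-", line)
```

Running it as a CI step that fails the pipeline on any finding is one way to implement the "automatic processes before deploying to production" item in the list above.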