Security Misconfiguration

Security Misconfiguration ranks sixth in the OWASP TOP 10 as it remains prevalent in projects and is susceptible to around 42% of companies according to statistics.

Securing a Web application requires a secure configuration of all infrastructure components. Application components (such as frameworks) are the web server, database server, and the platform itself. The default settings of server components are generally insecure and create opportunities for attacks. For example, stealing a session cookie via JavaScript in an XSS attack is made possible by the cookie_http only setting, which is disabled by default.

It is impossible to receive a session cookie via JavaScript if the server is configured correctly and the cookie_httponly option is enabled, but this simple and important setting is often missing in critical places such as personal accounts of payment systems.

Incorrect Security Configuration Another example of a vulnerability is the use of default settings on database servers such as Redis (an open source data structure server), Memcached (a general purpose distributed memory caching system), and others. A private service can be accessed from the server’s public IP address and/or used by default passwords set by the manufacturer. This allows an attacker to easily read and modify data, among them session cookies (which we already know) and data displayed to users in the browser (which also makes it possible to use an XSS attack).

Software must always be up to date. Vulnerabilities are found every day in a wide variety of operating systems, software components such as web servers, database servers, mail servers. And even if your application is written properly and carefully checks all incoming data and is generally well-protected, that doesn’t mean that one day your operating system or Web server will not have a security hole.

So at any level of the application misconfiguration of security can occur:

– network services

– Web server

– database

– pre-installed virtual machines

– storage

How can I avoid the wrong security settings listed above?

The most effective method is regular penetration tests that identify security issues. These scans should include production systems and staging systems.

The best way to check security is to use a professional scanner that not only detects misconfigurations in network security (as most browsers do), but also focuses on the security of web applications.

Another very common cause of incorrect security settings is reliance on default settings. You should not think that professional software is protected by default. Every software you install, including web server, application server, and database server, requires manual security configuration.

An OWASP penetration test should bear in mind that it offers a number of important advantages, particularly for those developing web applications in-house and/or organizations using specialist applications developed by third parties.

OWASP penetration testing is conducted by certified ethical hackers with expert knowledge of the latest web application development techniques and the latest security threats.