Security Mis-Config Introduction

Security misconfiguration occurs when configuration mistakes in a web application, or in the stack beneath it, leave weaknesses that attackers can exploit. This can include using default passwords, excessive debugging information disclosure, or improper role configurations. Security misconfiguration is a common issue and was ranked the 5th most critical web application risk by OWASP in 2013. It can have severe impacts such as data loss or system compromise. Misconfiguration can happen at the operating system, web server, application server, or other levels. Common causes include using default options, excess debugging data, human error, and improper policies. Solutions involve following best practices, secure coding, configuration testing, patching, and education.

A5: Security Misconfiguration

Tariqul Islam
IT 6873 Information security seminar

What is Security Misconfiguration?

Application misconfiguration attacks exploit configuration weaknesses found in web applications.
Misconfiguration is defined as configuration mistakes that result in unintended application behaviour, including misuse of default passwords, misuse of privileges, and excessive debugging information disclosure.
The effects of misconfiguration can be harmless, but they can also lead to service outages, loss of sensitive data, and other serious problems.

OWASP Ranking

Top 10 2013 - A5 Security Misconfiguration (OWASP)
Top 10 2010 - A6 Security Misconfiguration (OWASP)
OWASP rates this risk as easy to exploit, common in prevalence, easy to detect, and moderate in impact.

Impact

Can be severe.
Partial or full data loss.
Data modification.
Compromise of full system.
Expensive recovery.

Statistics

(The chart on this slide is not reproduced in the text; see the statistics reference in the reference list.)

Cause: Inadvertent use of default options

Default options are always an easy target for attackers. It is very common that users do not change the default password or do not delete the default user ID.
Some applications also ship with a default port number.

Example: a default Oracle database installation includes the sample user/schema scott with password tiger, and the listener runs on the default port 1521.

Cause: Excess Debugging Information

Revealing too much debugging information is a very common misconfiguration problem. It usually does not lead directly to exploitation of a system.
Attackers can collect extra information, such as the internal workings of an application and version numbers.
Attackers can use this excess debugging information to craft SQL for a SQL injection attack. Also, when an application fails to perform an action, its error output can leak sensitive information.
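As an added example (not code from the original slides), the following pair of request handlers shows the misconfiguration described above and its fix: the first returns the full Python stack trace to the client, the second returns only a generic message plus a correlation ID and writes the detail to the server log. The order lookup, the ORDERS data and the handler names are constructed for this illustration.

```python
import logging
import traceback
import uuid

logging.basicConfig(level=logging.ERROR)
log = logging.getLogger("app")

# Constructed sample data: a tiny order store that raises KeyError on unknown ids,
# which stands in for any backend failure.
ORDERS = {"1001": {"total": 42.50}}


def lookup_order(order_id):
    return ORDERS[order_id]


def handle_verbose(order_id):
    """Misconfigured handler: returns the full stack trace to the client.

    The trace reveals file paths, function names, the failing value and the
    runtime version, all of which help an attacker map the application.
    """
    try:
        return 200, str(lookup_order(order_id))
    except Exception:
        return 500, traceback.format_exc()


def handle_hardened(order_id):
    """Hardened handler: generic message to the client, detail to the log only.

    The incident id lets the user quote something to support without learning
    anything about the internals.
    """
    try:
        return 200, str(lookup_order(order_id))
    except Exception:
        incident = uuid.uuid4().hex[:8]
        log.exception("unhandled error, incident %s", incident)
        return 500, f"Internal error (reference {incident})"
```

In a real framework the same split is usually a single setting (for example a debug or display-errors flag) that must be off in production; the hardened handler shows what that setting should do.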

Cause: Improper Policy or Role Configuration

Role misconfiguration is another leading cause of web application misconfiguration.
It lets groups or roles access settings or records that were not intended for them. There are many reasons for role misconfiguration; complex business roles and policies are often to blame.

Example: allowing administrative staff to view human resources data.
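As an added example (not part of the original slides), this is a deny-by-default role check together with a small policy lint that flags exactly the kind of grant in the example above: a role reaching a resource owned by another department, or a wildcard grant. The roles, resource names and department ownership table are constructed assumptions.

```python
# Constructed policy: role -> set of (resource, action) grants.
POLICY = {
    "hr_staff":    {("hr/records", "read"), ("hr/records", "write")},
    "admin_staff": {("it/tickets", "read"), ("it/tickets", "write"),
                    ("hr/records", "read")},   # the misconfiguration from the slide
    "auditor":     {("*", "read")},            # wildcard grant, flagged by the lint
}

# Which department owns each resource and which department each role belongs to.
OWNER = {"hr/records": "hr", "it/tickets": "it"}
ROLE_DEPT = {"hr_staff": "hr", "admin_staff": "it", "auditor": "audit"}


def is_allowed(role, resource, action, policy=POLICY):
    """Deny by default: an unknown role or a missing grant means no access.

    Only an explicit (resource, action) grant, or a wildcard resource for the
    same action, permits the request.
    """
    grants = policy.get(role, set())
    return (resource, action) in grants or ("*", action) in grants


def lint_policy(policy=POLICY):
    """Return findings for grants that cross department lines or use a wildcard."""
    findings = []
    for role, grants in policy.items():
        for resource, action in grants:
            if resource == "*":
                findings.append(f"{role}: wildcard '{action}' on every resource")
            elif OWNER.get(resource) != ROLE_DEPT.get(role):
                findings.append(
                    f"{role}: {action} on {resource} owned by {OWNER.get(resource)}")
    return sorted(findings)


def revoke(policy, role, resource, action):
    """Return a copy of the policy with one grant removed (the fix for a finding)."""
    fixed = {r: set(g) for r, g in policy.items()}
    fixed[role].discard((resource, action))
    return fixed
```

Running the lint as part of configuration review catches cross-department grants before they reach production; the authorization check itself stays deny-by-default so that a role that is simply missing from the policy gets nothing.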

Cause: Human mistakes

Human mistakes are frequent and unavoidable, and can account for up to 43% of all system failures.
Operator error is the main reason for downtime at large websites such as Google, MSN, and Yahoo. Proper interfaces and good design can drastically reduce operator mistakes.
Poorly designed application interfaces and overly tight restrictions can push users to work around or bypass security controls in order to accomplish a goal.

Where?

Security misconfiguration may happen at any of the following levels:

Operating system or platform
Web server
Application server
Database server
Framework
Custom code

How?: Hidden field manipulation

Hidden form fields are often used to carry a user's session state without maintaining a complex database on the server side.
The hidden field is not shown to the user in the browser, so it is easy to assume it cannot be changed; an attacker, however, can edit it before the form is submitted.
Once modified, the application acts on the altered value rather than the real data. Example: altering a product price or SKU number.

How?: Parameter Tampering

Based on manipulation of the application parameters exchanged between the client and the server. This is a form of web-based attack in which parameters in the URL or web page, entered by an authorized user, are changed by the attacker without the user's authorization.
Attackers take advantage of hidden or fixed fields and modify parameters, bypassing the security mechanisms.
Once tampered with, the web application acts according to the modified information and allows access to the user's data. Example: arbitrarily manipulating a user's selection from fixed field values, such as a check box or combo box.

How?: Cookie poisoning

The act of manipulating or forging a cookie for the purpose of bypassing security measures or sending false information to a server.
Cookies are common elements in web applications; they are used to save information such as user ID, account numbers, timestamps, passwords, etc. The saved information is stored on the user's disk.
Unless a cookie is signed or encrypted it is not cryptographically protected, so an attacker can modify the user's information simply by editing the cookie.
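The three techniques above (hidden field manipulation, parameter tampering and cookie poisoning) share one root cause: the server trusts state that the client controls. As an added example that is not part of the original slides, the code below shows a checkout that trusts a hidden price field beside one that looks the price up server-side, and an unsigned role cookie beside an HMAC-signed one that rejects a poisoned copy. The SECRET, the CATALOGUE prices and the cookie layout are constructed assumptions; a real deployment loads the key from a secret store.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; never hard-code one in real code.
SECRET = b"constructed-example-key-do-not-use"

# Server-side catalogue in cents: the only trustworthy source of prices.
CATALOGUE = {"SKU-100": 4999, "SKU-200": 12500}


def checkout_vulnerable(form):
    """Trusts the hidden 'price' field the browser submitted (hidden field manipulation)."""
    return int(form["price"]) * int(form["qty"])


def checkout_hardened(form):
    """Ignores any client-supplied price and looks it up by SKU; bounds the quantity."""
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("bad quantity")
    return CATALOGUE[sku] * qty


def sign(payload):
    """Serialise state the client must carry (cookie or hidden field) and append an HMAC."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify(token):
    """Return the payload if the MAC matches, else None. Unverified fields are never used."""
    try:
        body, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def role_from_plain_cookie(cookie):
    """Legacy scheme: 'user=alice; role=user' is parsed and trusted as-is (cookie poisoning)."""
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";"))
    return fields.get("role", "anonymous")


def role_from_signed_cookie(cookie):
    """Signed scheme: any edit invalidates the MAC and the user falls back to anonymous."""
    payload = verify(cookie)
    return payload["role"] if payload else "anonymous"


def poison(token, **changes):
    """Attacker's edit of a signed token: rewrite the payload but keep the old MAC."""
    body, mac = token.rsplit(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload.update(changes)
    new_body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{new_body}.{mac}"
```

Signing only gives integrity: the payload is still readable by the client, so secrets such as passwords do not belong in a cookie even when it is signed. Where the state can simply be kept server-side (the price, the user's role), that is the stronger option and the signed token is only needed for state that must round-trip through the client.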

How?: Stealth commanding

A set of techniques allowing attackers to exploit parsing problems in server-side scripts to change the code executed by the server.
Primarily used to execute operating system commands, allowing complete takeover of the server.
Likely targets are server-side includes, parsed scripts, code that takes input and turns it into OS commands, and anything that takes parameters and turns them into parsed protocols.
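As an added example (not from the original slides), here is the "code that takes input and turns it into OS commands" case. A hypothetical "ping this host" feature is implemented twice: once by building a shell command string from the user's input, once by validating the input as a hostname and passing it as a single argv element so the shell never parses it. To keep the demo harmless and runnable offline, `echo` stands in for the real ping binary; that substitution is an assumption of this example.

```python
import re
import subprocess

# Stand-in for the real tool so the example runs safely offline.
TOOL = "echo"

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading
# hyphen (so the value can never be mistaken for a command-line option).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_vulnerable(host):
    """Builds a shell command string from user input: the stealth commanding bug.

    With host = "example.com; echo INJECTED" the shell runs two commands.
    """
    cmd = f"{TOOL} {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(host):
    """Validates the value and passes it as one argv element, with no shell.

    Shell metacharacters (; | & $ ` and so on) are never interpreted, and the
    regex also blocks values starting with '-' that the tool could read as a flag.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return subprocess.run([TOOL, host], capture_output=True, text=True).stdout
```

Using an argument list without `shell=True` removes the shell from the picture; the allow-list validation on top of it is what stops argument injection (a value such as `-c` being read as an option by the invoked tool).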

How?: Forced browsing

An attack whose aim is to enumerate and access resources that are not referenced by the application but are still accessible.
An attacker can use brute-force techniques to search for unlinked content under the document root, such as temporary directories and files, and old backup and configuration files.
Inadequate enforcement of authorization on all restricted URLs, scripts, or files is to blame.
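The defender's counterpart to a forced-browsing scan is an audit of the document root for the same leftovers before they go live. As an added example that is not part of the original slides, the function below walks a web root and reports backup copies, editor and temp files, version-control metadata and backup directories that could be requested directly. The file name patterns and the sample tree are constructed assumptions; a real list would be larger.

```python
import os
import tempfile

# Patterns a forced-browsing wordlist typically contains (constructed subset).
SUFFIXES = (".bak", ".old", ".orig", ".swp", ".tmp", "~", ".zip", ".tar.gz", ".sql")
NAMES = {".git", ".svn", ".env", "web.config", ".htpasswd", "phpinfo.php"}
DIRS = {"backup", "backups", "tmp", "temp", "old"}


def find_exposed(docroot):
    """Return '/'-separated paths under docroot that a forced-browsing attacker
    could request directly: leftover backups, VCS metadata, temp directories.
    Directories are reported with a trailing '/'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        rel = "" if rel == "." else rel + "/"
        for d in dirnames:
            if d in NAMES or d.lower() in DIRS:
                hits.append(rel + d + "/")
        for f in filenames:
            if f in NAMES or f.lower().endswith(SUFFIXES):
                hits.append(rel + f)
    return sorted(hits)


def build_sample_docroot():
    """Create a constructed sample web root in a temp directory and return its path."""
    root = tempfile.mkdtemp()
    layout = [
        "index.html",
        "css/main.css",
        "app/config.php",
        "app/config.php.bak",   # backup of a config file with credentials
        "backup/site.tar.gz",   # whole-site archive left in the web root
        ".git/HEAD",            # repository metadata
        "admin/.htpasswd",      # password file inside a served directory
    ]
    for p in layout:
        full = os.path.join(root, *p.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root
```

The audit complements, and does not replace, a web-server rule that refuses to serve these names at all: the scan finds what was left behind, the server rule covers what will be left behind next time.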

How?: Backdoors and debug options

Applications contain code left in for debugging purposes, and some even contain code left behind by disgruntled employees.
Debug options are entry points that allow an attacker access to the application.
Backdoors effectively allow visitors to log into the application without a password, and the access granted often carries many other privileges.

Am I at risk?

Is your software out of date?
Are any unnecessary features enabled?
Are default accounts and their credentials unchanged?
Does error handling reveal stack traces to users?
Are security settings left at insecure values?
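The checklist above, and the default-options cause described earlier (the Oracle scott/tiger account on port 1521), can both be checked mechanically. As an added example (not from the original slides), the script below reads an INI-style configuration and reports each checklist item it finds: debug mode, stack traces shown to users, an out-of-date version, risky optional features, default credentials and a default port. The configuration format, the section and key names, the credential and port tables and the two sample configurations are constructed assumptions for this illustration.

```python
import configparser

# Constructed tables; a real checker would load much larger lists.
DEFAULT_CREDS = {("scott", "tiger"), ("admin", "admin"), ("root", ""), ("tomcat", "tomcat")}
DEFAULT_PORTS = {"oracle": 1521, "mysql": 3306, "postgres": 5432, "tomcat": 8080}
RISKY_FEATURES = {"sample_apps", "directory_listing", "server_status", "trace_method"}

# Constructed sample: the kind of configuration the checklist is meant to catch.
SAMPLE_INI = """
[app]
debug = true
show_stack_traces = true
version = 1.2.3

[features]
sample_apps = enabled
directory_listing = on

[database]
kind = oracle
user = scott
password = tiger
port = 1521
"""

# Constructed sample: the same application after remediation.
HARDENED_INI = """
[app]
debug = false
show_stack_traces = false
version = 1.4.2

[features]
sample_apps = disabled
directory_listing = off

[database]
kind = oracle
user = app_svc
password = REPLACED_BY_SECRET_STORE
port = 1530
"""


def parse_version(s):
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def audit(ini_text, min_version="1.4.0"):
    """Return a list of findings, one per checklist item present in the config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    findings = []
    if cfg.getboolean("app", "debug", fallback=False):
        findings.append("app.debug enabled: disable in production")
    if cfg.getboolean("app", "show_stack_traces", fallback=False):
        findings.append("app.show_stack_traces enabled: stack traces reach users")
    ver = cfg.get("app", "version", fallback=None)
    if ver and parse_version(ver) < parse_version(min_version):
        findings.append(f"app.version {ver} older than supported {min_version}")
    if cfg.has_section("features"):
        for name, state in cfg.items("features"):
            if name in RISKY_FEATURES and state.lower() in ("on", "true", "enabled", "1"):
                findings.append(f"features.{name} enabled: unnecessary feature")
    if cfg.has_section("database"):
        db = cfg["database"]
        cred = (db.get("user", ""), db.get("password", ""))
        if cred in DEFAULT_CREDS:
            findings.append(f"database uses default credentials {cred[0]}/{cred[1]}")
        kind = db.get("kind", "")
        if db.get("port") and DEFAULT_PORTS.get(kind) == int(db["port"]):
            findings.append(f"database listens on default {kind} port {db['port']}")
    return findings
```

A check like this belongs in the deployment pipeline so that a configuration which regresses on any item fails the build rather than reaching production.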

Solution: Basic Policies

Do not use default credentials.
Avoid default installations.
Maintain consistency of configuration between versions.
Restrict default configuration options.
Avoid default port numbers.
Restrict roles and privileges.
Centralize configuration as much as possible.
Scans and audits.
Strong encryption.

Solution: Secure Coding and Code Review

Design application functionality with security in mind (even though it extends development time).
Practice defensive coding.
Review code to ensure its security properties.
Stay up to date with coding standards compliance.
Consistent design and implementation.
Find security issues and bugs early.

Solution: Secure Configuration and Testing

Attention to detail.
Each component should be checked and verified.
Turn off unsafe features.
Remove default accounts and expire default passwords.
Stress testing.
Penetration testing.
Both automatic and manual testing.

Solution: Patching and Education

Keep applications up to date.
Apply vendor patches on time.
Apply critical security and vulnerability fixes promptly.
Educate developers, administrators, and testers.
Participate in security training.
Attend security conferences.
Subscribe to vendors' security alerts.

Summary

Risk: The prevalence of web application misconfiguration is very high in the IT industry.

Priority: Safeguarding web applications from malicious users and attacks.

Avoid: Security misconfiguration.

Dos: Follow IT security best practices, use common sense, have a good understanding of application security, practice good design principles and defensive coding, and as always ensure the proper security configuration of the application.

Follow-up Questions

What are the standard methods or procedures to monitor for application security misconfiguration?

How frequently do we need to review, audit, and scan security configuration?

Do you prefer default or custom application installation? Please explain why or why not.

References:

Whitelegg, D. (2014, June 17). Scan your app to find and fix OWASP Top 10 2013 vulnerabilities. Retrieved September 17, 2014, from http://www.ibm.com/developerworks/library/se-owasp-top10/index.html

Auger, R. (2010, January 1). Application Misconfiguration. Retrieved September 15, 2014, from http://projects.webappsec.org/w/page/13246914/Application Misconfiguration

Henneberger, D. (2012, January 1). Misconfiguration of Web Applications: A View of Security. Retrieved September 15, 2014, from http://danielhenneberger.com/dist/papers/misconfiguration.pdf

How Misconfiguration Can Leave You Vulnerable to Attackers - Calavista Software. (2014, January 1). Retrieved September 22, 2014, from http://www.calavista.com/misconfiguration-can-leave-vulnerable-attackers/

Pasho, A. (2011, June 22). Is Your Web Site or App Secure? Avoiding Security Misconfiguration. Retrieved September 20, 2014, from http://blog.makingsense.com/2011/06/is-your-web-site-or-app-secure-avoiding-security-misconfiguration/

Kerner, S. (2014, February 3). App Misconfiguration, Mobile Apps With Poor Encryption Pose Risks, HP. Retrieved September 23, 2014, from http://www.eweek.com/security/app-misconfiguration-mobile-apps-with-poor-encryption-pose-risks-hp.html

Misconfigurations: The Firewall's Greatest Threat. (2012, December 3). Retrieved September 24, 2014, from http://www.firemon.com/blog/firewall-management/misconfigurations-the-firewalls-greatest-threat

Weldermariam, K. (2014, January 1). Early Detection of Security Misconfiguration Vulnerabilities in Web Applications. Retrieved September 25, 2014, from http://www.academia.edu/2719069/Early_Detection_of_Security_Misconfiguration_Vulnerabilities_in_Web_Applications

Brady, P. (2014, January 1). PHP Security: Default Vulnerabilities, Security Omissions and Framing Programmers?. Retrieved September 25, 2014, from http://phpsecurity.readthedocs.org/en/latest/_articles/PHP-Security-Default-Vulnerabilities-Security-Omissions-And-Framing-Programmers.html

Statistics reference: http://securityaffairs.co/wordpress/16557/hacking/statistics-on-web-applicationvulnerabilities-statistics-2013.html

Reshef, E. (n.d.). Internet Application Security. Retrieved September 29, 2014, from http://www.cgisecurity.com/lib/IAS.pdf

Cookie Poisoning. (n.d.). Retrieved October 1, 2014, from http://security.radware.com/knowledge-center/DDoSPedia/cookie-poisoning/

Behringer, M. (n.d.). Understanding Operational Security. Retrieved September 24, 2014, from http://www.cisco.com/web/about/security/intelligence/opsecurity.html

Cookie Poisoning | Hacker4Lease. (2012, January 1). Retrieved October 1, 2014, from http://www.hacker4lease.com/attack-methods/cookie-poisoning/

Top 10 2013-A5-Security Misconfiguration. (2013, June 23). Retrieved September 14, 2014, from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration

Cover photo: Tariqul Islam
