leak bucket

The term security misconfiguration is very generic and applies to any security issue that is not a result of a programming error but a result of a configuration error. Security misconfigurations have been defined as a separate category in the 2017 OWASP Top-10 list (category A6-2017). As the definition states, they can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage.

Let’s have a look at the most common security misconfigurations that you should watch out for to maintain web application security.

Lax Permissions and Lack of Hardening

One of the most common causes of security misconfigurations is simply not being strict enough with user permissions and account security settings, especially in the case of production environments. For example, a common error is to enable a user account that runs a service to run shells. If so, and if the attacker somehow gets access to this user account, they are able to run commands in the operating system. Another common error is to use shared accounts for several services – for example, run the web server and the database server from the same account.

To ensure security, all services on a production server should be running using separate accounts and these accounts should have absolutely minimum permissions – only those that are actually required for the service. Such secure separation of privileges makes it next to impossible for attackers to perform privilege escalation.

Default Settings and Default Passwords

Another very common cause of security misconfigurations is trusting default settings. You cannot assume that professional software comes secure by default. Every piece of software that you install, including the web server, the application server, and the database server, needs manual security configuration.

Such software usually comes with all functionality activated, assuming that the user may want to benefit from it. That is an insecure configuration because any extra functionality means an extra potential entry point for an attacker. Therefore, the first thing to do when you install new software is to change the default settings and turn off all unnecessary services, unnecessary features, etc.

Another problem that many companies face is the use of default accounts and default passwords. For example, this applies to any admin consoles, routers, IoT devices, and more. To avoid unauthorized access, you should change every default password and you should know how to create secure passwords. Access control misconfigurations are one of the primary causes of serious security breaches.

Exposing Information

If an attacker finds out what type of software you are using in your back end, for example, the type and version number of your database server, they will have a much easier time to try and find related vulnerabilities. That is why it is very important never to expose any such information to the attacker.

A well-configured system should have error handling configured to suppress any error messages that may give attackers hints. You should also suppress all information banners and any other pieces of direct or indirect sensitive information that may help the attacker fingerprint the configuration.

Another example of exposing too much is allowing directory listing. If the attacker can list the content of directories on the web server, they are able to potentially access many unprotected files and these files may contain sensitive data. Directory listing is considered a serious access control flaw.

Out of Date Software

Web application security is different than network security but the two are closely related. For example, an error in web server software is considered a network security issue. Such errors appear often and some of them may be serious. That is why all software needs to be monitored and updated with the most recent security patches. A great example of a network security bug that affects web application security and that still haunts many systems is the Heartbleed bug.

Therefore, to maintain web application security, it is very important to regularly check for missing patches, especially in the case of public-facing software such as the web server.

Security Scanning to the Rescue

How to avoid security misconfigurations listed above and more?

The most efficient method is by regularly running scans, which expose security issues. Such scans should include production systems and staging systems – production configuration is often based on the staging configuration.

The best way to test security is by using a professional scanner that discovers not just network security misconfigurations (as most scanners do) but focuses on web application security. Acunetix is such a scanner that helps you maintain strong application architecture and helps prevent future misconfigurations. In addition to finding typical web vulnerabilities as SQLi and XSS, Acunetix finds all the security problems listed above and more.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.