Security Misconfiguration

What is Security Misconfiguration?

Improper configuration of the server or web application, leading to flaws such as:

  • Debugging enabled
  • Incorrect folder permissions
  • Using default accounts or passwords
  • Setup/Configuration pages enabled

All of your data could be stolen or modified slowly over time.

Current application security architectures are not secure by default. On the contrary, programmers must explicitly apply security measures to prevent access to private or confidential resources.

OWASP

Security Misconfiguration examples

Example #1: The app server admin console is automatically installed and not removed

Default accounts are not changed.

Risk

Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

Example #2: Directory listing is not disabled on your server

Risk

Attacker discovers they can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which they decompile and reverse engineer to get all your custom code. They then find a serious access control flaw in your application.

Example #3: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws

Risk

Attackers love the extra information error messages provide.

Example #4: App server comes with sample applications that are not removed from your production server

Risk

These sample applications have well-known security flaws attackers can use to compromise your server.

How to prevent Security Misconfiguration

The principle of least privilege:

Everything off by default

  • Disable administration interfaces
  • Disable debugging
  • Disable use of default accounts/passwords
  • Configure server to prevent unauthorized access, directory listing, etc.
  • Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches
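The "everything off by default" checklist above can be turned into a periodic audit. The following is an added example, not Hdiv's own code: it parses a Spring Boot application.properties file (the property names are Spring Boot's; the two sample files are constructed) and flags the settings that map to the misconfiguration classes on this page: debugging, stack traces to users, exposed management/console pages and default credentials.

```python
"""Audit a Spring Boot application.properties for common misconfigurations."""
import re

# (property, predicate that marks the value as unsafe, what a hardened deployment sets)
RULES = [
    ("debug", lambda v: v == "true", "debug=false"),
    ("server.error.include-stacktrace", lambda v: v == "always",
     "server.error.include-stacktrace=never"),
    ("management.endpoints.web.exposure.include", lambda v: v == "*",
     "expose only the endpoints you need, e.g. health,info"),
    ("spring.h2.console.enabled", lambda v: v == "true",
     "spring.h2.console.enabled=false (setup/console page off in production)"),
    ("spring.security.user.password", lambda v: v in {"password", "admin", "user", "changeit"},
     "replace the default/weak password with a generated secret"),
]


def parse_properties(text):
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments, whitespace trimmed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props


def audit_properties(text):
    """Return a list of (property, offending value, recommended setting) findings."""
    props = parse_properties(text)
    return [(key, props[key], fix) for key, unsafe, fix in RULES
            if key in props and unsafe(props[key].lower())]


# Constructed sample: a development profile accidentally shipped to production.
WEAK = """
debug=true
server.error.include-stacktrace=always
management.endpoints.web.exposure.include=*
spring.h2.console.enabled=true
spring.security.user.name=admin
spring.security.user.password=password
"""

# Constructed sample: the same file after applying the checklist.
HARDENED = """
debug=false
server.error.include-stacktrace=never
management.endpoints.web.exposure.include=health,info
spring.h2.console.enabled=false
spring.security.user.password=${ADMIN_PASSWORD}
"""
```

Running audit_properties(WEAK) yields five findings; the hardened file yields none.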

How Hdiv protects against A5 risk

Risk Partially Covered

Hdiv flow control reinforces any existing ACL system, blocking attempts to access resources that were not legitimately offered to the user.

Agent

Detects:

  • Common application misconfigurations
  • Spring escape

Library

The information flow control system implemented by Hdiv controls the resources (links and forms) exposed by the application and prevents requests that break the contract originally offered by the server. In other words, even when the programmer does not use an access control system or ACL (Java EE or Spring Security), Hdiv knows which resources each user may legitimately access.