Security Misconfiguration

OWASP Top 10 - A5

What is Security Misconfiguration?

Improper server or web application configuration leading to various flaws:

  • Debugging enabled.
  • Incorrect folder permissions.
  • Using default accounts or passwords.
  • Setup/Configuration pages enabled.

Such flaws can go unnoticed for a long time: all of your data could be stolen or modified slowly over time.

Most current application architectures are not secure by default. Instead, programmers must explicitly apply security measures to prevent access to private or confidential resources.

Security Misconfiguration examples

Example #1: The app server admin console is automatically installed and not removed, and the default accounts are not changed

Risk

  • Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

Example #2: Directory listing is not disabled on your server

Risk

  • Attacker discovers they can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which they decompile and reverse engineer to get all your custom code. They then find a serious access control flaw in your application.

Example #3: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws

Risk

  • Attackers love the extra information error messages provide.
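The following is an added example, not code from the original page or from Hdiv, showing the difference between the misconfiguration in Example #3 and a hardened error handler. `handle_request` and `risky_operation` are hypothetical; the `debug` flag stands in for an app server's "return stack traces to users" setting, and the failing input and internal path are constructed for the example.

```python
"""Added example (not from the original page or Hdiv): the same failure handled
with stack traces returned to the user (the misconfiguration) and with the
trace kept server-side behind an opaque reference id (the hardened form)."""
import logging
import traceback
import uuid

log = logging.getLogger("app")


def risky_operation(user_id: str) -> dict:
    # Constructed failure: stands in for a bug deep in application code.
    # The path in the message is invented to show what a trace would reveal.
    if not user_id.isdigit():
        raise ValueError(f"bad user id in /internal/db/users.py: {user_id!r}")
    return {"user": int(user_id)}


def handle_request(user_id: str, debug: bool) -> tuple[int, str]:
    """Return (status, body) for a hypothetical request.

    debug=True mirrors an app server that sends the full traceback to the
    client; debug=False logs the trace and returns only a reference id.
    """
    try:
        return 200, str(risky_operation(user_id))
    except Exception:
        trace = traceback.format_exc()
        if debug:
            # Misconfigured: file paths, class names and line numbers reach the client.
            return 500, trace
        ref = uuid.uuid4().hex[:12]
        # Hardened: details stay in the server log, correlated via the reference id.
        log.error("request failed ref=%s\n%s", ref, trace)
        return 500, f"Internal error. Reference: {ref}"


def leaks_internals(body: str) -> bool:
    """Crude check for strings a Python traceback carries; useful as a
    response-scanning rule when testing an error page."""
    markers = ("Traceback", 'File "', "Exception", '.py"', "line ")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for dbg in (True, False):
        status, body = handle_request("abc", debug=dbg)
        print(f"debug={dbg} status={status} leaks_internals={leaks_internals(body)}")
```

Running the block prints one line per mode; only the debug=True body trips `leaks_internals`. The reference id is what support staff use to find the full trace in the server log, so the user-facing message can stay generic.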

Example #4: App server comes with sample applications that are not removed from your production server

Risk

  • These sample applications have well-known security flaws attackers can use to compromise your server.

How to prevent Security Misconfiguration

Apply the principle of least privilege: everything off by default.

  • Disable administration interfaces.
  • Disable debugging.
  • Disable use of default accounts/passwords.
  • Configure server to prevent unauthorized access, directory listing, etc.
  • Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.
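As an added example (not from the original page or Hdiv), the audit below runs the checklist above against a constructed `application.properties`-style file, the kind of periodic check the last bullet recommends. The key names `debug`, `server.error.include-stacktrace`, `spring.security.user.name`, `spring.security.user.password` and `management.endpoints.web.exposure.include` follow Spring Boot conventions and are assumed to be the relevant knobs for this example; `static.directory-listing` is a hypothetical stand-in, since the real directory-listing setting depends on the servlet container.

```python
"""Added example (not from the original page or Hdiv): offline audit of a
constructed .properties file for the misconfigurations listed on the page."""
from dataclasses import dataclass

# Constructed sample config: the first six settings are misconfigurations,
# the last two are harmless.
SAMPLE_CONFIG = """\
# application.properties (constructed for this example)
debug=true
server.error.include-stacktrace=always
spring.security.user.name=admin
spring.security.user.password=admin
management.endpoints.web.exposure.include=*
static.directory-listing=true
server.port=8443
spring.application.name=demo
"""

# Small constructed list of well-known default passwords.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "root", "123456", "secret"}


@dataclass
class Finding:
    key: str
    value: str
    issue: str


def parse_properties(text: str) -> dict:
    """Minimal .properties parser: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(props: dict) -> list:
    """Return one Finding per checklist item that the config violates."""
    findings = []

    def flag(key: str, issue: str) -> None:
        findings.append(Finding(key, props.get(key, "<unset>"), issue))

    # "Disable debugging."
    if props.get("debug", "false").lower() == "true":
        flag("debug", "debugging enabled")
    # Example #3: stack traces returned to users.
    if props.get("server.error.include-stacktrace", "never").lower() != "never":
        flag("server.error.include-stacktrace", "stack traces returned to users")
    # "Disable use of default accounts/passwords."
    pw = props.get("spring.security.user.password")
    if pw is not None and (pw.lower() in DEFAULT_PASSWORDS
                           or pw == props.get("spring.security.user.name")):
        flag("spring.security.user.password", "default or username-equal password")
    # "Disable administration interfaces." (all management endpoints over HTTP)
    if props.get("management.endpoints.web.exposure.include", "").strip() == "*":
        flag("management.endpoints.web.exposure.include",
             "every management/admin endpoint exposed over HTTP")
    # Example #2: directory listing (hypothetical key, see lead-in).
    if props.get("static.directory-listing", "false").lower() == "true":
        flag("static.directory-listing", "directory listing enabled")
    return findings


if __name__ == "__main__":
    for f in audit(parse_properties(SAMPLE_CONFIG)):
        print(f"[{f.key}={f.value}] {f.issue}")
```

The rules are deliberately table-like (one `if` per checklist item) so that a team can add its own container- or framework-specific keys and run the script from CI or a scheduled job against deployed configuration, which is what "running scans periodically" amounts to in practice.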

How Hdiv protects against A5 risk

Risk Partially Covered

  • Hdiv flow control reinforces any existing ACL system, blocking attempts to access invalid resources.