The rise of this vulnerability from sixth to fifth place in the OWASP Top 10 is not surprising. It gained additional notoriety when Avinash Jain discovered a security misconfiguration in Atlassian Jira, a widely used project management tool: as a result of the oversight, he had access to a large amount of sensitive data at the affected organizations, including employee names, email addresses, and private details about internal projects.
It goes without saying that all organizations need to focus more on this critical issue.
What is security misconfiguration?
Security misconfigurations are security controls that are incorrectly configured or left in an insecure default state. These mistakes create security holes that expose the application, its data, and the organization to attack or breach. Notable CWEs here include:
- CWE-16 Configuration
- CWE-611 Improper Restriction of XML External Entity Reference
The application is vulnerable to this if:
- Permissions on cloud services are poorly specified, or security hardening is lacking anywhere in the application stack.
- Features that are superfluous are installed or enabled (e.g., unnecessary ports, services, pages, accounts, or privileges).
- The latest security features are disabled or not configured securely on upgraded systems.
- The security options are not configured to secure values in the application servers, application frameworks (such as Struts, Spring, and ASP.NET), libraries, databases, etc.
- The software is insecure or not updated to the latest version.
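CWE-611 above is a parser left in its permissive default state. As an added example (not code from the original page), the following Python function hardens the standard library's expat parser for untrusted input by refusing any DOCTYPE or entity declaration before it can be resolved; the sample documents and the `file:///placeholder/...` path are constructed for the demonstration.

```python
import xml.parsers.expat


class ExternalEntityRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data: bytes) -> list[str]:
    """Parse XML from an untrusted source and return the element names seen.

    Hardening for CWE-611: a DOCTYPE or ENTITY declaration is rejected
    outright instead of being processed, so an external entity can never
    reach the file system or the network.
    """
    elements: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ExternalEntityRejected(f"DOCTYPE '{name}' not allowed in untrusted input")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ExternalEntityRejected(f"entity '{name}' declaration not allowed")

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


# Constructed sample inputs: a benign document and one carrying an
# external entity declaration (placeholder path, not a real target).
SAFE_XML = b"<order><item sku='A1'/><item sku='B2'/></order>"
XXE_XML = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/secret.txt'>]>"
           b"<order>&ext;</order>")


def check(data: bytes) -> str:
    """Return a one-line verdict for a document, as a log sink would record it."""
    try:
        return "ok: " + ",".join(parse_untrusted_xml(data))
    except ExternalEntityRejected as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    print(check(SAFE_XML))
    print(check(XXE_XML))
```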
Impacts of this vulnerability:
Simple mistakes can lead to security misconfigurations, which expose an application to attack. An attacker may not even need to launch an active attack, because in some cases a misconfiguration exposes data on its own. The risk to application security increases as code and data are made more accessible to users.
Large volumes of private and sensitive data may be exposed to the public internet through storage with weak or nonexistent security controls. In most cases, it is impossible to determine who may have accessed this information before it was secured.
Another frequent problem with web applications, particularly those built on existing frameworks like Drupal, is directory listing being enabled. Any user can browse the file structure, which makes it simple to find and take advantage of security flaws.
Examples showing misconfiguration attacks:
- NASA was exposed by an Atlassian Jira configuration error: an authorization misconfiguration in Global Permissions exposed sensitive data to attackers.
- Citrix ran an IMAP-based cloud email server and became the target of IMAP-based password spraying. Attackers used the insecure, outdated IMAP protocol to gain access to SaaS apps and cloud-based accounts. The attack might have been stopped if multi-factor authentication (MFA) had been enforced.
- Unsecured storage buckets on Amazon’s well-known S3 storage service were the cause of several businesses’ data breaches. For instance, the US Army Intelligence and Security Command unintentionally put important database files on S3, some of which were labeled top secret, without the required authentication.
How to prevent this attack:
Once you have a good understanding of your systems, you can reduce the risks of security misconfiguration by keeping the most vital infrastructure locked down. Only approved users should be allowed access to the environment.
The following are some effective techniques to reduce security misconfiguration:
- Administrators and developers should keep an eye out for the warning signs that configuration problems typically produce. Repeated failed login attempts being reported, malware installing itself on devices, and users' web searches being redirected to unexpected destinations are all warning signs. These incidents are typical indicators of weak application security or compromised devices.
- Install software patches and updates on a regular and timely basis in every environment. Alternatively, patch a golden image and deploy it across your environment.
- The exposure created by remote users can be reduced with a layered approach to remote security that includes intrusion detection systems, authorization zones, firewalls, and virtual private networks (VPNs). In general, effective access restrictions must be applied on a need-to-have basis to all files and directories, in both on-premise data centers and cloud environments.
- Employees must get training on the importance of secure passwords, the risks of shadow IT, and the guidelines for safeguarding private information. To increase awareness of security dangers, suspicious actions, and effective threat responses, a strong security culture is also essential.
- Run scans and audits frequently and regularly to find potential security flaws or missing patches, and make sure the development cycle is well-maintained and organized. This makes it easier to test the application's security during the development stage.
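The warning signs above (repeated failed logins) and the Citrix case earlier (password spraying over legacy IMAP without MFA) can be turned into a concrete check. The following Python detection logic is an added example, not code from the original page: it runs over constructed authentication log lines (the format, hosts and user names are invented for the demonstration) and flags a source that fails logins against many distinct accounts in a short window, plus successful logins over the legacy protocol where MFA cannot be enforced.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from a real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z FAIL user=alice src=203.0.113.7 proto=imap
2024-03-01T08:00:03Z FAIL user=bob src=203.0.113.7 proto=imap
2024-03-01T08:00:05Z FAIL user=carol src=203.0.113.7 proto=imap
2024-03-01T08:00:07Z FAIL user=dave src=203.0.113.7 proto=imap
2024-03-01T08:00:09Z FAIL user=erin src=203.0.113.7 proto=imap
2024-03-01T08:00:11Z OK   user=frank src=203.0.113.7 proto=imap
2024-03-01T08:01:00Z FAIL user=alice src=198.51.100.9 proto=https
2024-03-01T08:01:02Z OK   user=alice src=198.51.100.9 proto=https
2024-03-01T09:30:00Z FAIL user=grace src=203.0.113.7 proto=imap
"""


def parse_line(line: str) -> dict:
    """Split one log line into timestamp, result and key=value fields."""
    ts, result, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "result": result, **fields}


def detect_spraying(log_text: str, window=timedelta(minutes=10), min_accounts=5) -> dict:
    """Return {src: max distinct users failed within one window} for sources over threshold."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0                      # sliding window over this source's failures
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[src] = max(len(users), alerts.get(src, 0))
    return alerts


def legacy_protocol_logins(log_text: str, legacy=("imap", "pop3")) -> list:
    """Users who authenticated successfully over a legacy protocol (no MFA possible)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted({e["user"] for e in events if e["result"] == "OK" and e["proto"] in legacy})


if __name__ == "__main__":
    print("spraying sources:", detect_spraying(SAMPLE_LOG))
    print("legacy-protocol logins:", legacy_protocol_logins(SAMPLE_LOG))
```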
It is usually advisable to combine manual testing with automated testing, because well-known scanners can find and report common security misconfiguration vulnerabilities that are easy to miss when testing manually. So, to provide the best and most secure end-user experience, keep all of these potential dangers in mind before you publish your final application.