OWASP Top 10 part 5: Security Misconfiguration

21.10.2024 3 minutes Author: Lady Liberty

Security misconfigurations are mistakes in security settings that can leave an application or system vulnerable.

Using outdated or unreliable settings

  • Description: Leaving outdated or unreliable security settings.

  • Example: Ports or services that are no longer used but are still left open in the configuration.

Lack of proper server configuration

  • Description: Improper configuration of servers that could lead to vulnerabilities.

  • Example: Incorrect settings for database servers or web servers that allow unauthorized access.

Improper account management

  • Description: Lack of proper management of accounts and access rights.

  • Example: Accounts with excessive privileges or with insecure passwords.

1. Using a development/testing environment on production systems

  • Blue Team: Use separate environments for development, testing, and production. Ensure that test environments do not have access to production data.

  • Red Team: Try to find URLs related to test environments or access to configuration files that may reveal data about the production environment.

2. Using HTTP outside of the development environment

  • Blue Team: Disable HTTP and require the use of HTTPS with up-to-date certificates.

  • Red Team: Check whether plain HTTP traffic can be tampered with (MITM) or have data injected into it.

3. Incorrect HTTPS configuration

  • Blue Team: Check that your SSL/TLS settings are correct and that only trusted protocols and ciphers are used.

  • Red Team: Check for SSL/TLS vulnerabilities, such as unsafe ciphers or legacy protocol support.

4. Incorrect SSH configuration

  • Blue Team: Deny root SSH access, disable password authentication in favor of SSH keys.

  • Red Team: Try to attack the SSH configuration, focusing on detecting root access or weak passwords.

5. Incorrect configuration of directory listing

  • Blue Team: Deny access to the directory listing via server settings (e.g. via .htaccess or Nginx/Apache configuration).

  • Red Team: Check whether directory listing is accessible and look for sensitive files or backups.

6. Unsecured publicly open ports

  • Blue Team: Open only those ports that are necessary for the services to work, close the database ports (for example, 5432 for PostgreSQL).

  • Red Team: Conduct port scans to identify open ports that can be used for attacks.

7. Use of default logins and passwords

  • Blue Team: Change default logins and passwords immediately after system installation, disable outdated accounts.

  • Red Team: Use brute force attacks or lists of default passwords to log in.

8. Test accounts on production systems

  • Blue Team: Disable or delete all test accounts before deploying a production system.

  • Red Team: Try to detect test accounts through fuzzing or dictionary-type attacks.

9. Overly informative errors or stack traces on production systems

  • Blue Team: Enable custom error pages and disable stack trace display in the production environment.

  • Red Team: Use information from errors for further attacks, such as file paths or database names.

10. Security mechanisms disabled for convenience

  • Blue Team: Ensure all security mechanisms remain enabled even during development. For example, require a password to use sudo.

  • Red Team: Look for temporary settings that were left behind after testing.
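The Blue Team points for items 2 to 5 can be turned into a simple configuration audit. The script below is an added example, not code from the original post: it walks over an sshd_config and an nginx server block (both constructed samples, not taken from any real host) and reports the settings the list warns about. It assumes the simple "directive value;" line format and does not handle nested nginx includes.

```python
import re

# Constructed sample configs for this example; they are not taken from any real host.
SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""
NGINX_CONFIG = """\
server {
    listen 80;
    autoindex on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def _directives(text):
    """Yield (name, value) for each directive, ignoring comments, blanks and braces."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, value = line.partition(" ")
        yield name.lower(), value.strip()

def audit_sshd(text):
    """Flag the two SSH settings from item 4: root login and password authentication."""
    findings = []
    for name, value in _directives(text):
        if name == "permitrootlogin" and value.lower() == "yes":
            findings.append("PermitRootLogin yes")
        elif name == "passwordauthentication" and value.lower() == "yes":
            findings.append("PasswordAuthentication yes")
    return findings

def audit_nginx(text):
    """Flag plain HTTP (item 2), legacy TLS versions (item 3) and directory listing (item 5)."""
    findings = []
    for name, value in _directives(text):
        if name == "listen" and re.search(r"(^|:)80(\s|$)", value) and "ssl" not in value:
            # A plain HTTP listener is acceptable only if the block does nothing but redirect to HTTPS.
            findings.append("listen 80 (plain HTTP)")
        elif name == "ssl_protocols" and LEGACY_TLS & set(value.split()):
            findings.append("ssl_protocols " + value)
        elif name == "autoindex" and value.lower() == "on":
            findings.append("autoindex on")
    return findings
```

Run the two audit functions against the files of a real host to get a first list of items to fix; a hardened nginx block with `listen 443 ssl;` and `ssl_protocols TLSv1.2 TLSv1.3;` produces no findings.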
