OWASP Top 10 part 5: Security Misconfiguration

21 October 2024 3 minutes Author: Lady Liberty

Security misconfiguration (A05:2021 in the OWASP Top 10) covers mistakes in the security settings of an application, server or platform that leave it open to attack even when the code itself has no flaw. It usually takes one of three forms.

Outdated or insecure settings

  • Description: Security settings that were never hardened, or that have not kept up with the software (legacy options left enabled, components left unpatched).

  • Example: Ports or services that are no longer used but remain open or enabled in the configuration.

Improper server configuration

  • Description: Web, application or database servers deployed with settings that expose them.

  • Example: Database or web server settings that allow unauthenticated or unauthorized access.

Improper account management

  • Description: Accounts and access rights that are not managed: unused accounts are not removed and privileges are never reviewed.

  • Example: Accounts with more privileges than their role needs, or with weak or default passwords.

1. Development or test environment settings on production systems

  • Blue Team: Keep development, testing and production as separate environments with separate credentials. Test environments must not hold or reach production data.

  • Red Team: Look for URLs of test or staging environments and for exposed configuration files or backups that reveal details of the production environment.

2. Plain HTTP outside the development environment

  • Blue Team: Serve only HTTPS with valid, current certificates; redirect HTTP to HTTPS and send an HSTS header so browsers do not fall back to plain HTTP.

  • Red Team: Where HTTP is in use, check whether traffic can be intercepted or modified (man-in-the-middle), including whether session cookies or credentials travel in the clear.

3. Incorrect HTTPS configuration

  • Blue Team: Review the SSL/TLS settings: allow only current protocol versions (TLS 1.2 and 1.3) and strong cipher suites, and keep the certificate chain complete and valid.

  • Red Team: Test the SSL/TLS configuration for weaknesses such as weak cipher suites, legacy protocol support (SSLv3, TLS 1.0/1.1) or a broken certificate chain.

4. Incorrect SSH configuration

  • Blue Team: Deny direct root login over SSH and disable password authentication in favor of SSH keys; where possible, also restrict which networks can reach the SSH port.

  • Red Team: Test the SSH configuration, focusing on whether root login is permitted and whether password authentication allows weak or guessable passwords.
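As an added example (not code from the article), the following Python script audits an sshd_config for the two settings the Blue Team bullet names: PermitRootLogin and PasswordAuthentication. It applies sshd's own parsing rules: the first occurrence of a keyword wins, keywords are case-insensitive, and directives after a Match line are conditional rather than global. When a keyword is absent it assumes the OpenSSH 7.0+ built-in defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes). The two sample configurations are constructed for the example.

```python
# Added example: audit an sshd_config for root login and password
# authentication. Parsing follows sshd_config(5): "Keyword value" lines,
# case-insensitive keywords, "#" comments, first occurrence wins, and
# anything after a "Match" line is conditional, so it is not treated as
# a global setting.

# Constructed sample: a fresh server left with convenience settings.
WEAK_SSHD_CONFIG = """
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication no
"""

# Constructed sample: the hardened version of the same file.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
"""

# OpenSSH built-in defaults (7.0 and later) used when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}


def parse_global_directives(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Only the first occurrence of a keyword counts, as in sshd itself, and
    parsing stops at the first Match block because its directives apply
    only to matching connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means both checks pass."""
    settings = parse_global_directives(text)
    findings = []
    root = settings.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower()
    if root == "yes":
        findings.append("PermitRootLogin yes: root can log in directly over SSH")
    pw = settings.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower()
    if pw == "yes":
        findings.append("PasswordAuthentication yes: password guessing is possible; use keys")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```

One caveat when running this against a real host: distributions that ship an Include directive (for example a sshd_config.d drop-in directory) load those files at the point of the Include, and because the first occurrence wins, a drop-in file can silently override what the main file says. Check the effective configuration with sshd -T rather than trusting a single file.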

5. Directory listing enabled

  • Blue Team: Disable directory listing in the server configuration (for example, Options -Indexes in the Apache configuration or .htaccess, autoindex off in Nginx).

  • Red Team: Check whether directories can be listed and look through them for sensitive files, backups and copies of configuration files.
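Items 2, 3 and 5 above are all visible in a web server's configuration file, so as an added example (not from the article) here is a Python check over an nginx configuration that flags a plain-HTTP server block with no redirect to HTTPS, legacy TLS protocol versions, and autoindex on. It goes slightly beyond the text by also checking that the HTTPS server block sends an HSTS header. The parser assumes one directive per line and top-level server blocks, which is how nginx configurations are normally written; both configurations below are constructed samples.

```python
import re

# Added example: audit an nginx configuration for plain HTTP without a
# redirect, legacy TLS versions, missing HSTS and directory listing.
# Assumes one directive per line and top-level "server { ... }" blocks.

# Constructed sample: the misconfigured site.
WEAK_NGINX = """
server {
    listen 80;
    server_name example.test;
    root /var/www/html;
    autoindex on;             # directory listing for convenience
}

server {
    listen 443 ssl;
    server_name example.test;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    root /var/www/html;
}
"""

# Constructed sample: the hardened site.
HARDENED_NGINX = """
server {
    listen 80;
    server_name example.test;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    root /var/www/html;
    autoindex off;
}
"""

LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def server_blocks(text):
    """Return the body of each top-level `server { ... }` block."""
    blocks, depth, buf, in_server = [], 0, [], False
    for line in strip_comments(text).splitlines():
        stripped = line.strip()
        if not in_server and re.match(r"server\s*\{", stripped):
            in_server, depth, buf = True, 1, []
            continue
        if in_server:
            depth += stripped.count("{") - stripped.count("}")
            if depth <= 0:
                blocks.append("\n".join(buf))
                in_server = False
            else:
                buf.append(stripped)
    return blocks


def directives(block):
    """Return (name, arguments) for each `name args;` line in a block."""
    out = []
    for line in block.splitlines():
        m = re.match(r"(\S+)\s*(.*?);\s*$", line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def audit_nginx(text):
    findings = []
    for i, block in enumerate(server_blocks(text), 1):
        d = directives(block)
        listens = [a for n, a in d if n == "listen"]
        is_tls = any("ssl" in a.split() for a in listens)
        is_plain = any(a.split()[0] in ("80", "[::]:80") for a in listens if a.split())
        if is_plain and not is_tls:
            if not any(n == "return" and "https://" in a for n, a in d):
                findings.append(f"server {i}: plain HTTP served without redirect to HTTPS")
        if is_tls:
            protos = set()
            for n, a in d:
                if n == "ssl_protocols":
                    protos.update(a.split())
            legacy = sorted(protos & LEGACY_TLS)
            if legacy:
                findings.append(f"server {i}: legacy TLS protocols enabled: {' '.join(legacy)}")
            if not any(n == "add_header" and "Strict-Transport-Security" in a for n, a in d):
                findings.append(f"server {i}: no HSTS header on HTTPS server")
        if any(n == "autoindex" and a.strip() == "on" for n, a in d):
            findings.append(f"server {i}: directory listing enabled (autoindex on)")
    return findings


if __name__ == "__main__":
    print("weak:", audit_nginx(WEAK_NGINX))
    print("hardened:", audit_nginx(HARDENED_NGINX))
```

A static check like this only reads what is written in the file; it will not catch an ssl_protocols line inherited from the http context or an old cipher list, so pair it with an external scan of the live endpoint when assessing item 3.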

6. Unnecessary publicly open ports

  • Blue Team: Expose only the ports a service needs and firewall the rest; keep database ports (for example, 5432 for PostgreSQL) bound to localhost or an internal network rather than a public interface.

  • Red Team: Scan for open ports to find services that are exposed unnecessarily and can be attacked.
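The Blue Team check for this item can be done from the inside with ss -tlnp rather than an external scan. As an added example (not from the article), the script below parses that command's output and reports database and cache services listening on all interfaces, which is the usual way a database port ends up public. The ss output, the process names and the port list are constructed for the example.

```python
import re

# Added example: given the output of `ss -tlnp`, flag internal services
# (databases, caches) that listen on all interfaces instead of loopback
# or an internal address. The sample output below is constructed.

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       244     0.0.0.0:5432         0.0.0.0:*          users:(("postgres",pid=812,fd=5))
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=900,fd=6))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=1001,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=700,fd=3))
LISTEN  0       4096    0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=950,fd=21))
LISTEN  0       128     10.0.0.5:27017       0.0.0.0:*          users:(("mongod",pid=980,fd=11))
"""

# Well-known ports of services that should not be reachable from outside.
INTERNAL_SERVICE_PORTS = {
    5432: "postgresql", 3306: "mysql", 6379: "redis",
    27017: "mongodb", 9200: "elasticsearch", 11211: "memcached",
}
WILDCARD_ADDRESSES = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]"}


def parse_ss_listen(text):
    """Return [(address, port, process)] for each LISTEN row of ss -tlnp."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:22 and *:443
        proc = re.search(r'\("([^"]+)"', line)
        rows.append((addr, int(port), proc.group(1) if proc else "?"))
    return rows


def exposed_internal_services(text):
    """Return findings for internal services not bound to loopback.

    Wildcard bindings are rated HIGH; a specific non-loopback address is
    marked for REVIEW, since it may be a private interface.
    """
    findings = []
    for addr, port, proc in parse_ss_listen(text):
        if port not in INTERNAL_SERVICE_PORTS or addr in LOOPBACK_ADDRESSES:
            continue
        name = INTERNAL_SERVICE_PORTS[port]
        if addr in WILDCARD_ADDRESSES:
            findings.append(f"HIGH: {name} ({proc}) on port {port} listens on all interfaces")
        else:
            findings.append(f"REVIEW: {name} ({proc}) on port {port} listens on {addr} (not loopback)")
    return findings


if __name__ == "__main__":
    for finding in exposed_internal_services(SAMPLE_SS_OUTPUT):
        print(finding)
```

The wildcard binding is the finding to act on: either bind the service to 127.0.0.1 or the internal interface, or keep the binding and block the port at the host firewall. An external port scan from the Red Team side confirms which of these bindings is actually reachable.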

7. Default logins and passwords

  • Blue Team: Change default logins and passwords immediately after installation and disable accounts that are no longer used.

  • Red Team: Try lists of default and common credentials, and brute-force logins where no lockout or rate limiting is in place.

8. Test accounts on production systems

  • Blue Team: Disable or delete all test accounts before a system goes into production.

  • Red Team: Try to find test accounts through fuzzing or dictionary attacks on usernames.

9. Verbose errors or stack traces on production systems

  • Blue Team: Use custom error pages and disable stack-trace display (debug mode) in the production environment; keep the detail in server-side logs only.

  • Red Team: Use the information in error messages, such as file paths, database names or framework versions, to plan further attacks.
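To make concrete what a verbose error actually gives away, here is an added example (not from the article) of one request handler written two ways: a debug form that returns the Python traceback to the client, and a production form that logs the traceback server-side and returns only a generic message with a reference ID the user can quote to support. It is framework-free so it runs stand-alone; the lookup function, its database path and its failure are constructed for the example.

```python
import logging
import traceback
import uuid

# Added example: the same handler with debug-style and production-style
# error handling. lookup_user and its failure are constructed stand-ins
# for a real data access layer.

log = logging.getLogger("app")


def lookup_user(user_id, db_path="/srv/app/data/users.sqlite"):
    # Constructed failure standing in for a real database error.
    raise FileNotFoundError(f"database not found: {db_path}")


def handle_debug(user_id):
    """Vulnerable: the error page exposes file paths, function names
    and the database location to whoever triggered the error."""
    try:
        return 200, lookup_user(user_id)
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def handle_production(user_id):
    """Hardened: the client sees a generic message plus a reference ID;
    the full traceback goes to the server log under the same ID."""
    try:
        return 200, lookup_user(user_id)
    except Exception:
        error_id = uuid.uuid4().hex[:12]
        log.exception("request failed, error_id=%s", error_id)
        return 500, f"Internal server error (reference {error_id})"


def leaks_internals(body):
    """Return the internal details found in a response body: the kind of
    information the Red Team bullet above says to harvest."""
    markers = ("Traceback", 'File "', ".sqlite", "lookup_user")
    return [m for m in markers if m in body]


if __name__ == "__main__":
    for handler in (handle_debug, handle_production):
        status, body = handler(42)
        print(handler.__name__, status, "leaks:", leaks_internals(body))
```

The reference ID is what keeps the production form supportable: an operator can find the full traceback by searching the log for it, while the client learns nothing about paths, stack frames or the data store.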

10. Security mechanisms disabled for convenience

  • Blue Team: Keep all security mechanisms enabled even during development. For example, require a password for sudo.

  • Red Team: Look for temporary settings that were relaxed for testing and never restored.
