Top 10 OWASP vulnerabilities. It can encompass anything and everything related to configurations but if we do some effort it is possible to define a general testing guide for security misconfigurations by looking at the common properties of all the issues we can find in write ups and activities.
How to identify Security Misconfiguration
The following properties of a system will usually point to a likely vulnerability though some of these properties are a bit more ambiguous and harder to test.
Not having sufficient security hardening. We often forget that this goes across all parts of the application stack, this also includes the API security which is often forgotten. Most applications these days consist of complete technical solutions and issues might arise in any of these components. To test for this properly we need to have a good overview of our system under test though.
When our target uses cloud services, they need to make sure to configure the authentication and authorisation on those properly as well.
If features are enabled that are not being used this can lead to some dangerous security impact in certain cases. An example we can think of is leaving a port open that is not needed while having vulnerable software running on there.
Some admins are very lazy and they might leave passwords default or super easy to guess like test/test. This is also a security misconfiguration of course.
Our target needs to keep it's systems and dependencies up to date. Besides keeping them up-to-date we need to make sure these components are enabled and configured properly.
If any of the settings surrounding security is set to an insecure value.
The server will not respond with security headers or directives. Of course when set they should contain appropriate security values.
To prevent these kinds of vulnerabilities, we can implement some mitigations.
All of these best practices serve to cover a particular goal but we also need to know what these goals are so we can test with precision.
Cloud storage misconfigurations
Test network infrastructure configuration
Test Application Platform Configuration
Testing alternative HTTP methods
Test HTTP Strict Transport Security
Test network infrastructure configuration
This can be anything from an exposed admin panel to damaging well-known exploits. Pretty much any attack that can be performed over the network and relies on configuration can be put into this category.
Cloud storage misconfigurations
Companies often use services like S3 buckets from amazon without properly understanding them. This might lead to misconfigurations happening which could allow things like unauthenticated access.
Testing alternative HTTP methods
Just like we already talked about in chapter 5 (Broken access control), we can use the OPTIONS http method to find out which http methods we are able to execute and sometimes this might concern http methods which are not fully implemented on the server.
Test HTTP Strict Transport Security
This is not interesting at all for bug bounty hunters but pentesters should reports this as a best practice. A website should always force the user onto the https version of the website.
So how do we hunt for this?
Hunting for security misconfigurations requires some special conditions because you need to either have a confirmable guess at a certain configuration or have access to how a system works by for example looking at it's source code on github. You will also need to confirm these findings though since an unconfirmed vulnerability isn't really one at all.
We can start by doing some google dorking and looking for conf files or yaml or xml or anything related to configurations.
```xml
filtype:cfg or filetype:yml or filetype:xml or intitle:"Config" or ...
```
Besides google dorking we can do the exact same thing for github where we might have some more luck as usually developers will mask things like passwords by putting them into environment variables but they leave all the other settings in plain sight.
Whenever you come across a configuration file it is up to you to find out exactly what every setting is for and if that setting can be unsafe by simply googling around and even just reading the manuals of the components for which those config files serve.
Security Misconfiguration examples
A good eye for detail netted this hacker 300$ by hunting down an API key while doing bug bounties.
During his attempts we can see he found a file containing a google API key. This API key was used for shortening URLs which would allow an attacker to mask their URLs as a URL of the company. This can lead to all kinds of phishing and scamming attacks. During the attack, it was also noticeable that an open redirect was possible where the url “https://lnk.clario.co/?link=[URLHERE]would accept any URL, as long as it had “clario.co” in it. These are some great examples of security misconfigurations where we have private tokens in a public script and where an open redirect was possible on a different endpoint.
Another great example was found by a user called “yourdarkshadow” who discovers that a header is not set properly leading to a security misconfiguration. https://hackerone.com/reports/12453 This was the Strict-Transport-Security header which protects websites from so called “downgrade” attacks.
How to fix Security Misconfiguration
We have to make sure that Automated systems are in place to easily deploy a new environment which is identical to the PRD environment in regards to security and configuration.
The DTAP environments (Development, testing, acceptance and production) should ideally be identical while making sure to not re-use credentials.
We need to have the minimum amount of functionality possible enabled. If we don't strictly need a component for our application, we should disable those components. This includes shadow-api's which are api's that are online but which nobody knows they exist off.
We need to implement a process to do a periodic security review that focuses on cloud storage strategies (i. e. s3 buckets)
A good separation of components with attention to separating tenants if they use the same hardware.
Every components needs to have a very well defined security profile
Our applications should always send security directives like headers
We should automate the verification of our security settings as much as possible so we can pick up on issues before they get pushed to a live environment. Static code reviews can also help.
Stepan is a cybersecurity expert proficient in Python, Java, and C++. With a deep understanding of security frameworks, technologies, and product management, they ensure robust information security programs. Their expertise extends to CI/CD, API, and application security, leveraging Machine Learning and Data Science for innovative solutions. Strategic acumen in sales and business development, coupled with compliance knowledge, shapes Wallarm's success in the dynamic cybersecurity landscape.
With over a decade of experience in cybersecurity, well-versed in system engineering, security analysis, and solutions architecture. Ivan possesses a comprehensive understanding of various operating systems, programming languages, and database management. His expertise extends to scripting, DevOps, and web development, making them a versatile and highly skilled individual in the field. Bughunter, working with top tech companies such as Google, Facebook, and Twitter. Blackhat speaker.