Security misconfiguration is the implementation of improper security controls, such as for servers or application configurations, network devices, etc. that may lead to security vulnerabilities. For example, insecure configuration of web applications could lead to numerous security flaws including: Incorrect folder permissions

1. Security Misconfiguration

2. Introduction to Security Misconfiguration
o Misconfiguration is define as configuration mistakes that results in
unintended application behavior that includes misuse of default
passwords, privileges, and excessive debugging information disclosure.
o This happens when the system administrators, DBAs or developers
leave security holes in the configuration.
o Good security required proper configuration of systems.
oThe effects of misconfiguration can be non-threatening but also can lead
service outage , loss of sensitive data and other serious problems.

4. Where?
Security misconfiguration may happen any of the following levels:
Operating system or platform
Web server
Application server
Database server
Framework
Custom code

5. Impact
Can be severe
Partial or full data loss
Data modification
Compromise of full system
Expensive recovery

6. How to test for a security misconfiguration
Automated Scanners are useful for detecting misconfigurations, use of default
accounts or configurations, unnecessary services, legacy options, etc.
Using Burp to Test for Security Misconfiguration Issues:
Application misconfiguration attacks exploit configuration weaknesses found in
web applications. Security misconfiguration can happen at any level of an
application stack, including the platform, web server, application server,
database, and framework.

7. Cause: Inadvertent use of default options
Default options are always an easy target for hackers. It is very common that
users often do not change their default password or do not delete default user
ID.
Some applications come with default port number as well.
Examples:
Oracle database default installation includes default user id and password
User/schema: scott, password: tiger and default port number 1521

8. Cause: Excess debugging information
Revealing too much debugging information is a very common misconfiguration
problem. This usually does not result directly to exploitation of a system.
Attackers can collect extra information, such as the internal working of an
application and version numbers.
Attackers can use this excessive debugging information to craft SQL to perform a
SQL injection attack. Also, when applications fail to perform an action, they can
leak sensitive information.

9. Cause: Improper Policy or Role Configuration
Role misconfiguration is another leading cause of web application
misconfiguration.
This causes groups or roles to access settings or records that were not intended
for them.There are many reasons for role misconfigurations.
Complex business roles and polices can be blamed for role misconfiguration.
Example: allowing admin staff to view human resource data.

10. Cause: Human Mistakes
Human mistakes are frequent and unavoidable and can account for up to
43% of all system failures.
Operator error is the main reason for downtime for large websites, such
as Google, MSN, andYahoo. Proper interfaces and good design can
drastically reduce operator mistakes.
Poorly designed application interfaces and too tight restriction may force
user to attempt or bypass security then they need to accomplish a goal.

11. Prevention: Basic Policies
•Do not use default credentials.
•Avoid default installations.
•Maintain consistency of configuration between versions.
•Restrict default configuration options.
•Avoid default port numbers.
•Restrict roles and privileges.
•Centralize configuration as much as possible.
•Scans and audits.
•Strong encryption.

12. Prevention: Secure coding and code review
•Design application functionality with security in mind.
•Extends development time.
•Practice defensive coding.
•Review codes to ensure security properties.
•Stay up to date with coding standards compliance. Consistent design and
implementation.
•Finding security issues/bugs early.

13. Solution: Patching and Education
 Keep applications up to date.
Apply vendor patches on time.
Apply critical security and vulnerability regularly.
Educate developers, administrators, and testers.
Participate security training.
Attend security conferences.
Subscribe to vendor’s security alert.

14. Conclusion
Security misconfiguration or poorly configured security controls, could
allow malicious users to change your website, obtain unauthorized
access, compromise files, or perform other unintended actions.
Risk:The prevalence of web application misconfiguration is very high in
IT industry. •
Priority: Safeguarding web application from malicious users and attacks.

15. References
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
https://support.portswigger.net/customer/portal/articles/1965728-using- burp-to-test-for-
security-misconfiguration-issues
https://www.youtube.com/watch?v=vheGnopQm6s&t=514s
https://www.cloudflare.com/learning/security/threats/owasp-top-10/ •
https://resources.infosecinstitute.com/2017-owasp-a6-update-security- misconfiguration/#gref
https://bounty.github.com/classifications/security-misconfiguration.html •
https://www.youtube.com/watch?v=ouuXu9_UM0w

16. Thank You
You can find me at:
▫ @https://www.linkedin.com/in/
Kalyani-raut-29756a10a
▫ kalyaniraut97@gmail.com
Thanks !
ANY QUESTIONS?