Application Security Misconfiguration attacks exploit configuration weaknesses found in web applications. Many applications come with necessary developer features that are dangerously unsafe if not deactivated during live production, such as debug and QA features. These features may provide means for a hacker to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges.
Default installations may include well-known usernames and passwords, hard-coded backdoor accounts, special access mechanisms, and incorrect permissions set for files accessible through web servers. Default samples may be accessible in production environments. Application-based configuration files that are not properly locked down may reveal clear text connection strings to the database, and default settings in configuration files may not have been set with security in mind. All of these misconfigurations may lead to unauthorized access to sensitive information.
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
Commonly Found Vulnerable Postures:
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, Web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. If an application lacks proper security controls, an attacker can potentially access default accounts, unused pages, or unprotected files or exploit unpatched flaws to gain unauthorized access to or knowledge of the system.
Is your application missing the proper security hardening across any part of the application stack? Including:
The primary recommendations are to establish all of the following:
OWASP, Wikipedia, PC Magazine, CIS Security Configuration Guides
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.