
Security Misconfigurations

What are Security Misconfigurations?

Security misconfigurations result from security settings that are never defined or implemented, so that default values remain in place. In practice this means the configuration does not meet the industry security standards that are critical to maintaining security and reducing risk. Security misconfigurations happen most often when a system administrator or database administrator fails to properly configure the security framework for a desktop, website, application, or server. Sometimes they happen when an environment is built by multiple parties working to different levels of security, leaving an exploitable gap. Common misconfigurations include unpatched systems, default account settings, a secure password policy that is not enforced, unencrypted files and directories, out-of-date web applications, unsecured devices, unused features that are enabled or installed, unpublished URLs that are not blocked from ordinary users' traffic, improper application coding practices, web application misconfiguration, cloud misconfiguration, and insufficient firewall protection. Misconfigurations are often seen as an easy target by cyberattackers because they are easy to detect. The following types of attacks target misconfiguration vulnerabilities:

Brute force/credential stuffing. Allows a cyberattacker to guess a person's username, password, credit card number, or cryptographic key through an automated process of trial and error. If the attempt succeeds, the cyberattacker may gain access to confidential data, administrative tools, and sections of the web application that might expose further vulnerabilities.

Forceful browsing. A cyberattacker uses brute force techniques to search the domain directory for unlinked content such as temporary directories or files, old configuration files, and old backup data. These resources can give the cyberattacker sensitive information about web applications and operating systems, such as credentials, internal network addresses, and source code. Forced browsing attacks can be performed manually when application index pages and directories are based on predictable values or number generation; common directory names and files can be attacked using automated tools. The forced browsing attack is also known as active directory enumeration, file access enumeration, predictable resource location, authentication forceful browsing, and resource enumeration.
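From the defender's side, a forced-browsing sweep is visible in the web server's access log as one client collecting many 403/404 responses while asking for backup, old-copy, or configuration paths that are never linked from the site. The following detector is an added example, not code from the page or from the IBM guide it draws on; it assumes combined access-log format, a constructed eight-line sample, and a hypothetical list of "sensitive-looking" path patterns that you would tune for your own site.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1042
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /config.php.bak HTTP/1.1" 404 210
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 210
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /.git/config HTTP/1.1" 404 210
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /admin/ HTTP/1.1" 403 199
198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "GET /old/ HTTP/1.1" 404 210
203.0.113.9 - - [10/Mar/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 1042
203.0.113.9 - - [10/Mar/2024:12:00:06 +0000] "GET /about.html HTTP/1.1" 200 880
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# Path patterns typical of probes for unlinked content (backups, old copies,
# version-control metadata, config files). Assumed list; tune for your site.
SENSITIVE_RE = re.compile(
    r'(\.bak|\.old|\.orig|\.zip|\.tar\.gz|\.sql|/\.git/|/\.env$|/backup|/old/)', re.I)


def parse_line(line):
    """Return (ip, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)


def detect_forced_browsing(log_text, miss_threshold=3, sensitive_threshold=2):
    """Flag client IPs whose requests look like a sweep for unlinked resources:
    many 403/404 responses, or several requests for backup/config-style paths."""
    misses = defaultdict(int)          # ip -> count of 403/404 responses
    sensitive = defaultdict(list)      # ip -> probed sensitive-looking paths
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                   # skip malformed lines rather than crash
        ip, _method, path, status = parsed
        if status in (403, 404):
            misses[ip] += 1
        if SENSITIVE_RE.search(path):
            sensitive[ip].append(path)
    findings = {}
    for ip in set(misses) | set(sensitive):
        if misses[ip] >= miss_threshold or len(sensitive[ip]) >= sensitive_threshold:
            findings[ip] = {"misses": misses[ip], "sensitive_paths": sensitive[ip]}
    return findings
```

The thresholds are deliberately low for the eight-line sample; on real logs, count misses per client over a time window and raise them so that ordinary broken links do not trigger an alert.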

Injection attacks. Allow a cyberattacker to inject code into a program or query, or to place malware on a computer, in order to execute remote commands that can read or modify a database or change data on a website. Types of injection attacks include SQL injection (SQLi), code injection, command injection, CCS injection, SMTP/IMAP injection, host header injection, LDAP injection, and CRLF injection.

Buffer overflow. Overflows a buffer with excessive data, which allows a cyberattacker to run a remote shell on the computer and gain the same system privileges granted to the application being attacked. Web servers or web applications that manage the static and dynamic aspects of a site, or that use graphics libraries to generate images, are vulnerable to buffer overflow attacks. These attacks cause system crashes that might place a system in an infinite loop, or execute code on the system in order to bypass a security service.

Cross-site scripting (XSS). Allows a cyberattacker to send malicious code to a different end user through a web application that does not validate or encode it. In an XSS attack, text containing malicious code (often JavaScript) is inserted into a web page, and when a user visits that page the malicious code is executed in their browser. An XSS attack can steal cookie details, change user settings, and hijack user sessions.

IBM (2009). IBM Proventia Web Application Security: Configuration Guide, Version 1.0.