Threat Analysis

Welcome to Security Misconfiguration session. In this first part, we will focus on threat analysis. We will take our time to discuss how security misconfigurations compromise application security. Then we will discuss how the system can be harmed, the impact of the successful exploitation, and give you some insights to identify who may want to harm your system. Security misconfiguration is a very broad category. By definition, a misconfiguration is an incorrect or inappropriate configuration. But security-wise, these incorrect or inappropriate configurations lower system resilience, increasing the overall security risk. Things like enable directory listing, public accessible system logs, or unhandled errors with overly informative messages fit in this category. All of them tend to give attackers insights about system internals, making further exploitation easier.

Instead of searching for a zero-day venerability, attackers tend to take the short path first, searching for known issues. This approach has proved to be fruitful. Most applications, such as database servers, have default accounts with administrative privileges to allow the initial setup. Not removing such accounts leaves the door wide open to attackers. Sometimes special pages are used to automate specific tasks. Graphical installers are a good example. They are intended to be used once and then removed. But quite often, they get deployed along with the application. Enable directory listings or public-accessible files such as system logs or backups are easy to find even without touching the application.

The most common consequence of security misconfigurations is the unauthorized access to some system data or functionality. Depending on exposed data or functionality nature, exploitation may become easier. Occasionally, security misconfigurations allow attackers to get control over the system. Firewall or remote access misconfigurations are good candidates to make the system vulnerable. Finding security misconfigurations can be done without touching the application. Using a search engine may be enough to identify exposed directories or files, such as system logs or database backups. Non-tech threat agents such, as competitors or activists, may follow this approach to get access to your system details or business secrets without much effort. You’ll find this table in the OWASP Top 10.

Pause the video, and take your time to carefully read it. In the next part, we will review some security misconfigurations in our target application found in previous sessions while exploiting other vulnerabilities.