🧱

A05 - 2021: Security Misconfiguration

What is Security Misconfiguration?

Threat Agents / Attack VectorsSecurity WeaknessProperty
Bad actors can abuse this issue type in a number of ways but this issue can propagate in a number of ways as well so that is to be expected. The attackers can search out systems that require patching, use default credentials on existing applications or try to guess passwords to gain access to some accounts who have configured a weak password. Another technique could be to get access to pages behind a login page which are not protectedThis issue type can cause a security weakness on all levels of the web app and an architect should carefully evaluate the full configuration of the network. If they do not, they run the risk of attackers using their own misconfigurations against them. Containers can also not escape the festivities as they might also contain vulnerabilities if configured incorrectly. This often goes for orchestrators as well which will control the containers.These issues often lead to the disclosure of files to the attackers but it can even lead to full system takeover if the misconfiguration is too bad. As for the business stakeholders, it really depends on how they value the data that is being compromised and how the application functions.

I believe this name was chosen to be as ambiguous as possible for one of the Top 10 OWASP vulnerabilities. It can encompass anything and everything related to configurations but if we do some effort it is possible to define a general testing guide for security misconfigurations by looking at the common properties of all the issues we can find in write ups and activities.

How to identify Security Misconfiguration

The following properties of a system will indicate a likely vulnerability though some of these properties are a bit more ambiguous and harder to test.

To prevent these kinds of vulnerabilities, we can implement some mitigations.

All of these best practices serve to cover a particular goal but we also need to know what these goals are so we can test with precision.

Test network infrastructure configuration

This can be anything from an exposed admin panel to known server vulnerabilities. Pretty much any attack that can be performed over the network and relies on configuration can be put into this category.

Cloud storage misconfigurations

Companies often use services like S3 buckets from amazon without properly understanding them. This might lead to misconfigurations happening which could allow things like unauthenticated access.

Testing alternative HTTP methods

Just like we already talked about in chapter 5 (Broken access control), we can use the OPTIONS http method to find out which http methods we are able to execute and sometimes this might concern http methods which are not fully implemented on the server.

Test HTTP Strict Transport Security

This is not interesting at all for bug bounty hunters but pentesters should reports this as a best practice. A website should always force the user onto the https version of the website.

So how do we hunt for this?

Hunting for security misconfigurations requires some special conditions because you need to either have a confirmable guess at a certain configuration or have access to how a system works by for example looking at it's source code on github. You will also need to confirm these findings though since an unconfirmed vulnerability isn't really one at all.

We can start by doing some google dorking and looking for conf files or yaml or xml or anything related to configurations.

```xml

filtype:cfg or filetype:yml or filetype:xml or intitle:"Config" or ...

```

Besides google dorking we can do the exact same thing for github where we might have some more luck as usually developers will mask things like passwords by putting them into environment variables but they leave all the other settings in plain sight.

Whenever you come across a configuration file it is up to you to find out exactly what every setting is for and if that setting can be unsafe by simply googling around and even just reading the manuals of the components for which those config files serve.

Security Misconfiguration example

A good eye for detail netted this hacker 300$ by hunting down an API key while doing bug bounties.

https://hackerone.com/reports/1066410

During his attempts we can see he found a file containing a google API key. This API key was used for shortening URLs which would allow an attacker to mask their URLs as a URL of the company. This can lead to all kinds of phishing and scamming attacks. During the attack, it was also noticeable that an open redirect was possible where the url “https://lnk.clario.co/?link=[URLHERE]would accept any URL, as long as it had “clario.co” in it. These are some great examples of security misconfigurations where we have private tokens in a public script and where an open redirect was possible on a different endpoint.

Another great example was found by a user called “yourdarkshadow” who discovers that a header is not set properly leading to a security misconfiguration. https://hackerone.com/reports/12453 This was the Strict-Transport-Security header which protects websites from so called “downgrade” attacks.

How to fix Security Misconfiguration