OWASP API #7: Security Misconfiguration

Santiago Rosenblatt
Published in strike.sh
4 min read · Mar 10, 2021

This section

As a reminder, we started this section almost two months ago. Our main purpose is to share, once a week, one of the top cybersecurity attacks that applications suffer nowadays, and to help by explaining how you can prevent them from happening.

In each story we go through ‘Brief explanation’, ‘Is my API vulnerable?’, ‘Attack scenarios’ and ‘How to prevent?’, so that by the end you have a comprehensive understanding.

If you missed the previous articles, we encourage you to go have a look. We have already covered:

API #7: Security Misconfiguration

Having already covered more than half of the OWASP Top 10, it is time to talk about ‘Security Misconfiguration’. Unfortunately for everyone developing applications, black hat hackers are on the lookout every day.

Attackers have utilities in place that crawl the entire web every day in search of vulnerable targets. Guess who are the first ones these crawlers find? Yes, you were probably right: those who left misconfigured services, with exposed ports and default credentials among other issues.

Given the above, we are going to be straightforward and cover what configurations you definitely need to pay attention to, so that your applications are more secure.

Brief explanation

In a nutshell, Security Misconfiguration occurs when an application has not been properly configured: exposing ports to the Internet that are not needed, having unused services installed, or using default credentials, among other misconfigurations.

Is my API vulnerable?

Your application is indeed vulnerable if:

  • Appropriate security hardening is missing across any part of the application stack, or if it has improperly configured permissions on cloud services.
  • The latest security patches are missing, or the systems are out of date.
  • Unnecessary features are enabled (e.g., HTTP verbs the API does not need).
  • Transport Layer Security (TLS) is missing.
  • Security directives are not sent to clients (e.g., security headers).
  • A Cross-Origin Resource Sharing (CORS) policy is missing or improperly set.
  • Error messages include stack traces, or other sensitive information is exposed.
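Most of the symptoms in that list are visible in a single HTTP response, so they can be checked automatically. The auditor below is an added example (not code from the original article): it takes a captured response and reports plain HTTP, missing security headers, a wildcard CORS origin, unneeded verbs advertised in the Allow header, a stack trace in an error body and a version-disclosing Server header. The two sample responses, the hostnames, the required-header set and the method allowlist are constructed assumptions for this illustration.

```python
"""Audit captured API responses for the misconfiguration symptoms listed above.

Added example, not code from the original article. The two responses below are
constructed samples; the header set, method allowlist and hostnames are
assumptions for this illustration.
"""
import re
from typing import Dict, List

# Headers a hardened JSON API is expected to send (assumption for this example).
REQUIRED_HEADERS = {
    "strict-transport-security",
    "x-content-type-options",
    "content-security-policy",
    "cache-control",
}
# Verbs a read-only endpoint actually needs; anything else is an unnecessary feature.
NEEDED_METHODS = {"GET", "HEAD", "OPTIONS"}
# Fragments that typically mark a leaked stack trace in an error body.
TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)|\bat [\w$.]+\(\w+\.java:\d+\)|Stack trace:",
    re.IGNORECASE,
)


def audit_response(url: str, status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Return the findings for one response; an empty list means no symptom was found."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if not url.lower().startswith("https://"):
        findings.append("TLS: endpoint served over plain HTTP")

    for name in sorted(REQUIRED_HEADERS - set(h)):
        findings.append(f"HEADER: missing {name}")

    origin = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower()
    if origin == "*" and creds == "true":
        findings.append("CORS: wildcard origin combined with credentials")
    elif origin == "*":
        findings.append("CORS: wildcard origin; confirm the API is meant to be public")

    if "allow" in h:
        advertised = {m.strip().upper() for m in h["allow"].split(",")}
        extra = sorted(advertised - NEEDED_METHODS)
        if extra:
            findings.append("METHODS: unnecessary verbs enabled: " + ", ".join(extra))

    if status >= 400 and TRACE_RE.search(body):
        findings.append("ERRORS: error body contains a stack trace")

    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"BANNER: Server header discloses a version ({server})")

    return findings


# Constructed samples: a leaky response and a hardened one for the same endpoint.
SAMPLES = {
    "leaky": dict(
        url="http://api.example.internal/users/42",
        status=500,
        headers={
            "Server": "Apache/2.4.29",
            "Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Credentials": "true",
            "Allow": "GET, POST, PUT, DELETE, TRACE",
        },
        body='Traceback (most recent call last):\n  File "/srv/api/app.py", line 88, in get_user\n',
    ),
    "hardened": dict(
        url="https://api.example.internal/users/42",
        status=404,
        headers={
            "Server": "nginx",
            "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'",
            "Cache-Control": "no-store",
            "Access-Control-Allow-Origin": "https://app.example.internal",
            "Allow": "GET, HEAD, OPTIONS",
        },
        body='{"error": "not found", "ref": "c0ffee0123ab"}',
    ),
}


def audit_samples() -> Dict[str, List[str]]:
    """Run the auditor over both constructed samples."""
    return {name: audit_response(**resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Feed it the responses your own test suite already captures (for example the body and headers of a deliberately failing request) and fail the run when the leaky-style findings appear; the required-header set is the part most teams will want to adapt to their own hardening baseline.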

Example attack scenario

To target a specific service, an attacker uses a popular search engine (shodan.io for example) to search for computers directly accessible from the Internet.

The attacker finds a BI host from an enterprise which is running a popular database management system, listening on the default port. The host is using the default credentials and the attacker is then able to get access to millions of records with PII, personal preferences, authentication data and addresses.

I know it seems simple, but it happens a lot more often than you think. As an exercise, go to shodan.io and search for any type of service you want. Just to give you an idea, if you search for “Industrial Control Systems”, you will find many that should actually be on a private network.

How to prevent?

  • Establish a repeatable hardening and patching process.
  • Automate locating configuration flaws.
  • Disable unnecessary features.
  • Define and enforce controls on all outputs, including errors.
  • Never use default credentials.
  • Only expose used ports.
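Three of those controls (disable unnecessary features, control all outputs including errors, avoid a permissive CORS policy) can be enforced at one chokepoint in the application itself. The following is an added example, not the article's or any framework's code: a small request dispatcher that rejects verbs the endpoint does not need, echoes only allowlisted origins, sends the security directives on every response and turns any exception into a generic error plus a reference id, logging the full detail server-side. The origin, the endpoint, the user table and the connection string are constructed for the illustration.

```python
"""Hardened response construction for a JSON API: method allowlist, CORS
allowlist and controlled error output. Added example, not the article's code;
the origin, endpoint, user table and connection string are constructed.
"""
import json
import logging
import traceback
import uuid
from typing import Any, Callable, Dict, Tuple

log = logging.getLogger("api")

ALLOWED_ORIGINS = {"https://app.example.internal"}  # assumed front-end origin
ALLOWED_METHODS = {"GET", "HEAD", "OPTIONS"}         # the only verbs this endpoint needs

# Constructed data; the connection string stands in for any internal detail a
# stack trace would otherwise leak to the client.
USERS = {"42": {"id": "42", "name": "Ada"}}
DB_URL = "postgres://svc:REDACTED-EXAMPLE@db.internal/app"


def security_headers() -> Dict[str, str]:
    """Directives every response carries, regardless of outcome."""
    return {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
        "Cache-Control": "no-store",
        "Content-Type": "application/json",
    }


def cors_headers(origin: str) -> Dict[str, str]:
    """Echo the Origin only when it is on the allowlist; never use a wildcard."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Vary": "Origin",  # keep caches from serving one origin's answer to another
            "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        }
    return {}


def error_body(exc: BaseException, debug: bool = False) -> Dict[str, Any]:
    """Log the full exception server-side; the client gets a generic message and a reference id."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s %s", ref, detail)
    body: Dict[str, Any] = {"error": "internal error", "ref": ref}
    if debug:  # local development only; never enabled in deployed configuration
        body["detail"] = repr(exc)
    return body


def get_user(path: str) -> Dict[str, Any]:
    """Constructed handler: looks up /users/<id> in the in-memory table."""
    user_id = path.rsplit("/", 1)[-1]
    if user_id not in USERS:
        # Simulates a low-level failure whose message carries an internal detail.
        raise RuntimeError(f"lookup failed for {user_id} via {DB_URL}")
    return USERS[user_id]


def handle(method: str, path: str, origin: str, handler: Callable[[str], Dict[str, Any]],
           debug: bool = False) -> Tuple[int, Dict[str, str], str]:
    """Dispatch one request and always return (status, headers, json body)."""
    headers = {**security_headers(), **cors_headers(origin)}
    if method not in ALLOWED_METHODS:
        headers["Allow"] = ", ".join(sorted(ALLOWED_METHODS))
        return 405, headers, json.dumps({"error": "method not allowed"})
    try:
        return 200, headers, json.dumps(handler(path))
    except Exception as exc:  # catch-all so no framework trace ever reaches the client
        return 500, headers, json.dumps(error_body(exc, debug=debug))


if __name__ == "__main__":
    for req in [("GET", "/users/42", "https://app.example.internal"),
                ("DELETE", "/users/42", "https://app.example.internal"),
                ("GET", "/users/999", "https://evil.example")]:
        status, hdrs, body = handle(*req, get_user)
        print(req[0], req[1], "->", status, body,
              "| CORS:", hdrs.get("Access-Control-Allow-Origin"))
```

The reference id is the piece that makes the generic message workable in practice: support staff can find the full trace in the server log by `ref` without the client ever seeing it, and the `debug` switch that would expose it is a code-level default of `False` rather than something read from an environment that might be left over from a test deployment.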

Conclusion

Although this topic was short, I want to emphasize its importance. In my experience, both hacking for almost two decades and protecting big enterprises, I have come across this issue a lot more often than I would like.

Having a good security culture can save you from thousands to millions of dollars. Remember that a single flaw in your system can let an attacker in, so please don’t use default credentials.

Take your time to create a culture and a workflow in which security measures are set up automatically. Some ways to achieve this are to automate checks in your CI/CD pipeline, to use your own hardened AMIs in the cloud, and to deploy your infrastructure automatically using Terraform configurations that already have your security checks in place.
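What "automate checks in your CI/CD" can look like for the configuration side, as an added example that is not the article's or any project's code: a lint step that reads a service's deployment settings and fails the build on the misconfigurations this post warns about (default or empty credentials, debug mode, transport encryption off, ports outside an allowlist, an admin interface bound to a non-loopback address). The `KEY=VALUE` format, the key names, the port allowlist and the two sample configs are constructed assumptions; the set of default secrets is a small illustrative list, not a complete one.

```python
"""CI-style configuration lint for the misconfigurations the post warns about.

Added example, not the article's or any project's code. The KEY=VALUE format,
key names, port allowlist and the two sample configs are constructed.
"""
import sys
from typing import Dict, List

# Values that ship as defaults in many products; a deployment must never keep them.
DEFAULT_SECRETS = {"admin", "password", "changeme", "root", "secret", "default", ""}
# Ports a public-facing API host is allowed to expose (assumption: TLS only).
ALLOWED_PORTS = {443}
TRUE_VALUES = {"1", "true", "yes"}


def parse_config(text: str) -> Dict[str, str]:
    """Parse simple KEY=VALUE lines, ignoring blanks and # comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().upper()] = value.strip()
    return cfg


def lint_config(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per misconfiguration; an empty list passes the gate."""
    findings: List[str] = []
    for key, value in cfg.items():
        if key.endswith(("_PASSWORD", "_SECRET", "_TOKEN")) and value.lower() in DEFAULT_SECRETS:
            findings.append(f"{key}: default or empty credential")
    if cfg.get("DEBUG", "false").lower() in TRUE_VALUES:
        findings.append("DEBUG: enabled; error output will include internals")
    if cfg.get("TLS_ENABLED", "false").lower() not in TRUE_VALUES:
        findings.append("TLS_ENABLED: transport encryption is off")
    ports = {int(p) for p in cfg.get("EXPOSED_PORTS", "").split(",") if p.strip().isdigit()}
    for port in sorted(ports - ALLOWED_PORTS):
        findings.append(f"EXPOSED_PORTS: {port} is not in the allowlist")
    if cfg.get("ADMIN_BIND", "127.0.0.1") not in {"127.0.0.1", "::1"}:
        findings.append("ADMIN_BIND: admin interface listens on a non-loopback address")
    return findings


def exit_code(text: str) -> int:
    """Exit status for the pipeline step: non-zero blocks the deploy."""
    return 1 if lint_config(parse_config(text)) else 0


# Constructed sample: what a fresh install often looks like before hardening.
BAD_CONFIG = """
DEBUG=true
TLS_ENABLED=false
DB_PASSWORD=admin
API_TOKEN=
EXPOSED_PORTS=80,443,5432,8080
ADMIN_BIND=0.0.0.0
"""

# Constructed sample: secrets injected from a vault at deploy time, nothing extra exposed.
GOOD_CONFIG = """
DEBUG=false
TLS_ENABLED=true
DB_PASSWORD=${DB_PASSWORD_FROM_VAULT}
API_TOKEN=${API_TOKEN_FROM_VAULT}
EXPOSED_PORTS=443
ADMIN_BIND=127.0.0.1
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:  # lint a real file when one is given on the command line
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        for finding in lint_config(parse_config(text)):
            print("FAIL:", finding)
        sys.exit(exit_code(text))
    for name, text in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        findings = lint_config(parse_config(text))
        print(f"{name}: exit {exit_code(text)}, {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it as a pipeline step with the rendered config as its argument (`python lint_config.py deploy.env`); a non-zero exit stops the deploy before a default password or an open database port ever reaches an Internet-facing host, which is exactly the situation the Shodan scenario above relies on.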

Thank you for taking the time to read this week’s story on the OWASP API Top 10. As usual, if you have any doubts or need any help, anyone at Strike will be happy to help you. You can reach out to me here or on LinkedIn!

If you want to see daily news, tips and funny memes (yes, we are into that too :D), be sure to give us a follow there too.

Cheers from Strike :)
