
OWASP : Security Misconfiguration

This is the fifth in a series of posts on the OWASP Top Ten

Using Google to Hack

So for this post, I'm going to indoctrinate you into a wonderful hacker resource: the Google Hacking Database, or GHDB for short. The GHDB is a database of Google searches that turn up sites and pages an attacker could use to pick out targets. Generally speaking, most of the sites that pop up after running these searches are there as a direct result of Security Misconfiguration.

For example, this entry (inurl:"*.php?*=*.php" intext:"Warning: include" -inurl:.html -site:"" -site:"" -inurl:"*forums*") will find forum sites whose pages contain a PHP error description. The fact that the error occurred is by the by; what interests a would-be attacker is the set of other things that the detail of the error message provides:

  • It tells us the server is running a PHP interpreter.
  • It tells us the location of the file that has caused the fault.
  • It may tell us the name of the application that has been installed.
  • It may tell us detail about the way in which the server directory structure is set out.
  • It may tell us the type of operating system the server is running.
  • It may tell us that the server application is vulnerable to a known flaw.
  • It may also tell us that the system administrator has neglected the site, and is not really watching what happens to the site via either the web or the logs… plenty of time for us to poke about.

That's quite a lot of information that we've been provided by a simple error message.

The only reason this message is being displayed is that a single configuration setting in PHP says to print error messages to the browser. By default this is turned on, because when you first set up a website this type of error can help you debug the webserver configuration. But once the site is running and working, you should really be monitoring runtime errors such as this via the logs, and turn this setting off.

So this is really an example of a lazy system administrator not changing default settings… It also tells us that the administrator of these sites has probably left other settings at their defaults too… more juicy information to exploit!

Lazy Admin

As far as the OWASP Top Ten is concerned Security Misconfiguration covers scenarios such as the following:

  • The web application server configuration permits error messages and stack traces to be printed to the browser. This is bad for the reasons explained above; error messages tell us much more about the system than simply that an error occurred.
  • Example web applications provided with the server software left installed, providing attackers with the ability to leverage known vulnerabilities in those sample applications… which should have been removed.
  • The application web server configuration permits directory listings to be printed to the browser. This allows an attacker to traverse the directory structure of your server, looking for other applications, password files or private keys (one I made myself, just now!). Again, this is an easy fix. Lazy Admin!
  • Most applications have a login page for admins. Leaving this in the default location or exposing it at all makes it considerably easier for an attacker to start trying logins! Again, this is usually quite easy to fix.
  • Not patching your application server, libraries, database server or applications themselves against known vulnerabilities leaves you open to attackers exploiting these vulnerabilities. Doh.
  • Leaving ports, features, services or accounts enabled after they were installed by default or are no longer required, gives attackers another route to compromising your server.
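As an added example (not code from the original post), here is a small Python audit that scans your own site's HTTP response bodies for the two leaks discussed above, the PHP error banner and an auto-generated directory listing, and maps each finding to the php.ini directives and the Apache option that switch them off. The sample bodies are constructed; fetching the responses is assumed to be done by whatever crawler you already run against your own site.

```python
import re
from dataclasses import dataclass

# Constructed sample HTTP response bodies (not captured from any real site).
# "leaky" mirrors PHP's html_errors output; "listing" an auto-generated index page.
SAMPLE_BODIES = {
    "leaky": (
        "<html><body><br />\n<b>Warning</b>:  include(config.php): failed to open stream: "
        "No such file or directory in <b>/var/www/html/shop/cart.php</b> on line <b>12</b><br />\n"
        "</body></html>"
    ),
    "listing": "<html><head><title>Index of /backup</title></head><body><h1>Index of /backup</h1></body></html>",
    "clean": "<html><head><title>Shop</title></head><body>Welcome</body></html>",
}

TAG_RE = re.compile(r"<[^>]+>")
PHP_ERROR_RE = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated):\s*(?P<msg>.*?)"
    r"\s+in\s+(?P<path>\S+)\s+on line\s+(?P<line>\d+)", re.S)
DIR_LISTING_RE = re.compile(r"<title>\s*Index of\s+(?P<dir>/[^<]*?)\s*</title>", re.I)

# Settings each finding points back to (php.ini directives and the Apache autoindex option).
REMEDIATION = {
    "php_error_disclosure": "php.ini: display_errors=Off, log_errors=On",
    "directory_listing": "Apache: Options -Indexes",
}

@dataclass
class Finding:
    kind: str
    detail: dict
    fix: str

def audit_body(body: str) -> list:
    """Return the misconfiguration findings visible in one response body."""
    findings = []
    text = TAG_RE.sub("", body)  # html_errors=On wraps path and line number in <b> tags
    for m in PHP_ERROR_RE.finditer(text):
        path = m.group("path")  # discloses the webroot layout and, by its shape, the OS
        os_hint = "windows" if re.match(r"^[A-Za-z]:\\", path) else "unix"
        findings.append(Finding("php_error_disclosure",
            {"level": m.group("level"), "path": path, "line": int(m.group("line")), "os": os_hint},
            REMEDIATION["php_error_disclosure"]))
    m = DIR_LISTING_RE.search(body)
    if m:
        findings.append(Finding("directory_listing", {"dir": m.group("dir")},
                                REMEDIATION["directory_listing"]))
    return findings

def audit_all(bodies=SAMPLE_BODIES) -> dict:
    return {name: audit_body(b) for name, b in bodies.items()}
```

Run it over the bodies your crawler collects and treat any non-empty result as a ticket for the admin team: the fix string is the configuration change to make.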

I know I've said that this applies to web servers, but so many IP devices (routers, switches and firewalls, for example) also have web interfaces that the same applies to them too. They have default admin accounts which, once you have your device set up and proper credentials distributed, should be removed or have their default passwords changed.

This is the first of the OWASP Top Ten that really targets system administrators rather than developers or architects. It's really easy to get this wrong and leave a nice breadcrumb trail for attackers to abuse, yet frustratingly easy to avoid. "Harden and Patch" should be humming in the blood of every good system administration team.

Ed: Check out this news article from this morning's press on a stunning Security Misconfiguration fail!

Next Time : Sensitive Data Exposure

Join the conversation on Twitter @OWASP   #OWASPtop10   #security #misconfiguration