| Tiago Coimbra

9. Security Misconfiguration

[Image: digital artwork of a green, cybernetic Anubis head on a black background]

Security Misconfiguration

Category: #Configuration-Based-Attack

Attack: A security misconfiguration is any setting that leaves a system weaker than the platform allows: default credentials still enabled, unnecessary services or features running, directory listing or verbose error pages exposed, overly permissive permissions, or outdated software left unpatched. Unlike an injection flaw, nothing has to be exploited in the code; the attacker simply uses what the configuration already hands out.

Attack Example:

  • Default Credentials: Using the default username/password combinations like admin/admin for web applications.
  • Exposed Admin Panels: Leaving sensitive administrative panels exposed without proper authentication.

Vulnerable Configuration Example (Apache):

# Default configuration with directory listing enabled and no security headers
Options Indexes FollowSymLinks
AllowOverride None

With Indexes enabled, every directory that has no index file is browsable, so the attacker can enumerate backups, configuration files and upload folders directly. The fragment also sets no security response headers such as X-Frame-Options and leaves TRACE at its default (enabled). Note that AllowOverride None is not itself the weakness: it is the safer choice, because it stops .htaccess files from overriding server settings.

Remediation Steps:

  • Harden Server Configurations: Disable directory listing, restrict HTTP methods (at least disable TRACE), and set security response headers.
  • Patch Management: Regularly update the server software, modules and libraries so known vulnerabilities are patched.
  • Disable Default Accounts: Remove or disable default and sample accounts, and change any vendor-supplied password before the system goes live.
  • Automated Scanning Tools: Check the configuration against a published baseline (for example the CIS Benchmarks) with tools such as CIS-CAT, OpenSCAP or Lynis, and repeat the check after every change.

Safe Configuration (Hardened Apache Configuration):

# Secure configuration for Apache (comments must sit on their own line;
# httpd rejects a '#' placed after a directive)
Options -Indexes
TraceEnable off
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    # Browsers have removed the XSS auditor; OWASP recommends 0 (off) plus a CSP
    Header always set X-XSS-Protection "0"
</IfModule>

Options -Indexes disables directory listing, TraceEnable off disables the TRACE method (httpd's default is on), and the always keyword makes the headers appear on error responses as well as on successful ones. The Header directive needs mod_headers, which is why it sits inside an IfModule guard. Run apachectl configtest before reloading so a syntax error does not take the server down.
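To make the checks in the remediation list mechanical, here is an added example (not part of the original page, and not one of the tools it lists) of a small Python auditor that parses Apache configuration text and reports the weaknesses shown in the two fragments above: directory listing, TRACE left at its default, missing or weak security headers, and the trailing-comment syntax that httpd rejects. The sample configurations embedded in it are constructed to mirror the page's fragments; the set of accepted header values and the X-XSS-Protection rule are assumptions based on OWASP's response-header guidance.

```python
"""Static audit of Apache httpd configuration text for the misconfigurations
covered on this page: directory listing, the TRACE method, and missing or
weak security response headers. Added example, not the page's own code."""
from itertools import takewhile
import shlex

# Header values the audit accepts as hardened (assumption; anything else is reported).
REQUIRED_HEADERS = {
    "X-Content-Type-Options": {"NOSNIFF"},
    "X-Frame-Options": {"DENY", "SAMEORIGIN"},
}


def parse_directives(config_text):
    """Split config text into (line_no, directive, args) triples, dropping only
    full-line comments: httpd does not accept a comment after a directive, so
    a '#' following one stays in args for the audit to report."""
    parsed = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens and not tokens[0].startswith("<"):  # skip <Directory>, <IfModule>, ...
            parsed.append((line_no, tokens[0], tokens[1:]))
    return parsed


def audit_apache_config(config_text):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    listing = "default"   # httpd's default is 'Options All', which includes Indexes
    trace_enable = "on"   # httpd's default when TraceEnable is absent
    headers = {}          # lower-cased header name -> (value, set with 'always')

    for line_no, directive, args in parse_directives(config_text):
        if any(tok.startswith("#") for tok in args):
            findings.append(f"line {line_no}: '#' after '{directive}' is not a comment; "
                            "httpd rejects it at startup (comments go on their own line)")
            args = list(takewhile(lambda tok: not tok.startswith("#"), args))
        name = directive.lower()
        if name == "options":
            if any(opt in ("Indexes", "+Indexes", "All") for opt in args):
                listing = "on"
                findings.append(f"line {line_no}: directory listing enabled by "
                                f"'Options {' '.join(args)}'")
            elif "-Indexes" in args or not any(opt[:1] in ("+", "-") for opt in args):
                listing = "off"   # '-Indexes', or an absolute list that omits Indexes
        elif name == "traceenable" and args:
            trace_enable = args[0].lower()
        elif name == "header" and args:
            always = args[0].lower() == "always"
            rest = args[1:] if args[0].lower() in ("always", "onsuccess") else args
            if len(rest) >= 3 and rest[0].lower() in ("set", "add", "append", "merge"):
                headers[rest[1].lower()] = (rest[2], always)

    if listing == "default":
        findings.append("directory listing not disabled: httpd's default 'Options All' applies")
    if trace_enable != "off":
        findings.append(f"TRACE method enabled (TraceEnable {trace_enable})")
    for header, accepted in REQUIRED_HEADERS.items():
        entry = headers.get(header.lower())
        if entry is None:
            findings.append(f"missing response header {header}")
            continue
        value, always = entry
        if value.upper() not in accepted:
            findings.append(f"{header} has unexpected value '{value}'")
        if not always:
            findings.append(f"{header} set without 'always', so 4xx/5xx responses lack it")
    xss = headers.get("x-xss-protection")
    if xss and xss[0].strip() != "0":
        findings.append(f"X-XSS-Protection '{xss[0]}' enables a filter modern browsers "
                        "removed; set it to 0 (or omit it) and use Content-Security-Policy")
    return findings


# Constructed samples mirroring the vulnerable and hardened fragments on this page.
VULNERABLE_CONF = """\
# Default configuration with directory listing enabled and no security headers
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""
HARDENED_CONF = """\
Options -Indexes
TraceEnable off
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "0"
</IfModule>
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]", audit_apache_config(conf))
```

Two points the auditor makes that the fragments alone do not: a configuration that never mentions Indexes is still listing directories, because httpd's default is Options All, so "not enabling" it is not the same as disabling it; and a header set without always is silently absent from error responses, which is exactly where framing and content-sniffing tricks tend to be attempted. The parser deliberately ignores section scoping, so a real deployment would still want one of the benchmark tools from the remediation list for a full review.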

Reference: OWASP Top 10 A05:2021 Security Misconfiguration, https://owasp.org/Top10/A05_2021-Security_Misconfiguration/