A5 Security Misconfiguration
Introduction
Security Misconfiguration is a very broad category and overlaps with A6 Sensitive Data Exposure, since a misconfiguration will often result in sensitive data being exposed. It ranges from server misconfiguration to website misconfiguration. Much of this can leak sensitive information and help attackers gather information about the server or the website so that they can plan their attacks. Some misconfigurations make the server itself vulnerable and can allow backdoor access to the website. One example is encryption being misconfigured, resulting in a BEAST vulnerability.
Tools needed:
- BurpSuite
- TestSSLServer.exe
- sslyze.exe
- Any web vulnerability scanner available
Video
BEAST vulnerability
Other possible methods:
Some tips for resolving the vulnerability are to:
- Check whether any downloaded caches contain sensitive information
- Remove all comments before uploading the code online
- Use the best encryption that is available
- Remove/disable default accounts or change the password of the accounts
- Engage the best practices and test the configuration in the links below:
https://www.owasp.org/index.php/Configuration
https://www.owasp.org/index.php/Testing_for_configuration_management
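A configuration-level check for the encryption and information-disclosure points above, as an added example that is not part of the original page. The directive names (`ssl_protocols`, `ssl_ciphers`, `server_tokens`) are real nginx directives; the two sample configurations are constructed, and treating any suite name without GCM/CHACHA20 as non-AEAD is a heuristic assumed by this example.

```python
"""Audit nginx-style server directives for A5 misconfigurations (added example)."""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # BEAST: CBC under SSLv3/TLS 1.0

def parse_directives(config: str) -> dict:
    """Return {directive: value} for simple `name value;` lines, dropping comments."""
    directives = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"^(\w+)\s+(.+?)\s*;$", line)
        if match:
            directives[match.group(1)] = match.group(2)
    return directives

def weak_ciphers(cipher_string: str) -> list:
    """Heuristic: a suite name without GCM/CHACHA20 is not AEAD (CBC or RC4).
    Exclusions (!...), ordering keywords (@...) and alias groups like HIGH are skipped."""
    return [
        tok for tok in cipher_string.split(":")
        if tok and tok[0] not in "!@" and "-" in tok
        and "GCM" not in tok and "CHACHA20" not in tok
    ]

def audit(config: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    d = parse_directives(config)
    findings = []
    legacy = sorted(set(d.get("ssl_protocols", "").split()) & WEAK_PROTOCOLS)
    if legacy:
        findings.append(f"legacy protocols enabled: {' '.join(legacy)}")
    cbc = weak_ciphers(d.get("ssl_ciphers", ""))
    if cbc:
        findings.append(f"non-AEAD cipher suites offered: {', '.join(cbc)}")
    if d.get("server_tokens", "on") != "off":  # nginx default is on
        findings.append("server_tokens not off: server version disclosed in headers")
    return findings

# Constructed sample configurations, not taken from any real server.
WEAK_CONFIG = """
    server_tokens on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!aNULL;
"""
HARDENED_CONFIG = """
    server_tokens off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5;
"""
```

Running `audit(WEAK_CONFIG)` yields three findings (legacy protocols, the CBC suite AES128-SHA, and version disclosure), while `audit(HARDENED_CONFIG)` returns an empty list.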