Let's Learn: OWASP Top 10 - Security Misconfiguration

I've known of the OWASP Top 10 for a while, but I can't say I've ever become deeply knowledgeable of the inner workings of each. I've always understood them on a surface level that's maybe deep enough to pass your Sec+ or some other multiple-choice exam (not a knock on multiple choice, I just need to gain a deeper understanding than what many of those can offer). So for now, I'm going to begin by learning a good deal about each. I Googled "Random Number Generator" and got six. Number six is "Security Misconfiguration" according to the 2017 Top 10. This means I will spend some time studying up on this and building my knowledge around it.

Link: A6:2017 - Security Misconfiguration

Vectors of attack

  • Unpatched vulns
  • Default accounts
  • Unused pages
  • Unprotected files and directories

According to OWASP, these can "happen at any level of the application stack." This includes network services, platform, web server, application server, database, frameworks, custom code and preinstalled virtual machines, containers or storage. Wow. That's a mouthful.

OWASP lists some potential impacts such as a complete system compromise.

These seem to often be the types of vulnerabilities that HTB and Proving Grounds revolve around: access to the underlying file system, the ability to execute remote commands – those kinds of things.

Many of the machines I've run into in labs such as HTB rely on this kind of thing. For instance, finding a default login/password combination for a web application and having the ability to upload arbitrary files (default accounts, as listed above).

Unpatched vulns are another big one I find in Hack The Box (and other) labs. For instance, you will run into a box running X software version 15.0, and discover that it's vulnerable to remote code execution, and so on.

The reality is that it seems to be a pretty broad category, because, as I'm interpreting the reading, a security misconfiguration can be almost any sort of misconfig.

There are certain frameworks OWASP points to that are intended to help users harden servers. It goes over general stuff, such as removing services, applications, etc. and testing the server's underlying OS. You can check that out here.
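To make the vectors listed above and the hardening advice a bit more concrete, here's a small audit script I've added as an example (it is not from the OWASP page or any of the linked guides, and it isn't the tooling those frameworks describe). It scans an Apache-style config snippet and an htpasswd-style file for three of the misconfiguration vectors: directory listing on an unprotected directory, version disclosure via server banners, and default account names. The sample config, the htpasswd contents and the list of "default" account names are all constructed for the example.

```python
"""Added example: a tiny misconfiguration audit for an Apache-style config.

Everything below (the config text, the htpasswd lines, the default-account
list and the finding rules) is constructed for illustration; it is not the
page's or OWASP's own tooling.
"""
import re

# Constructed sample config with several weak settings mixed in.
SAMPLE_CONFIG = """
ServerTokens Full
ServerSignature On
<Directory "/var/www/html/uploads">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/admin">
    Options -Indexes
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
"""

# Constructed htpasswd-style file; the hashes are placeholders, not real ones.
SAMPLE_HTPASSWD = """
admin:$apr1$PLACEHOLDER$hashgoeshere
deploy:$apr1$PLACEHOLDER$anotherhash
"""

# Hypothetical list of account names a hardening checklist would flag.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "test", "guest"}

DIRECTORY_BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S)


def find_directory_listing(config: str) -> list:
    """Return paths of <Directory> blocks that enable directory listing."""
    findings = []
    for match in DIRECTORY_BLOCK.finditer(config):
        path, body = match.group(1), match.group(2)
        for options in re.findall(r"^\s*Options\s+(.+)$", body, re.M):
            tokens = options.split()
            # "Indexes" or "+Indexes" turns listing on; "-Indexes" turns it off.
            if "Indexes" in tokens or "+Indexes" in tokens:
                findings.append(path)
    return findings


def find_version_disclosure(config: str) -> list:
    """Return directives that leak server version details in responses."""
    findings = []
    for value in re.findall(r"^\s*ServerTokens\s+(\S+)", config, re.M):
        # Only "Prod" limits the banner to the product name.
        if value.lower() != "prod":
            findings.append(f"ServerTokens {value}")
    if re.search(r"^\s*ServerSignature\s+On\b", config, re.M | re.I):
        findings.append("ServerSignature On")
    return findings


def find_default_accounts(htpasswd: str) -> list:
    """Return usernames from an htpasswd-style file that match the default list."""
    findings = []
    for line in htpasswd.splitlines():
        if ":" not in line:
            continue  # skip blank lines and comments
        user = line.split(":", 1)[0].strip()
        if user.lower() in DEFAULT_ACCOUNTS:
            findings.append(user)
    return findings


def run_audit(config: str, htpasswd: str) -> dict:
    """Collect all findings keyed by the vector they belong to."""
    return {
        "directory_listing": find_directory_listing(config),
        "version_disclosure": find_version_disclosure(config),
        "default_accounts": find_default_accounts(htpasswd),
    }


if __name__ == "__main__":
    for vector, hits in run_audit(SAMPLE_CONFIG, SAMPLE_HTPASSWD).items():
        print(f"{vector}: {hits or 'none'}")
```

Run it as-is and it flags the uploads directory (listing enabled, no auth), the two banner directives and the `admin` account, while the `/admin` block passes because listing is off and Basic auth is required. The point isn't the regexes; it's that every one of these findings is a one-line config change on the hardening side.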

OWASP itself hosts the Application Security Verification Standard. That's found here. These kinds of things are cool reading, because they give you an idea of what to look for. OWASP also provides a web pentesting standard. I linked to that, and a few other free guides, in one of my older blog posts.

Check those out here.