A6 2017 – Security Misconfiguration

Security misconfiguration is a blanket term for a broad specter of vulnerabilities. We won’t look at specific examples today. I want to draw some scenarios that you might find interesting, so you can avoid them.

Imagine that you have military grade secure web application that runs on server with iLo published to the internet, and as if it isn’t enough it has default login and password. So what? You might not know default password for stuff you’ve never seen. Don’t worry, we’ve got you covered:


Ok, here’s another example. Let’s imagine that we have a bulletproof web application, tested back and forth and you run it on server that hasn’t been patched for a decade. What’s going to happen? You can easily detect what platform web page is running on. You can use wappalyzer plugin for your browser to get similar result: a6-1

Or you can use whatweb tool to discover even more:

and then go to some exploit database and find its vulnerabilities.

Here’s another trick. Most sites nowadays use an encryption. Great, security for the win! But not every encryption is equally good. There are a lot of technologies and algorithms to encrypt a transmission between a user and a web site but most of them are not safe by today’s standards.  Older SSL are vulnerable to heartbleed, poodle, beast and other kind of attacks. Encryption algorithms become outdated, nobody in a sane mind would use RC2 or DES to encrypt anything today. And you can easily check if encryption is in good health with tools like sslyze or tlssed.  It looks like this:


These examples are in fact take place in early stages of a typical penetration testing during information gathering phase. Pentester tries to identify promising attack vectors to find security misconfiguration and exploit it. And beware that most of these flaws are easily detected automatically with appropriate tools.

The rule of thumb here is to get rid of anything what isn’t in use and what is left has to be hardened.

Debugging must be turned off, default accounts must be disabled, unnecessary services must be shut down.

Keep in mind that hardening is not a single action, it’s a process. You have to review configuration on regular basis and improve it. To get started with hardening check best practices guide from your software vendor.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: