Overview: Security Misconfiguration

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
3 hours 30 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:00
>> Number 5 of the OWASP Top 10 in 2021
00:00
is security misconfiguration.
00:00
Our learning objectives are to describe
00:00
the changes from OWASP Top 10
00:00
2017-2021 and explain the CWEs
00:00
that make up security misconfiguration.
00:00
I guess we can also make this plural.
00:00
Security misconfigurations,
00:00
there could be more than one.
00:00
What happened between 2017 and 2021?
00:00
This category moved from the number 6 spot up
00:00
one to the number 5 spot in 2021.
00:00
It took that major leap,
00:00
actually just that step.
00:00
I guess you could say one spot
00:00
because of the shift in highly configurable software.
00:00
There's a whole lot more middleware now,
00:00
developers are using middleware.
00:00
There's a whole lot more software out there
00:00
that you can configure in different ways.
00:00
I remember when I was first
00:00
making vulnerable labs and I was trying to
00:00
configure whatever application I was deploying.
00:00
In addition to it being vulnerable,
00:00
being outdated or something like that,
00:00
I also wasn't aware about things like file permissions.
00:00
If I chmod it or
00:00
ch-modded files in a Linux environment to 777,
00:00
I will make it globally readable, writable,
00:00
and executable, which of course
00:00
is really bad if that file
00:00
is sensitive and contains important information,
00:00
configuration information by chmod whole directory 777.
00:00
That can be really bad because anybody can
00:00
read it and write to it.
00:00
Just not knowing about
00:00
the environment that you're deploying
00:00
can be very dangerous.
00:00
Not knowing about the software that you are deploying and
00:00
configuring and a lack of
00:00
knowledge of it can be pretty dangerous.
00:00
Developers really need to know what they're deploying,
00:00
what configuration options there are,
00:00
and if there are possibly,
00:00
potentially dangerous configuration methods
00:00
by default that have been deployed.
00:00
For example, default username and
00:00
password is a big one for admin consoles.
00:00
Developers should know that they need
00:00
to change something like that.
00:00
Another part of this is we have a great course on
00:00
XXE, XML external entities.
00:00
That's now part of this category because
00:00
misconfigurations can
00:00
lead to an XXE exploit attack.
00:00
Also, we went from three CWEs in
00:00
2017 all the way up now to 20 in 2021.
00:00
Quite a jump there, as is with most of these categories,
00:00
a giant jump in CWEs.
00:00
Let's look at the factors here.
00:00
Again, 20 CWEs,
00:00
max incident rate is almost 20 percent.
00:00
The average weighted exploitability is pretty high,
00:00
8.12 so it's very easy to use to exploit,
00:00
and the impact is also somewhat high at 6.56.
00:00
The total occurrences being a little over 208,000 and
00:00
the total CVEs specific to software is 789.
00:00
Not a lot as we've seen in other categories,
00:00
but it looks like the exploitability
00:00
is one of the highest that we've seen thus far.
00:00
I encourage you to go to the OWASP site
00:00
down here that discusses more
00:00
about security misconfigurations and
00:00
why it's in the number 5 spot.
00:00
Let's look at the CWE specifically.
00:00
The ones that are highlighted
00:00
here are the ones from 2017.
00:00
You'll see the seven pernicious kingdoms.
00:00
I encourage you to look up a lot of these CWEs.
00:00
Again, it's impossible to memorize them.
00:00
But you'll see the word misconfiguration here a lot.
00:00
You'll see the word sensitive information,
00:00
cleartext storage of sensitive information.
00:00
We can see that in cookies and configuration settings,
00:00
passwords and configuration files.
00:00
Inclusion of sensitive information in an include file.
00:00
It's being in files,
00:00
but it's also in stack traces.
00:00
An error can tell a whole lot of
00:00
information about the environment that we're in,
00:00
and that is also dangerous as well
00:00
for exposing sensitive information.
00:00
We'll look at the rest of these.
00:00
Again, more sensitive cookies and
00:00
HTTPS without the secure attribute.
00:00
Use of hard-coded, security-relevant constants,
00:00
improper restriction of XML external.
00:00
There's our XXE right there,
00:00
missing custom error pages,
00:00
improper restriction of there's another XML there with
00:00
DTD document type definitions
00:00
and sensitive cookie again,
00:00
without the HttpOnly flag.
00:00
I see this a lot where HttpOnly flags,
00:00
cookies don't have the secure flag or HttpOnly flag,
00:00
it's a common one in pen test world,
00:00
also will see the old category here of
00:00
OWASP Top 10 2017, category A6.
00:00
You've seen a few ASP.NET
00:00
vulnerabilities in the previous slide.
00:00
Here's another misconfiguration,
00:00
improper model validation.
00:00
In summary, we've explained why
00:00
security misconfigurations
00:00
went from number 6 in 2017 up to
00:00
number 5 in 2021 and we've gone over
00:00
the CWEs that make up security misconfiguration.
Up Next
Scenario: Misconfigured Jenkins Servers
10m
Lab: Misconfigured Jenkins Servers
45m