
Misconfiguration Attacks

Security and misconfiguration attacks


What is OWASP?
The Open Web Application Security Project, or OWASP, is an international non-profit
organization dedicated to web application security. One of OWASP’s core principles is
that all of their materials be freely available and easily accessible on their website,
making it possible for anyone to improve their own web application security. The materials
they offer include documentation, tools, videos, and forums. Perhaps their best-known
project is the OWASP Top 10.
Abstract
The security of a web application depends on the configuration of its web server
and application server. According to OWASP, security misconfiguration vulnerabilities
arise from overly informative error messages, unpatched security flaws, configurations
that permit directory listing, misconfigured SSL/TLS certificates and encryption
settings, and other weaknesses in server software. In Netcraft's November 2019 web
server survey, Nginx and Apache ranked as the most popular web servers with shares of
37.47% and 27.44%, respectively. According to the November 2019 W3Techs survey,
WordPress and Joomla were the most popular content management systems, and the most
used server-side programming languages for web applications were PHP, ASP.NET and Java.
Introduction
The exponential growth of web applications has led to an increased attack surface for
organizations. According to the OWASP Top 10 project, security misconfiguration has
been a persistent issue over the years; it ranked number 6 (A6:2017) in the 2017 OWASP
Top 10. Security misconfigurations can happen at any level of an application stack.
Attackers exploit misconfiguration vulnerabilities through unprotected files and
directories, unused web pages, unpatched flaws and unauthorized access to default
accounts. Exploiting a security misconfiguration can lead an attacker to more critical
vulnerabilities and ultimately to the compromise of the application.
Introduction
As application security becomes more sophisticated, refined techniques to prevent data
breaches have been developed, but simple human errors remain an issue. Insecure coding
and developer mistakes can result in security misconfiguration vulnerabilities, and the
reliance on third-party components to build web applications adds further
misconfiguration risk. Attackers exploit configuration weaknesses to learn about an
application and then exploit other critical vulnerabilities, which can pose a severe
risk to organizations; configuration flaws can let an attacker compromise an
application entirely. Poorly maintained or forgotten unused features leave an
application open to attackers, and improper handling of error messages gives attackers
the information they need to discover vulnerabilities.
Introduction
According to Contrast Labs research from October 2019, 36% of web applications are
vulnerable to security misconfigurations; the researchers also found that 72% of .NET
applications have security misconfigurations. In 2018, IBM reported a 424% year-over-year
increase in records exposed through misconfigured servers.

Despite the criticality of security misconfigurations, they have received little
attention in the research field. A lot of research has been done on detecting injection
vulnerabilities in web applications, but the most recent research on security
misconfigurations is limited to particular technologies used in web applications.
Tools
We present a tool that automatically scans web applications to detect security
misconfigurations before deployment. BitScanner uses black-box testing (Dynamic
Application Security Testing, DAST) to detect misconfiguration vulnerabilities in web
applications. The main contributions of this paper are:
• We propose BitScanner, which performs enhanced detection of security
misconfigurations in web applications
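The following is an added example, not code from the BitScanner paper or from OWASP: a minimal black-box scanner in the DAST style the Tools slide describes, probing a running target for the misconfiguration indicators the Abstract lists (directory listing, overly informative error messages, exposed default files, and a version-revealing Server header). The local fixture application it scans, the probed paths and the detection regexes are constructed assumptions for the demo; a real engagement would use a much larger wordlist and confirm each hit by hand.

```python
"""Added example: a minimal black-box (DAST-style) misconfiguration scanner.

The fixture web app below is constructed for the demo and deliberately
misconfigured; the probe paths and regexes are this example's assumptions,
not BitScanner's detection logic.
"""
import http.server
import re
import threading
import urllib.error
import urllib.request

# --- constructed fixture: a deliberately misconfigured local web app --------
FIXTURE_PAGES = {
    "/": "<html><body>Welcome</body></html>",
    # Directory listing left enabled, rendered the way Apache mod_autoindex does it.
    "/uploads/": ('<html><head><title>Index of /uploads</title></head><body>'
                  '<h1>Index of /uploads</h1><a href="report.pdf">report.pdf</a></body></html>'),
    # Default diagnostic page forgotten in production.
    "/phpinfo.php": "<html><head><title>phpinfo()</title></head><body>PHP Version 7.4.3</body></html>",
}

class MisconfiguredHandler(http.server.BaseHTTPRequestHandler):
    server_version = "Apache/2.4.29 (Ubuntu)"  # banner discloses product and version
    sys_version = ""

    def do_GET(self):
        if self.path in FIXTURE_PAGES:
            status, body = 200, FIXTURE_PAGES[self.path].encode()
        else:
            # Overly informative error: a stack trace and a server path reach the client.
            status = 500
            body = (b"<h1>500 Internal Server Error</h1><pre>"
                    b"Traceback (most recent call last):\n"
                    b'  File "/var/www/app/handler.py", line 42, in handle\n'
                    b"KeyError: 'id'</pre>")
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging in the demo
        pass

# --- scanner: the checks a black-box tool runs against the live target ------
LISTING_DIRS = ["/uploads/", "/static/", "/backup/"]
DEFAULT_FILES = ["/phpinfo.php", "/server-status", "/.git/HEAD", "/.env"]
LISTING_RE = re.compile(r"<title>\s*Index of\s*/", re.I)
TRACE_RE = re.compile(r"Traceback \(most recent call last\)|Stack trace:|"
                      r"Fatal error:|at [\w.$]+\(\w+\.java:\d+\)", re.I)
VERSION_RE = re.compile(r"^(Apache|nginx|Microsoft-IIS|LiteSpeed)/\d")

def fetch(url):
    """GET url and return (status, headers, body); 4xx/5xx are data, not errors."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.headers, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read().decode(errors="replace")

def scan(base_url):
    """Return (finding_type, path, detail) tuples for each indicator observed."""
    findings = []
    _, headers, _ = fetch(base_url + "/")
    server = headers.get("Server", "").strip()
    if VERSION_RE.match(server):
        findings.append(("version-disclosure", "/", server))
    for path in LISTING_DIRS:
        status, _, body = fetch(base_url + path)
        if status == 200 and LISTING_RE.search(body):
            findings.append(("directory-listing", path, "autoindex enabled"))
    for path in DEFAULT_FILES:
        status, _, _ = fetch(base_url + path)
        if status == 200:
            findings.append(("default-file", path, "reachable"))
    probe = "/does-not-exist-" + "x" * 8  # a hardened app answers with a generic error page
    status, _, body = fetch(base_url + probe)
    if status >= 500 and TRACE_RE.search(body):
        findings.append(("verbose-error", probe, "stack trace in response"))
    return findings

def start_fixture():
    """Start the misconfigured fixture on a free loopback port; return (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), MisconfiguredHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def run_demo():
    """Scan the fixture and return its findings."""
    srv, base = start_fixture()
    try:
        return scan(base)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for kind, path, detail in run_demo():
        print(f"{kind:<20} {path:<24} {detail}")
```

Against the fixture the scanner reports four findings: the version banner, the listable /uploads/ directory, the reachable /phpinfo.php and the stack trace returned for an unknown path, while the non-existent default files and directories produce nothing. Each check corresponds to one server-side fix (Apache `Options -Indexes` or nginx `autoindex off`, `ServerTokens Prod`, removing diagnostic pages, and disabling detailed error output), which is why a DAST tool can only observe the symptom and the operator must still trace it back to the configuration.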
Web Application Security Testing (AST)
In the 2019 Magic Quadrant for AST, Gartner identifies three main techniques of AST:
• Static Application Security Testing (SAST). SAST is a set of technologies designed
to analyze application source code, byte code and binaries for coding and design
conditions that are indicative of security vulnerabilities, in a non-running state.
• Dynamic Application Security Testing (DAST). DAST technologies are designed to
detect conditions indicative of a security vulnerability in an application in its
running state. DAST tools run against operating code to detect issues with interfaces,
requests, responses, scripting, sessions, data injection and authentication.
• Interactive Application Security Testing (IAST). IAST tools combine static and
dynamic analysis technologies. They use knowledge of application flow and data flow
to create advanced attack scenarios and perform a dynamic scan, which makes them
proficient at reducing the number of false positives.
OWASP Top 10 Web Application Security Risks
Conclusion
Security misconfiguration is one of the OWASP Top 10 critical web application security
risks but has received less attention in the research area. We presented a tool,
BitScanner, to detect security misconfigurations in web applications.
