Broken Access Control is the failure of a system to enforce what an authenticated user is actually allowed to do. It lets a user bypass access controls without proper validation, which can expose admin-level data and lead to several further complications. It holds fifth place in OWASP's top 10 vulnerabilities.
Things that can cause Broken Access Control include:
- Modifying the URL to bypass access control checks, for example with API tools
- Changing a primary key to another user's record, and viewing or editing someone else's account
- Manipulating metadata by tampering with JSON Web Tokens or cookies to gain special privileges
- Abusing JSON Web Tokens that are not properly invalidated
- Misconfiguring Cross-Origin Resource Sharing (CORS), which may allow unauthorized API access
- Force browsing to pages that should require authentication or authorization
- Accessing APIs through HTTP methods such as POST, PUT, or DELETE that are not supposed to be available
Prevention of Broken Access Control
- Do not give target pages meaningful names; instead, reference your objects through a mapping of key-value pairs
- Access to functionality should be denied by default, except for public resources
- Web server directory listing must be disabled
- Metadata files and backup files should not be present in the web root
- JSON Web Tokens should be invalidated on the server once the user has logged out
- Rate-limit API and controller access to minimize the harm from automated attack tooling
- Alert the admins when repeated failures are logged
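The prevention list above can be tied together in a single server-side access layer. The following is an added example written for this article, not code from the original page or from any vendor: it uses opaque random handles instead of guessable record ids, denies by default, checks record ownership on the server, drops session tokens on logout, rate-limits requests per user, and raises an alert after repeated access-control failures. The users, records, thresholds and time values are constructed for the example.

```python
import secrets
import time
from collections import defaultdict

# Constructed sample data for the example (not from the original page).
USERS = {"alice": "user", "bob": "user", "carol": "admin"}   # name -> role
RECORDS = {
    101: {"owner": "alice", "data": "alice's invoice"},
    102: {"owner": "bob", "data": "bob's invoice"},
}
# Opaque, random handles are exposed in URLs instead of the real primary keys,
# so an attacker cannot simply increment an id to reach another user's record.
HANDLES = {secrets.token_urlsafe(8): rid for rid in RECORDS}

def handle_for(record_id):
    """Return the opaque handle that refers to a real record id."""
    return next(h for h, rid in HANDLES.items() if rid == record_id)

ACTIVE_SESSIONS = {}            # token -> user; the entry is removed on logout
REQUESTS = defaultdict(list)    # user -> timestamps of recent requests
FAILURES = defaultdict(list)    # user -> timestamps of denied requests
RATE_WINDOW = 60.0              # seconds (assumed value)
RATE_LIMIT = 5                  # requests per window per user (assumed value)
ALERT_THRESHOLD = 3             # denied requests per window that trigger an alert

def login(user):
    token = secrets.token_urlsafe(16)
    ACTIVE_SESSIONS[token] = user
    return token

def logout(token):
    # Invalidate the token server-side; a logged-out token must never work again.
    ACTIVE_SESSIONS.pop(token, None)

def _recent(events, now):
    """Drop events outside the window (in place) and return how many remain."""
    events[:] = [t for t in events if now - t < RATE_WINDOW]
    return len(events)

def _deny(user, reason, now):
    FAILURES[user].append(now)
    count = _recent(FAILURES[user], now)
    alert = (f"ALERT: {count} access-control failures for {user}"
             if count >= ALERT_THRESHOLD else None)
    return {"ok": False, "reason": reason, "alert": alert}

def read_record(token, handle, now=None):
    """Deny-by-default read of a record; every branch that is not an explicit allow denies."""
    now = time.monotonic() if now is None else now
    user = ACTIVE_SESSIONS.get(token)
    if user is None:
        return {"ok": False, "reason": "no valid session", "alert": None}
    REQUESTS[user].append(now)
    if _recent(REQUESTS[user], now) > RATE_LIMIT:
        return _deny(user, "rate limit exceeded", now)
    record_id = HANDLES.get(handle)
    if record_id is None:
        return _deny(user, "unknown object reference", now)
    record = RECORDS[record_id]
    # Ownership is checked on the server; only admins may read other users' records.
    if record["owner"] != user and USERS[user] != "admin":
        return _deny(user, "not the owner", now)
    return {"ok": True, "data": record["data"], "alert": None}

if __name__ == "__main__":
    alice, bob = login("alice"), login("bob")
    print(read_record(alice, handle_for(101)))   # allowed: alice owns 101
    print(read_record(bob, handle_for(101)))     # denied: bob is not the owner
```

The `now` parameter exists so the rate-limit and alert windows can be exercised deterministically; in a real service the clock call is enough.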
Security Misconfiguration
Security misconfiguration occurs whenever the system fails to meet security framework standards. It may occur at the application server, the application stack, or even the network level. Failing to identify these flaws may sabotage and compromise the entire system. It is listed as the sixth most serious threat in OWASP's top 10 vulnerabilities.
Misconfigurations are generally caused by human error. They usually arise when security settings are not properly defined, or when the application is not maintained and updated from time to time to mitigate new threats.
They are an easy target for attackers, and an easy one to detect.
Once a system is compromised through vulnerabilities caused by a lack of proper security, it may be very difficult to recover it.
What causes security misconfigurations?
- Unpatched systems
- Default/ Out of the box settings
- Unencrypted files
- Old and outdated web servers
- Unsecured web applications
- Web application and cloud misconfiguration
- Insufficient firewall protection
These flaws allow attackers to directly access data, which may lead to system compromise.
Prevention of Security Misconfiguration
- Keep the platform minimal, with only the required features, components, documentation, and samples.
- Uninstall or do not deploy unused features and frameworks.
- Make sure to send the necessary security directives to clients.
- Deploy an automated process to validate the effectiveness of configurations and settings in every environment.
- Schedule an automated task to review and update configurations in line with all security notes, updates, and patches, as part of the patch management process.
- Review cloud storage permissions regularly, especially bucket permissions.
- An application must be architected so that it is well segmented from the design stage, with separation between components or tenants through containerization and cloud security groups.
- Deploy a robust firewall that can identify any kind of security misconfiguration and alert the user.
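One concrete form of the "automated process to validate configurations" item is a small audit script run in every environment. The following is an added example written for this article, not code from the original page or from any vendor: it checks a server configuration for the misconfigurations named above (unpatched version, directory listing, out-of-the-box settings such as default credentials and debug mode, missing client security directives) and scans a web-root listing for backup and metadata files. The configuration dictionary, file list, version baseline and header set are all constructed and assumed for the example.

```python
import re

# Constructed sample inputs (assumed format; not taken from any real server).
SERVER_CONFIG = {
    "server_version": "2.4.10",
    "directory_listing": True,
    "debug": True,
    "admin_password": "admin",
    "response_headers": {"Content-Type": "text/html"},
}
WEBROOT_FILES = ["index.html", "app.js", "config.php.bak", ".git/config", "db.sql.old", ".env"]

MINIMUM_PATCHED_VERSION = "2.4.50"   # assumed patch baseline for the example
DEFAULT_CREDENTIALS = {"", "admin", "password", "changeme"}   # assumed out-of-the-box values
REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options",
                    "Strict-Transport-Security")
# Backup, editor and metadata artefacts that should never sit in the web root.
SENSITIVE_FILE = re.compile(r"\.(bak|old|orig|swp|sql)$|^\.env$|^\.git/")

def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def audit_config(config):
    """Return (severity, message) findings for a server configuration dict."""
    findings = []
    if _version_tuple(config["server_version"]) < _version_tuple(MINIMUM_PATCHED_VERSION):
        findings.append(("HIGH", f"server version {config['server_version']} is unpatched"))
    if config.get("directory_listing"):
        findings.append(("HIGH", "directory listing is enabled"))
    if config.get("debug"):
        findings.append(("MEDIUM", "debug mode is enabled"))
    if config.get("admin_password", "") in DEFAULT_CREDENTIALS:
        findings.append(("HIGH", "admin account uses a default or empty password"))
    headers = config.get("response_headers", {})
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(("LOW", f"missing security header {name}"))
    return findings

def audit_webroot(files):
    """Flag backup and metadata files that are exposed in the web root."""
    return [("HIGH", f"backup or metadata file exposed in web root: {path}")
            for path in files if SENSITIVE_FILE.search(path)]

def run_audit(config=SERVER_CONFIG, files=WEBROOT_FILES):
    """Combine both audits, most severe findings first."""
    order = ("HIGH", "MEDIUM", "LOW")
    findings = audit_config(config) + audit_webroot(files)
    return sorted(findings, key=lambda finding: order.index(finding[0]))

if __name__ == "__main__":
    for severity, message in run_audit():
        print(f"[{severity}] {message}")
```

In practice the checks would read the real configuration format and the actual web-root directory; the value of the pattern is that it runs unattended, in every environment, on every deployment.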
WAF – Web Application Firewall
Security Misconfiguration can be prevented with the help of a web application firewall (WAF). A WAF serves as a filter between the server and the web traffic.
A WAF works from a set of rulesets; the most common ruleset used across WAFs is the OWASP Top 10 ModSecurity ruleset. StrongBox IT's Modshield SB works on the core ModSecurity rulesets, which can block SQL injection attempts as they occur.
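To show what "a filter between the server and the web traffic, driven by a ruleset" means in code, here is an added example written for this article; it is not ModSecurity, not Modshield SB, and not code from the original page. Each rule names a request target (query arguments, path, or HTTP method) and a pattern, and a request is blocked when any rule matches, the way signature-based WAF rules are evaluated. The three rules and the sample requests are constructed for the example; the method rule also illustrates the "unavailable HTTP methods" point from the Broken Access Control section.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed rule set in the spirit of signature-based WAF rules (not ModSecurity syntax).
RULES = [
    {"id": 1001, "msg": "SQL injection pattern in query arguments", "target": "args",
     "pattern": re.compile(r"\bunion\b.+\bselect\b|--\s*$|;\s*drop\b", re.IGNORECASE)},
    {"id": 1002, "msg": "path traversal in URL path", "target": "path",
     "pattern": re.compile(r"\.\./")},
    # Only GET and POST are allowed through; any other method matches the rule.
    {"id": 1003, "msg": "HTTP method not allowed", "target": "method",
     "pattern": re.compile(r"^(?!GET$|POST$).*")},
]

def inspect(request):
    """Return (allowed, matched_rule_ids) for a request dict with 'method' and 'url'."""
    parts = urlsplit(request["url"])
    # parse_qsl already URL-decodes the values; join them so one pattern covers all args.
    args = " ".join(value for _, value in parse_qsl(parts.query, keep_blank_values=True))
    targets = {"args": args, "path": unquote(parts.path), "method": request["method"]}
    matched = [rule["id"] for rule in RULES if rule["pattern"].search(targets[rule["target"]])]
    return (not matched, matched)

def filter_traffic(requests):
    """Apply the ruleset to a batch of requests and return an audit log of decisions."""
    log = []
    for request in requests:
        allowed, matched = inspect(request)
        log.append({"method": request["method"], "url": request["url"],
                    "action": "allow" if allowed else "block", "rules": matched})
    return log

if __name__ == "__main__":
    # Constructed sample traffic: one clean request and three that trip a rule each.
    sample = [
        {"method": "GET", "url": "/search?q=shoes"},
        {"method": "GET", "url": "/search?q=1+union+select+2"},
        {"method": "GET", "url": "/static/../../secret.txt"},
        {"method": "DELETE", "url": "/api/items/1"},
    ]
    for entry in filter_traffic(sample):
        print(entry)
```

Real rulesets are far larger and include anomaly scoring and normalization steps, but the evaluation loop (decode the request, pick the target, match the signature, block and log) is the same shape.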
Get a 14-day free trial.