A5 Security Misconfiguration

Owned by Former user (Deleted)
Last updated: Feb 02, 2018 by Former user (Deleted)
2 min read

A5 Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

The primary recommendations are to establish all of the following:

  1. A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically (with different passwords used in each environment). This process should be automated to minimize the effort required to setup a new secure environment.
  2. A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. This needs to include all code libraries as well (see new A9).
  3. A strong application architecture that provides effective, secure separation between components.
  4. Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.

A5.1 Directory Transversal

This vulnerability exists when an application accepts direct object reference to a specific filename as an input parameter and then servers that file to the user. A malicious attacker can then traverse through arbitrary directories on the server to view files which would not normally be accessible, including sensitive files such as /etc/password.

A5.1.1 Preventing Directory Transversal

Implement ESAPI.validator:ESAPI.validator().isValidFileName(“context”, filename, false)

Learn More:

OWASP Development Guide: Chapter on Configuration

OWASP Code Review Guide: Chapter on Error Handling

http://www.owasp.org/index.php/Error_HandlingOWASP Testing Guide: Configuration Management

OWASP Testing Guide: Testing for Error Codes

OWASP Top 10 2004 – Insecure Configuration Management

http://www.owasp.org/index.php/A10_2004_Insecure_Configuration_ManagementPC Magazine Article on Web Server Hardening

CWE Entry 2 on Environmental Security Flaws

CIS Security Configuration Guides/Benchmarks