2023 OWASP API Security Top 10 Best Practices
After four long years since the original…
Security misconfiguration covers a wide range of different attacks, and the outcome can range from a user receiving an error page with too much detail to an attacker being able to execute code. While there are many different flaws under this label, we’ll cover some of the more critical impacts. When developing any piece of software it’s important to fully understand the security features available, and to ensure that new security features are enabled and implemented as they become available. Keeping software up to date is a great way to prevent some of these flaws, but it’s very important that you do not intentionally disable security features in the hope of an easier implementation!
Now one of the most popular social networking websites, Suzy’s Social keeps Suzy very busy! Her bustling and active user base has even allowed her to hire developers. But her rush to market has meant that some parts of her code are not as well designed as they could be. She promises herself she will eventually rewrite this code, but she hasn’t yet. One of the things Suzy’s Social has been known for is producing very descriptive error pages, complete with a full stack trace. This has been helpful for Suzy so far, because she has been able to track down bugs easily once the page is shown to her. It has also been helpful to Adam, our attacker, who has been using these messages to find out what software stack she’s using, exact version numbers, and vulnerabilities. Suzy’s team do not like to disturb the older, legacy code, and tend to avoid updating it for fear it will take down the website again. This is great for Adam, who can use any new vulnerability in that same tech stack against Suzy’s Social, and the payloads are often available on GitHub or in the slides of a security researcher’s latest talk. Recently he even found a full remote code execution and was able to take a copy of the entire source code! All from some code uploaded to Pastebin: after noting the micro framework Suzy’s Social was employing, it turned out that a slightly out-of-date logging dependency was easily exploited with a simple one-line command.
In this example, Suzy’s use of the “debug” mode on her framework enabled the attacker, Adam, to craft a targeted attack by examining her code and dependencies. While this issue alone is not a critical bug, the information it leaked allowed Adam to try a more severe vulnerability in a dependency. Despite knowing this was insecure, Suzy’s team chose to ignore the security configuration advice because it enabled an easier workflow. Had they resolved this and hidden the error messages, they could have noticed Adam’s attack sooner, as he would have had to try many more payloads, endpoints and general experiments.
To prevent these flaws, always be aware of the security advice for the software packages, dependencies and tools you use, and do not intentionally switch their security features off. By creating a full API inventory you can monitor each API against best practices, ensuring robust application security.
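The following is an added example, not code from the original post or from any particular framework: it models the misconfiguration in Suzy’s story as a single error handler with a debug switch, and pairs it with a check that flags responses leaking stack frames or version banners. The framework banner, the `render_error` and `leaks_internals` functions and the failing endpoint are all constructed for illustration.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("api")

# Constructed stand-in for the server/dependency banner a verbose error page
# would reveal; real frameworks expose their own names and versions here.
FRAMEWORK_BANNER = "ExampleMicroFramework/1.2.3 (logging-lib 0.9.1)"  # hypothetical


def render_error(exc: BaseException, debug: bool) -> tuple[int, dict]:
    """Build the HTTP error response for an unhandled exception.

    debug=True reproduces the misconfiguration from the story: the full
    stack trace and the dependency banner go straight to the client.
    debug=False is the hardened behaviour: the trace is logged server-side
    under a correlation id, and the client only ever sees that id.
    """
    error_id = uuid.uuid4().hex
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("error_id=%s\n%s", error_id, trace)  # full detail stays on the server
    if debug:
        return 500, {"error": str(exc), "trace": trace, "server": FRAMEWORK_BANNER}
    return 500, {"error": "Internal server error", "error_id": error_id}


# Markers that indicate a response body is leaking implementation detail.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),   # Python stack trace header
    re.compile(r'File "[^"]+", line \d+'),                 # individual stack frames
    re.compile(r"\b[\w.-]+/\d+\.\d+(?:\.\d+)?\b"),        # name/1.2.3 version banners
]


def leaks_internals(body: dict) -> list[str]:
    """Return the leak patterns matched by a response body's string fields.

    Suitable as a unit test or a gateway response filter: an empty list means
    no stack frames or version banners are exposed to the caller.
    """
    text = "\n".join(str(v) for v in body.values())
    return [p.pattern for p in LEAK_PATTERNS if p.search(text)]


def handle_request(debug: bool) -> tuple[int, dict]:
    """Simulate a legacy endpoint that raises on a missing field."""
    try:
        user = {"id": 7}                     # constructed record with no "name"
        return 200, {"name": user["name"]}   # KeyError from the legacy code path
    except Exception as exc:
        return render_error(exc, debug)
```

Running `handle_request(debug=True)` yields a body that `leaks_internals` flags on all three patterns, while the hardened response carries only a generic message and an opaque `error_id` the team can grep for in their own logs.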