
Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Application Misconfiguration"


Revision as of 02:03, 6 June 2013


Application Misconfiguration

Root Cause Summary

Software applications are very complex; to ease installation and configuration, many software packages come preconfigured with vulnerabilities right out of the box. Application misconfigurations are not coding issues but options and/or features of the application that can be easily exploited, such as:

  • Special access mechanisms,
  • Default usernames and passwords,
  • Default configuration file settings, and
  • Security settings at the lowest possible level

These ease-of-use configurations and settings must be corrected to prevent exploitation of the application and system through these “defaults”.

Browser / Standards Solution

None

Perimeter Solution

Understand the application and its interfacing systems well enough that every application permission, configurable component and file is reviewed, modified and granted least privilege for the specific platform and technology stack, hardening the system.
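A concrete way to act on this guidance is to audit a deployment's configuration against the four classes of insecure default the page lists (special access mechanisms, default credentials, default file settings, security settings at their lowest level) and compare it with a least-privilege version. The script below is an added example, not code from OWASP or WASC: the INI layout, the section and key names, the "shipped" values and the list of well-known credential pairs are all constructed for illustration and describe no real product.

```python
"""Audit an application's configuration for insecure ease-of-use defaults.

Added example for this page; not OWASP's or WASC's code. The INI format,
section and key names, and every value below are constructed.
"""
import configparser
from dataclasses import dataclass

TRUTHY = {"true", "on", "1", "yes"}

# Constructed: how a hypothetical product might ship out of the box, with
# one instance of each misconfiguration class named on the page.
SHIPPED_DEFAULT_CONFIG = """
[admin]
enabled = true
username = admin
password = admin
bind_address = 0.0.0.0

[server]
debug = true
directory_listing = on

[auth]
session_timeout_minutes = 0
password_min_length = 4
"""

# Constructed: the same file after least-privilege hardening; the admin
# password is supplied from the environment instead of stored in the file.
HARDENED_CONFIG = """
[admin]
enabled = false
username = ops-acct-8831
password = ${ADMIN_PASSWORD}
bind_address = 127.0.0.1

[server]
debug = false
directory_listing = off

[auth]
session_timeout_minutes = 15
password_min_length = 12
"""

# Constructed list of placeholder credential pairs commonly shipped by vendors.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("guest", "guest"),
}


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    value: str
    reason: str


def audit_config(text: str) -> list[Finding]:
    """Return one Finding per insecure default present in the config text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)

    def get(section: str, key: str, default: str = "") -> str:
        # Normalise so "True", "ON" and "1" compare the same way
        return cfg.get(section, key, fallback=default).strip().lower()

    findings: list[Finding] = []

    # Default usernames and passwords
    user, password = get("admin", "username"), get("admin", "password")
    if (user, password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append(Finding("admin", "password", password, "well-known default credential pair"))

    # Special access mechanism: admin interface reachable on every interface
    if get("admin", "enabled") in TRUTHY and get("admin", "bind_address") == "0.0.0.0":
        findings.append(Finding("admin", "bind_address", "0.0.0.0", "admin interface exposed on all interfaces"))

    # Default configuration file settings meant for development, not production
    debug, listing = get("server", "debug"), get("server", "directory_listing")
    if debug in TRUTHY:
        findings.append(Finding("server", "debug", debug, "debug mode leaks internals to clients"))
    if listing in TRUTHY:
        findings.append(Finding("server", "directory_listing", listing, "directory listing exposes file layout"))

    # Security settings at the lowest possible level
    timeout = int(get("auth", "session_timeout_minutes", "0") or "0")
    if timeout <= 0:
        findings.append(Finding("auth", "session_timeout_minutes", str(timeout), "sessions never expire"))
    min_len = int(get("auth", "password_min_length", "0") or "0")
    if min_len < 8:
        findings.append(Finding("auth", "password_min_length", str(min_len), "password policy shorter than 8 characters"))
    return findings


def is_hardened(text: str) -> bool:
    """True when the audit reports no insecure defaults."""
    return not audit_config(text)


if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED_DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(text))} finding(s)")
        for f in audit_config(text):
            print(f"  [{f.section}] {f.key}={f.value}: {f.reason}")
```

Run as a script it prints six findings for the shipped file and none for the hardened one. The checks are deliberately keyed to the product's own option names, which is the point of the page's advice: a generic scanner cannot know which settings a given application exposes, so the audit has to be written from an understanding of that application and its interfacing systems.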

Generic Framework Solution

None

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

Application misconfiguration is not a coding issue and can be difficult to secure because of the complexity of applications and networks; it is a perfect example of the “Security, Functionality, and Ease of Use Triangle”: the easier the application is to use, the less secure it may be.

References

  • Application Misconfiguration (WASC TC)
  • CAPEC-348
  • WASC Threat Classification 2.0: WASC-15 Application Misconfiguration