Learn about how attackers access default accounts, error messages, and other testing and debugging features to gain unauthorized access to or knowledge of the system.
- [Instructor] Number six in the OWASP Top 10 is misconfiguration. The idea here is that every application depends on several software and infrastructure components, each of which has particular features and settings that need to be configured. If these software and infrastructure components are not configured securely, then hackers can take advantage of the insecure configurations and attack the application. The important thing to understand for the misconfiguration category of OWASP Top 10 vulnerabilities is a concept called least privilege.
This is a fundamental security principle and the idea is that access to any particular data, resource, or function should always be limited to only those individuals who need access. Another way to think about it is that access to everything should be shut off by default and access should only be allowed as needed for each individual's role. Let's talk about a physical example of least privilege. Last year, my husband and I hired a general contractor to manage a major renovation to our house.
There were many individuals who required various kinds of access to our house during the design and build phases of construction. This included architects and designers, carpenters, plumbers, electricians, inspectors, et cetera. We made documentation available to these folks including blueprints and permits. We also created special access points into our home including scaffolding and opening up various walls and private rooms. The important thing is that when the construction was complete and the space was ready for us to use, all of this access was taken away.
We did not just leave the documentation on our front porch for anyone to read and we did not leave the scaffolding up so that people could access our roof or enter the house through the second floor windows. We also closed up the walls and changed the locks on the doors. Similarly in software development, various software and infrastructure components can be configured to allow for special access while the software is being defined, designed, developed, and tested. When the software is ready for release, these debugging and testing features should be turned off or otherwise configured securely.
One example of a debugging feature that can be overlooked once an application is released into production is that of error handling. When an application is being developed, error handling messages can be extremely useful in terms of helping someone who is trying to make an application function or test how it works. By their very nature, error messages often reveal fairly intimate details about exactly what's going on when an application is operating.
This can be exactly the type of information that you would not want a hacker to have access to because it can offer clues that can assist an attacker with carrying out their malicious objectives. So, error handling should be turned off once an application moves into production. Another way in which an attacker can take advantage of an insecurely configured software environment has to do with default passwords. The idea is fairly simple. Various software and infrastructure accounts ship with default passwords.
If these passwords are not changed, they can be easily guessed or found out by an attacker who simply uses the default passwords to log in to various accounts and take over from there. The default password for administering various software and infrastructure components that make up an application software environment is sometimes hilariously simple. One example is an account called admin that also has a password of admin.
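As an added example (not part of the course material), the following Python script audits a deployment configuration for the two misconfigurations described above, debugging features left on in production and accounts still on shipped default passwords, and produces a hardened copy; the config fields, the default-credential list and the sample values are all constructed assumptions.

```python
"""Added example: audit a deployment config for debug/error features left on
in production and for accounts still using shipped default passwords."""
from dataclasses import dataclass, field

# Constructed list of (username, password) pairs as shipped by vendors; these
# are placeholder values, not taken from any real product documentation.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}


@dataclass
class DeployConfig:
    environment: str                  # "development" or "production"
    debug: bool                       # framework debug mode (stack traces in responses)
    detailed_errors: bool             # verbose error pages sent to clients
    accounts: dict = field(default_factory=dict)  # username -> password (constructed)


def audit(cfg: DeployConfig) -> list[str]:
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    if cfg.environment == "production":
        if cfg.debug:
            findings.append("debug mode enabled in production")
        if cfg.detailed_errors:
            findings.append("detailed error messages exposed to clients")
    for user, pw in cfg.accounts.items():
        if (user, pw) in DEFAULT_CREDENTIALS:
            findings.append(f"account '{user}' still uses a shipped default password")
    return findings


def harden(cfg: DeployConfig) -> tuple[DeployConfig, list[str]]:
    """Return a production-safe copy plus the accounts that need new credentials.
    Accounts on default passwords are removed rather than given a password here,
    because a real secret must be set by an operator, not by this script."""
    rotate = [u for u, p in cfg.accounts.items() if (u, p) in DEFAULT_CREDENTIALS]
    safe = DeployConfig(
        environment="production",
        debug=False,
        detailed_errors=False,
        accounts={u: p for u, p in cfg.accounts.items() if u not in rotate},
    )
    return safe, rotate


# Constructed sample: a developer's config copied unchanged into production.
SAMPLE = DeployConfig(environment="production", debug=True, detailed_errors=True,
                      accounts={"admin": "admin", "deploy": "s3cr3t-ex4mple"})

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
    safe, rotate = harden(SAMPLE)
    print("after hardening:", audit(safe), "accounts to re-credential:", rotate)
```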