DEV Community

Cover image for API7:2019 - Security Misconfiguration
Breno Vitório
Breno Vitório

Posted on • Updated on

API7:2019 - Security Misconfiguration

Hello there, friends! 🤗

Coming next to the end of our series, I'm gonna be writing about API7:2019. As it is a more wide-ranging concept when comparing to the previous API vulnerabilities, I'm gonna be using a little bit different approach for presenting today's topic.

🏞️ Definition

When we access the official page of the OWASP API Security Project, and look at the definition of Security Misconfiguration, this is what we are going to see:

Security misconfiguration is commonly a result of unsecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.

By reading it, we can assume that any configuration that's in an API and could help, in a sense, bad guys to perform attacks, may be considered a security misconfiguration. The possibilities are many!

✏️ First Example

Let's say that we have an endpoint called /show-logs which is supposed to work only for requests that come from localhost:

GET /show-logs HTTP/1.1
Host: example.com

And whenever we try to perform this request from anywhere else, it gives us the following response:

HTTP/1.1 403 Forbidden
Server: SuperCoolServer
Content-Type:application/json

{
    "message": "You will never be able to see these logs because they're only available for localhost hahahah"
}

It looks pretty intimidating, but if the API was configured in a way that it picks up HTTP headers such as X-Forwarded-For for determining authorization, we have a little a problem here, because the client may just change the value of those headers to localhost or 127.0.0.1, and they will be able to see whatever it's being hidden.

✨ External Examples

API7:2019 has a definition that can match with an extensive list of cases, and because of that, I would like to share some examples from different places rather than writing just an example.

HDIV

OWASP API-Security repo

S3 Misconfigurations

🚨 Attention!

If you are looking for bugs in order to report them in bug bounty programs, don't just look if they "fit" in the security misconfiguration definition, because sometimes, a misconfiguration doesn't represent any harm to the company. Always pay attention to the context where you are inserted at, and go for impact! And avoid reporting things that are out of scope... 😅

Thank you for taking your time, guys! 🤗

Discussion (0)