OWASP Top 6 – Security Misconfiguration


OWASP Top 6 – Security Misconfiguration is ranked sixth on the OWASP Top 10 list. This vulnerability is the most prevalent on the OWASP Top 10 list because it covers the entire set of services, platforms, applications, code, and frameworks in a technological environment.

It is important to mention that attackers will try to exploit unpatched flaws, websites that display error logs, unprotected files and directories, and similar weaknesses to gain unauthorized access.

There are many ways to protect your system from this type of vulnerability, but there are also many ways in which a system can become vulnerable.

OWASP Top 6 – Anatomy of a Website Attack

We will name only 10 of the more than 300 ways we have found in which systems are configured without taking security into consideration, exposing them to serious vulnerabilities.

  1. Unchanged default credentials on systems or applications.
  2. Applications that open insecure ports (ports providing access to vulnerable apps).
  3. Unnecessary permissions assigned to users.
  4. Outdated systems.
  5. Web pages configured with insecure HTTP methods such as PUT or DELETE enabled.
  6. Websites displaying error logs without any access permissions assigned.
  7. Passwords without an age policy assigned.
  8. Not having a usage policy for USB devices.
  9. Not having a policy for handling email.
  10. Outdated programs installed on users’ computers.

We have named the most obvious ones, but we can assure you that any of these, and the remaining others, are critical vulnerabilities that could allow direct access to your internal network from the outside, exposing your company’s documentation, its databases, and its domain servers.
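As an added example (not code from the original page or from RedDefense Global), the following Python script audits captured HTTP responses for two of the misconfigurations listed above: risky methods such as PUT or DELETE being enabled (item 5) and verbose error output reaching users (item 6), plus a version-revealing server banner. The sample responses and the error-leak patterns are constructed for illustration and are assumptions, not values from the page.

```python
import re

# HTTP methods that should not be enabled on an ordinary web endpoint (item 5 in the list above)
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}

# Body fragments typical of verbose error pages that leak internals (item 6); constructed list
ERROR_LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),          # Python stack trace
    re.compile(r"\bat [\w.$]+\([\w]+\.java:\d+\)"),            # Java stack frame
    re.compile(r"SQLSTATE|ODBC|syntax error", re.IGNORECASE),  # raw database error
]

def parse_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_response(raw):
    """Return a list of misconfiguration findings for one captured HTTP response."""
    headers, body = parse_response(raw)
    findings = []
    methods = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    risky = sorted(methods & RISKY_METHODS)
    if risky:
        findings.append("risky methods enabled: " + ", ".join(risky))
    for pattern in ERROR_LEAK_PATTERNS:
        if pattern.search(body):
            findings.append("verbose error details leaked in body")
            break
    server = headers.get("server", "")
    if re.search(r"/\d+\.\d+", server):              # e.g. "Apache/2.4.41" reveals a version
        findings.append("server banner reveals version: " + server)
    return findings

# Constructed sample responses (not captured from any real system)
OPTIONS_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                    "Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE\r\nContent-Length: 0\r\n\r\n")
ERROR_RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
                  "<pre>Traceback (most recent call last):\n  File \"/srv/app/views.py\", line 42\n</pre>")
HARDENED_RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\nServer: nginx\r\n"
                     "Content-Type: text/html\r\n\r\n<h1>Something went wrong</h1>")

if __name__ == "__main__":
    for name, raw in [("OPTIONS", OPTIONS_RESPONSE), ("ERROR", ERROR_RESPONSE), ("HARDENED", HARDENED_RESPONSE)]:
        print(name, audit_response(raw) or ["no findings"])
```

The hardened response shows the expected outcome of fixing item 6: a generic error page with no stack trace and a banner that carries no version, so the audit returns no findings.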

How can RedDefense Global help me to keep my corporate network safe?

RedDefense Global will put your corporate websites and databases to the test. We use advanced scanners, manual penetration testing, and different techniques and procedures that may include crawling, rough tampering, code review, and folder-permission review. We do all of this in coordination with the internal staff in charge of your information systems. These procedures are necessary to determine whether potential vulnerabilities are false positives or real vulnerabilities. If they are real, we will provide you with effective methods to patch, update, or remove the vulnerability as the situation requires, to keep your environment safe.

SOLUTION AND PREVENTION

https://www.reddefenseglobal.com/services

Additional resources regarding this type of vulnerability:

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration.html

https://csrc.nist.gov/publications/detail/sp/800-123/final