
What is Security Misconfiguration?

Security misconfiguration is No. 8 on the 2023 OWASP API Security Top 10. The category is a catch-all for design and configuration flaws in an API, or in the stack it runs on, that leave it open to attack.

OWASP says of this flaw, “Attackers will often attempt to find unpatched flaws, common endpoints, services running with insecure default configurations, or unprotected files and directories to gain unauthorized access or knowledge of the system. Most of this is public knowledge and exploits may be available.”

How Do Security Misconfiguration-related Exploits Work?

OWASP gives this example:

A social network website offers a “direct message” feature that allows users to keep private conversations. To retrieve new messages for a specific conversation, the website issues the following API request (user interaction is not required):

GET /dm/user_updates.json?conversation_id=1234567&cursor=GRlFp7LCUAAAA

Because the API response does not include the Cache-Control HTTP response header, private conversations end up cached by the web browser, allowing malicious actors to retrieve them from the browser cache files in the filesystem.
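To make that failure concrete, the following added example (not from OWASP or from the page's authors) builds the headers a per-user API response such as the direct-message endpoint above should carry, and audits a response's headers for cache directives that would let a browser or shared cache keep the body; the endpoint path and sample header sets are constructed.

```python
from typing import Dict, List

# Constructed example: the direct-message endpoint from the OWASP scenario,
# the headers a hardened response should carry, and an audit that flags
# responses a browser or shared cache is permitted to store.

DM_ENDPOINT = "/dm/user_updates.json"  # path from the OWASP example above


def private_api_headers() -> Dict[str, str]:
    """Headers that keep a per-user API response out of browser and proxy caches."""
    return {
        "Content-Type": "application/json",
        # no-store: the response must not be written to any cache at all.
        # private: extra guard for caches that honour private but ignore no-store.
        "Cache-Control": "no-store, private, max-age=0",
        "Pragma": "no-cache",  # HTTP/1.0 caches
        "Expires": "0",        # legacy caches that only consult Expires
    }


def _directives(header_value: str) -> Dict[str, str]:
    """Parse 'no-store, max-age=60' into {'no-store': '', 'max-age': '60'}."""
    out: Dict[str, str] = {}
    for token in header_value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        out[name.strip().lower()] = value.strip().strip('"')
    return out


def audit_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for a response carrying per-user data; an empty list means it is not cacheable."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    cc = lowered.get("cache-control")
    if cc is None:
        # With no explicit directives a 200 GET response may be heuristically cached.
        findings.append("missing Cache-Control: response is cacheable by default")
        return findings
    d = _directives(cc)
    if "no-store" not in d:
        findings.append("Cache-Control lacks no-store: browser may write the body to disk")
    if "public" in d:
        findings.append("Cache-Control: public lets shared caches serve the body to other users")
    if "no-store" not in d and d.get("max-age", "").isdigit() and int(d["max-age"]) > 0:
        findings.append(f"max-age={d['max-age']} permits reuse for {d['max-age']}s")
    return findings
```

Run `audit_cache_headers` over the headers your API actually returns (for example from a test client) to catch endpoints that serve private data without `no-store`.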

An attacker could also find new endpoints on the API that are used only by the DevOps team and are not documented.

Another example is administrative web interfaces that are supposed to be locked down but are sometimes left exposed. phpMyAdmin is notorious on this front.

How to Prevent Security Misconfiguration

Having a strong security mindset at the outset of development can help to identify the possible security misconfiguration vectors upfront and to develop monitoring/alerting scripts to ensure those misconfigurations never occur in production. This assumes your development team has strong security chops or is working closely and effectively with a security group.

However, the fact is that many enterprises are running APIs they didn’t develop in the first place. Even if they did develop the APIs, the original developers might be long gone, and the tribal knowledge of security misconfiguration vectors is nowhere to be found. In this case, look to rigorous pen testing and aggressive restrictions that limit the interface to only the known-good interaction paths.

How Our Approach Is Unique

Real-time Blocking

Some API security solutions simply highlight potential API vulnerabilities, leaving security teams to investigate and recommend code changes. Other API solutions can identify an attacking IP but require security teams to try to model the complex behavior in a third-party WAF (or try to block one IP at a time after the fact). ThreatX by A10 Networks doesn’t just show API vulnerabilities or attempted attacks, it also blocks API attacks in real time. ThreatX proxies and scans all inbound API traffic, identifying and blocking attacks.

ThreatX recognizes attacker behavior indicative of an attempt to exploit security misconfigurations, then flags and watches that user. This real-time monitoring enables ThreatX to execute advanced threat engagement techniques, such as IP interrogation, fingerprinting, and tarpitting. When a series of user interactions cross our default (or your customized) risk threshold, the attack is blocked.

Step One of N…

In many cases, attackers aren’t just going to attack by attempting to exploit a security misconfiguration; they’re going to string together a series of attacks over time, often using federated and sophisticated botnets. Countering this approach requires the ability to correlate attack traffic across multiple IPs, the use of advanced bot protection, and the ability to detect identifiers and techniques to associate the traffic to a unique attacker. Rather than requiring a single, significantly risky event or identifying a known signature, ThreatX analyzes behaviors from multiple vantage points. This allows the ThreatX platform to identify and block more threats, more accurately than competing API security tools.

Fewer False Positives

As risk rises, ThreatX immediately blocks an attack. ThreatX blocking modes are designed to block malicious requests and deter suspicious entities from attacking APIs, while allowing benign traffic and real users through. Legacy WAFs struggle with false positives because they only make blocking decisions based on rules, but attackers and legitimate users don’t always follow the rules. Sometimes a legitimate user who forgot their password looks like an attacker, and sometimes an attacker cycling through usernames and passwords looks like a legitimate user. ThreatX can tell the difference.
