API7:2019 Security Misconfiguration
Security Misconfiguration is a broad category in which everything that could have been done to improve the API overall security but that wasn't, fall. Usually, security misconfigurations are a consequence of insecure defaults such as a database without authentication or a permissive Cross- Origin Resource Sharing (CORS) policy. Integrating security as a shared responsibility throughout the entire API lifecycle is fundamental to mitigate this risk.
What is the issue?
Issues in this category are very varied, but most of them are caused by insecure default configurations. Assuming this premise, lacking to override the insecure default configuration is the issue.
How does it look like?
Note that we will address a simple security misconfiguration scenario, but there are plenty of others. While requesting a single task from the API the server responds with a 500 Internal Server Error like the one below:
Paying some attention to the response body, on the right, you'll notice that the server returned an internal exception, which is, per se, a security misconfiguration. Why? Because unhandled exceptions/verbose error messages may expose internal or sensitive information.
Back to the example, based on the API server response, we now know that the API is backed by a MongoDB database, running on a server whose IP address is 22.214.171.124, listening on port 27017.
Note that 27017 is mongo's default port number what may make us wonder what other default configurations remained unchanged. Do you know that MongoDB default configuration does not have access control enabled? Yeah, you've read it right: authentication is not required! Trying to connect to the disclosed IP address on port 27017 may allow unauthorized access to the exposed MongoDB server and all available databases:
Where have we seen this issue lately?
According to a recent (2021) report from IBM "Two-thirds of the incidents analyzed involved improperly configured Application Programming Interface (APIs)", which "would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems".
Integrating security as a shared responsibility throughout the entire API lifecycle, also known as DevSecOps (Development-Security-Operations), contributes to mitigate security misconfiguration risks, thinking about application and infrastructure security from the start. DevSecOps also means automation and to prevent security misconfigurations, a repeatable hardening process, as well as an automated process to continuously assess the effectiveness of the configuration and settings in all environments, are fundamental.