Privacy settings
We use cookies and similar technologies that are necessary to run the website. Additional cookies are only used with your consent. You can consent to our use of cookies by clicking on Agree. For more information on which data is collected and how it is shared with our partners please read our privacy and cookie policy: Cookie policy, Privacy policy
We use cookies to access, analyse and store information such as the characteristics of your device as well as certain personal data (IP addresses, navigation usage, geolocation data or unique identifiers). The processing of your data serves various purposes: Analytics cookies allow us to analyse our performance to offer you a better online experience and evaluate the efficiency of our campaigns. Personalisation cookies give you access to a customised experience of our website with usage-based offers and support. Finally, Advertising cookies are placed by third-party companies processing your data to create audiences lists to deliver targeted ads on social media and the internet. You may freely give, refuse or withdraw your consent at any time using the link provided at the bottom of each page.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
API Security, OWASP, Attacks, Vulnerabilities

API7 Security Misconfiguration


API7:2019 Security Misconfiguration

Threat agents/attack vectorsSecurity weaknessImpacts
The threat vectors can vary quite a lot here, it can range from not encrypting traffic between servers to having a shadow API on the network that is not maintained and poorly configured to allow for SSH access.This vulnerability can occur on any level that requires configuration, ranging from the network to the application level. This vulnerability can be tested manually but if you have access to the source code and even if you do not it is certainly recommended to run automated tools as they can reliably identify and report on known issues.This vulnerability might lead to an attacker being able to fully take over all the infrastructure even so this is an issue that should be handled with great care.
API7 Security Misconfiguration

What is Security Misconfiguration?

There are several factors that might indicate a Security Misconfiguration. We should be very careful with handling configurations because if the correct security measures are not in place to protect our APIs, an attacker might be able to take over the full infrastructure. Best way to secure web API - Wallarm Platform

We have to ensure all our systems are always up to date to avoid old exploits working on our systems. Following up on this, if our systems are up to date, we have to disable any unused functions like http PUT calls.

All our data should always be transported over a TLS channel to avoid that an attacker can perform a MitM attack.

Make sure all your security headers such as CSP are working correctly and configured wherever needed. With CSP enabled we should also run a CORS policy and configure it properly or you might open yourself up to Security Misconfiguration vulnerabilities.

Furthermore as a last point we can claim that security misconfigurations happen when the end user is able to see error messages or warnings. These should only be logged and viewed internally.

How to detect Security Misconfiguration?

First of all, it is really important that we look to get an overview of our entire application architecture. We need to gain visibility by creating a mindmap or a schema.

mindmap application architecture

Make sure you include everything in here, from printers to smart thermostats and mobile phones. These days you should even include watches if your company allows smartwatches to connect to the network.

Now that we have everything mapped, we need to scan it for security misconfigurations, we can do this manually or with a scanner. To do this manually, go over all the assets, workflows and everything else you gathered and confirm they are configured correctly. You are looking for things like passwords sent over plain text or unencrypted communication on server x.

Hybrid-cloud environments and Security Misconfiguration

Hybrid-cloud environments and Security Misconfiguration

A lot of people are against hybrid environments but it's been given a bad rep due to the misconfigurations that are often present on these environments with improper network protection and execution. This can often lead to vulnerabilities, we will go over a few of them.

First of all it is really important to encrypt all the traffic that moves over the network to give attackers who perform a man-in-the-middle attack no chance to eavesdrop on the data being transmitted.

If we want to set up a complex environment like this, we have to perform a really thorough risk analysis as well , but this is often overlooked or not executed due to budget constraints. It's really important to have rigorous risk assessment in place and evaluate it from time to time.

What is also vital is proper security management is implemented. Sometimes shortcuts will be built in for testing purposes that make it to the production environment, this should never happen but also the intended authentication methods should be strong and should not allow for attacks.

Our different cloud environments need to be coordinated carefully and we need to assure the fall within compliance rules. This is extra important in hybrid-cloud environments where two clusters might need to communicate at any time.

There are many more things we can do to protect our environment, make sure you always define proper SLAs and do not leak data that should not be leaked.

Example Attack Scenarios

I am again going to draw from experience here as I think it's an interesting avenue that should give you a better idea of how this issue manifests in a real production environment.

I was testing and I found a manual that told me I could not disable the super admin accounts, that's enough for me to go and try if this actually is true. As a tester, I have to verify everything and I can not make assumptions

DELETE /users/

Where user 123 is a super admin

That was the easiest 125 euros I ever made.

Another example that comes to mind is when I found a server which had their HTTP configured improperly which had disastrous consequences. Due to anonymous PUT file upload, I was able to upload an exploit that gave me a reverse shell via PHP. POST was disabled properly but they forgot the PUT method.

POST /files
    "binary":"BINARY FOR FILE"


403 - forbidden
PUT /files
    "binary":"BINARY FOR FILE"


200 - ok

I can then easily call my file from the browser.

GET /files/test.php

Where test.php is a reverse shell to the server. The HTTP Put method should have been disabled but it was not. This is a clear Security Misconfiguration.

A final real life scenario is going to be about Admin-level API keys being leaked to all users, this is clearly a misconfiguration:

An error occurs here because of the implementation of the limits service in 4.0.0 of github. All the users had to do was call on a specific API endpoint if they are authenticated and they view the admin-level API Key. This leads to an issue with serious impact as normal users can perform a privilege escalation to administrators.

Preventive measures against Security Misconfiguration?

  • To be safe, we have to judge and adjust the security on a regular basis both on it's own and when put into a production environment to prevent Security Misconfiguration
  • We have to perform a regular review of our API's configuration files while keeping the whole technology stack that has been used in mind.
  • Never use insecure channels of communication and make sure you judge this keeping all communications in mind, especially in Hybrid-cloud environments
  • Automation can help us in detecting common Security Misconfiguration, Design and implement a proper strategy to automatically scan your APIs.
  • We can use scheme based validation on the responses of the API to validate they meet the criteria and do not send out misconfigured information like full error messages.
  • Don't allow any HTTP method that is not needed for your API, you should work with whitelist based filtering wherever possible.
  • If your API needs to be accessed from browser-based clients we have to consider implementing a proper Cross-Origin Resource Sharing (CORS) policy.


Security Misconfiguration vulnerabilities are really easy to overlook while testing manually so it's always advised to combine the manual testing with the automated testing because popular scanners can detect and report on common Security Misconfiguration vulnerabilities. According to our OWASP Top 10 rating in 2021, this vulnerability moved to 10th place.

Watch the video:



Subscribe for the latest news

March 5, 2024
Learning Objectives
Subscribe for
the latest news
Related Topics