Security misconfiguration occurs when system security settings across application stacks—such as servers, databases, and networks—are inadequately implemented or left in their default states. These missteps expose critical vulnerabilities that attackers can exploit.
CWE-863: Incorrect Authorisation occurs when an application fails to enforce correct authorisation measures, allowing unauthorised users or processes to access resources, perform operations, or retrieve data that should be off-limits. It is sometimes conflated with authentication flaws, but the essence of CWE-863 lies in improper or missing checks that would otherwise confirm if a user has the necessary permissions to perform a specific action.
From a technical standpoint, one might imagine an application employing robust identity verification (authentication) only to overlook critical checks about what a user is allowed to do once logged in (authorisation). This oversight can be the gateway to data leaks, privilege escalation, or even sabotage of core business processes.
Improper inventory management refers to the failure to adequately track and manage the lifecycle of APIs within an organisation. This includes:
– Keeping track of all deployed API versions.
– Documenting endpoints, their functions, and access control requirements.
– Managing deprecated or unused versions.
– Ensuring that sensitive or debug information is not exposed via endpoints.
– Auditing and monitoring API usage regularly.
When APIs are not properly inventoried, organisations may unknowingly expose insecure or deprecated API versions to the public. This can lead to serious security issues, as older versions may lack critical patches or expose debugging functionality that provides attackers with valuable information.
At its core, **security misconfiguration** occurs when the security settings of an API or its supporting systems are improperly configured or left at their default settings. APIs often rely on a wide range of underlying infrastructure, including web servers, databases, cloud services, and identity management systems. Each of these elements needs to be configured in line with security best practices to ensure the overall security posture of the API.
Misconfigurations can arise at any stage in the API lifecycle, from development to deployment, and they are not limited to a single type of vulnerability. They may involve poorly configured authentication mechanisms, incorrect access control settings, or vulnerabilities in third-party services integrated into the API ecosystem.
SSRF vulnerabilities occur when an API fetches a remote resource using a user-supplied Uniform Resource Identifier (URI) without adequate validation. This oversight allows attackers to manipulate the request, coercing the server to interact with unintended destinations. These attacks bypass traditional network controls like firewalls and VPNs, making them particularly insidious.