Configuration Management / Strict Transport Security Misconfiguration

Description

Strict Transport Security Misconfiguration is a type of Configuration Management vulnerability that occurs in web and API applications. This vulnerability occurs when a server does not properly enforce the usage of Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols, which are used to secure data transmission. This vulnerability is cataloged in the CWE directory under CWE-295: Improper Certificate Validation. The OWASP Testing Guide recommends that organizations test for TLS/SSL configuration to ensure that secure protocols are enforced.

Risk

This vulnerability can lead to data leakage, as attackers can redirect requests to insecure channels, or even hijack sessions. Attackers can also perform man-in-the-middle attacks, which can lead to stolen passwords and other confidential information. The risk rating for this vulnerability is rated as high by the CWE directory.

Solution

To mitigate this vulnerability, organizations should enforce secure protocols such as TLS/SSL for all web and API applications. This can be done by ensuring that servers are properly configured to only allow secure connections, and by implementing a valid certificate for encryption and authentication.

Example

The following example is taken from CVE-2019-18935, which is a Strict Transport Security Misconfiguration vulnerability in a web application.

<VirtualHost *:80>
  ServerName example.com
  <Location />
    Header always set Strict-Transport-Security max-age=0
  </Location>
</VirtualHost>

The code above shows an example of the misconfiguration of the Strict Transport Security header. The max-age value of 0 indicates that the browser should not remember that the site is using HTTPS, which allows attackers to force the user to an insecure connection.