Configuration and Deployment Management Testing is a systematic process that verifies the security, consistency, and integrity of system configurations and deployment workflows. It ensures IT systems adhere to secure baselines, prevent unauthorized changes, and minimize risks from misconfigurations or flawed deployment practices.

Application Configuration Management Weaknesses:

  1. File Extensions Handling – Sensitive Information
    Mishandling file extensions (e.g., allowing .bak, .tmp) may expose sensitive data through directory listings or direct access. Attackers exploit misconfigurations (e.g., .php.jpg execution) to upload malicious files.
  2. Old, Backup, and Unreferenced Files – Sensitive Information
    Obsolete files (e.g., database.bak, config.old) left in web directories leak credentials, source code, or API keys.
  3. Unauthorized Admin Interfaces Access
    Exposed admin panels (e.g., /admin, /manager) enable attackers to brute-force credentials, exploit default passwords, or manipulate systems.
  4. HTTP Methods Enabled, XST Permitted, HTTP Verb Tampering
    • Unnecessary HTTP Methods: Enabled TRACE/PUT methods facilitate XST attacks (stealing cookies via TRACE) or file upload exploits.
    • Verb Tampering: Misconfigured verbs (e.g., using GET for sensitive actions) bypass access controls.
  5. HTTP Strict Transport Security (HSTS)
    Missing HSTS headers expose sites to downgrade attacks (e.g., SSL stripping), allowing MITM attacks on unencrypted HTTP traffic.
  6. RIA Cross-Domain Policy
    Overly permissive cross-domain policies (e.g., crossdomain.xml allowing *) enable malicious Flash/Silverlight apps to hijack user data.
  7. Role Definitions Enumeration
    Verbose error messages or API responses leak role names, permissions, or authorization schemas, aiding privilege escalation.
  8. Vulnerable User Registration Process
    Weak validation allows fake accounts (e.g., disposable emails), credential stuffing, or automated bot registrations.
  9. Vulnerable Account Provisioning Process
    Insecure workflows (e.g., manual role assignments) lead to excessive permissions or orphaned accounts.
  10. Permissions of Guest/Low Permission Accounts
    Overprivileged guest accounts (e.g., read access to /etc/passwd) enable lateral movement or data exfiltration.
  11. Account Suspension/Resumption Process
    Flaws like failing to revoke tokens post-suspension or insecure reactivation (e.g., no MFA) allow account hijacking.
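The header- and policy-level checks behind items 4, 5 and 6 (advertised HTTP methods, HSTS, and the RIA cross-domain policy), as an added example that is not part of the original page: a small offline audit run over constructed sample responses. The one-year max-age baseline and the set of methods treated as risky are assumptions chosen for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample data written for this example, not captured from any real host.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Allow": "GET, HEAD, POST, OPTIONS, TRACE, PUT",
}
SAMPLE_CROSSDOMAIN_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}  # assumed audit set
MIN_HSTS_MAX_AGE = 31536000  # one year; assumed hardening baseline

def _header(headers, name):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def check_hsts(headers):
    """Flag a missing, short-lived, or subdomain-less Strict-Transport-Security policy."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return ["HSTS header missing"]
    directives = {}
    for part in value.split(";"):  # e.g. "max-age=300; includeSubDomains; preload"
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip()
    findings = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age or 'unset'} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings

def check_methods(headers):
    """Return risky verbs advertised in the Allow header (as returned to an OPTIONS request)."""
    allow = _header(headers, "Allow") or ""
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(advertised & RISKY_METHODS)

def check_crossdomain(xml_text):
    """Flag wildcard <allow-access-from> entries in a Flash/Silverlight cross-domain policy."""
    root = ET.fromstring(xml_text)
    return [f"crossdomain.xml grants access to domain '{el.get('domain')}'"
            for el in root.iter("allow-access-from") if el.get("domain") == "*"]
```

Against the sample data this reports a too-short HSTS max-age without includeSubDomains, the advertised PUT and TRACE verbs, and the wildcard cross-domain grant; feed it the headers of a real OPTIONS response and the fetched crossdomain.xml to audit a deployment.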

By addressing these weaknesses, organizations reduce risks of data breaches, unauthorized access, and compliance violations.