Misconfigured .htaccess
TLDR: Misconfigured .htaccess files, addressed under “Security Misconfiguration” in the OWASP Top Ten, can lead to vulnerabilities such as unauthorized access, directory traversal, and information leakage. Issues like overly permissive rules, improper redirects, and weak authentication configurations compromise server and application security. Properly configuring .htaccess, introduced in the early 1990s with Apache Web Server, is essential to securing web resources.
https://en.wikipedia.org/wiki/.htaccess
A common issue with misconfigured .htaccess files is enabling directory listing. Without restrictions, attackers can view directory contents, exposing sensitive files like backups, credentials, or configuration files. OWASP recommends disabling directory indexing by including the directive `Options -Indexes` in the .htaccess file.
https://owasp.org/www-project-top-ten/
Another vulnerability arises from overly permissive rules that allow access to restricted directories or files. For example, forgetting to restrict access to sensitive directories like `/admin` or `/config` can lead to unauthorized access. OWASP advises defining explicit access rules for sensitive resources, such as a .htaccess file in the protected directory containing `Require all denied`.
https://httpd.apache.org/docs/current/mod/mod_authz_core.html
Improper handling of redirects in .htaccess files is another critical flaw. Misconfigured redirects can expose sensitive URLs or facilitate open redirect attacks. OWASP recommends validating all redirect destinations and avoiding wildcard patterns that allow arbitrary URLs.
https://owasp.org/www-project-top-ten/
Weak authentication configurations in .htaccess files, such as using plaintext credentials or failing to enforce strong passwords, expose resources to brute force attacks. OWASP advises using hashed credentials with directives like `AuthType Basic` combined with strong password policies.
https://httpd.apache.org/docs/current/howto/auth.html
Improper CORS configurations in .htaccess files pose additional risks. For example, setting `Access-Control-Allow-Origin: *` allows all domains to access server resources, creating security vulnerabilities. OWASP recommends specifying trusted origins explicitly to secure cross-origin requests.
https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross-Origin_Request_Sharing_Cheat_Sheet.html
Failure to secure .htaccess files themselves is another oversight. Exposing the .htaccess file to public access allows attackers to view or modify server configurations. OWASP advises using directives like `Require all denied` to restrict access to the .htaccess file.
https://owasp.org/www-project-top-ten/
Another issue arises from improper error handling configurations in .htaccess files. Detailed error messages or stack traces exposed through misconfigured `ErrorDocument` directives provide attackers with insights into the application’s structure. OWASP recommends using generic error pages while logging details securely for debugging.
https://owasp.org/www-project-cheat-sheets/cheatsheets/Error_Handling_Cheat_Sheet.html
Neglecting to enforce HTTPS redirection in .htaccess files is another vulnerability. Serving content over HTTP instead of HTTPS exposes data to man-in-the-middle attacks. OWASP advises enforcing secure connections with a rewrite such as `RewriteCond %{HTTPS} off` followed by `RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]` (the condition is required, since the rule alone would redirect HTTPS requests to themselves in a loop).
https://owasp.org/www-project-top-ten/
Improper caching directives in .htaccess files can inadvertently cache sensitive data in client browsers or intermediary servers. OWASP recommends using headers like `Cache-Control: no-store` and `Pragma: no-cache` to prevent sensitive data caching.
https://owasp.org/www-project-top-ten/
To mitigate these risks, administrators should audit .htaccess files regularly, enforce secure directives, and test configurations with tools like OWASP ZAP or Nessus. Following OWASP Top Ten guidelines ensures secure and effective use of .htaccess files to protect web applications.
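As an added example (not part of the original article or any OWASP tool), the following Python script performs a simple audit of a .htaccess file for the misconfigurations discussed above: directory listing, wildcard CORS, cacheable sensitive responses, an HTTPS redirect with no `RewriteCond` guard, and a world-readable .htaccess. The sample configuration and the rule identifiers are constructed for this example.

```python
import re

# Constructed sample (not from any real site): a .htaccess with several of the
# misconfigurations discussed above, used as input for the audit below.
WEAK_HTACCESS = """\
Options +Indexes +FollowSymLinks
Header set Access-Control-Allow-Origin "*"
Header set Cache-Control "public, max-age=3600"
RewriteEngine On
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
<Files ".htaccess">
    Require all granted
</Files>
"""

def directives(text):
    """Yield (name, arguments) per non-blank, non-comment line; the name is lower-cased."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, rest = line.partition(" ")
            yield name.lower(), rest.strip()

def audit_htaccess(text):
    """Return a list of (rule_id, message) findings for the weaknesses this page describes."""
    findings = []
    https_cond_pending = False  # a RewriteCond on %{HTTPS} guards the next RewriteRule
    in_htaccess_files = False   # inside <Files ".htaccess"> ... </Files>
    for name, rest in directives(text):
        tokens = rest.lower().split()
        if name == "options" and any(t in ("indexes", "+indexes") for t in tokens):
            findings.append(("indexes", "directory listing enabled; use 'Options -Indexes'"))
        elif name == "header" and re.search(r'access-control-allow-origin\s+"?\*"?$', rest, re.I):
            findings.append(("cors", "Access-Control-Allow-Origin is '*'; list trusted origins explicitly"))
        elif name == "header" and "cache-control" in tokens and "no-store" not in rest.lower():
            findings.append(("cache", "Cache-Control lacks no-store; sensitive responses may be cached"))
        elif name == "rewritecond":
            https_cond_pending = https_cond_pending or "%{https}" in rest.lower()
        elif name == "rewriterule":
            if "https://" in rest.lower() and not https_cond_pending:
                findings.append(("https-loop", "HTTPS redirect without 'RewriteCond %{HTTPS} off' loops forever"))
            https_cond_pending = False  # conditions apply only to the rule that follows them
        elif name.startswith("<files") and ".ht" in rest:
            in_htaccess_files = True
        elif name == "</files>":
            in_htaccess_files = False
        elif name == "require" and in_htaccess_files and tokens[:2] == ["all", "granted"]:
            findings.append(("htaccess-exposed", ".htaccess is readable over HTTP; use 'Require all denied'"))
    return findings
```

Run `audit_htaccess(open(".htaccess").read())` against a real file; an empty list means none of these specific checks fired, not that the configuration is secure (the script does not know what `AllowOverride` permits or which paths hold sensitive data).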