OWASP Serbia - A6 Security Misconfiguration
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Security misconfiguration
Vladimir Polumirac
e-mail: [email protected]
d0is.wordpress.com
FB: facebook.com/vpolumirac
Twitter: twitter.com/d0is
23/07/2012
INTRODUCTION
New to the OWASP Top 10
Was there in 2004
On the OWASP list in 2007
This happens when system administrators, DBAs and developers leave security holes in the configuration of computer systems.
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code.
WEB APPLICATION SECURITY
How attackers do it
Collecting info about the targeted system's stack:
OS and version number
Web server type (Apache, IIS, etc.)
RDBMS (MySQL, SQL Server, Oracle, etc.)
Web development language
Tools/libraries used (Hibernate, etc.)
Check their data sources for all known exploits against any part of that stack. There are known vulnerabilities for each level of the stack.
Begin hacking away
Example Scenarios
Scenario #1: Your application relies on a powerful framework like Struts or Spring. XSS flaws are found in these framework components you rely on. An update is released to fix these flaws, but you don't update your libraries. Until you do, attackers can easily find and exploit these flaws in your app.
Example Scenarios
Scenario #2: The app server admin console is automatically installed and not removed. Default accounts aren't changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords and takes over.
How we protect ourselves
Don't give away info about your stack
Change default user accounts
Delete unused pages and user accounts
Turn off unused services
Disable directory listings if they are not necessary, or set access controls to deny all requests
Stay up to date on patches
Consider internal attackers as well as external
Use automated scanners
Change default accounts
When you install an OS or server tool, it has a default root account with a default password. Examples:
Windows - "Administrator" & "Administrator"
SQL Server - "sa" & no password
Oracle - "MASTER" & "PASSWORD"
Apache - "root" & "change this"
Make sure you change these passwords! Completely delete the accounts when possible.
Delete unused accounts
As soon as an employee or contractor leaves, change his password.
Change his username.
Move files and delete the account.
Look for old client accounts and delete them.
Turn off unused services
Look through all running services. If they're not being used, turn them off and disable them upon system start up.
Pay particular attention to:
Services enabled upon install
― Remote debugging
― Content management
Services turned on ad-hoc
― One-time use
― "This is a temporary repair. We'll put a better solution in later."
Inside IIS, too:
Directory browsing
Ability to run scripts and executables
White list pages
Serve only pages that are allowed. Intercept requests for pages and disallow any request for something other than *.html, *.jsp, *.js, *.css, etc.
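An added example of the allow-list check this slide describes, written for this page and not code from the presentation: it uses the four extensions the slide names, assumes the site root maps to a default document, and the function and sample request names are ours.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Page types the slide allows (its "etc." is left to the site owner to extend deliberately).
ALLOWED_EXTENSIONS = {".html", ".jsp", ".js", ".css"}


def normalize_path(raw_path: str) -> str:
    """Reduce a request target to the path the server would actually resolve."""
    path = urlsplit(raw_path).path                      # drop ?query and #fragment
    path = unquote(path)                                # decode %2e, %2f, ... exactly once
    return posixpath.normpath("/" + path.lstrip("/"))   # collapse "." and "..", anchored at the root


def is_allowed_request(raw_path: str) -> bool:
    """True only when the resolved target has an allow-listed extension."""
    path = normalize_path(raw_path)
    if path == "/":
        return True                     # assumption: root serves a default document such as index.html
    if "%" in path or "\\" in path or "\x00" in path:
        return False                    # double-encoding, backslash tricks, NUL truncation
    _, ext = posixpath.splitext(path)
    return ext.lower() in ALLOWED_EXTENSIONS  # directories, consoles, backups: no allowed extension


def audit(requests):
    """Split request targets into allowed and denied; the denied list is what you log and alert on."""
    allowed, denied = [], []
    for target in requests:
        (allowed if is_allowed_request(target) else denied).append(target)
    return allowed, denied


# Constructed sample request targets (not taken from any real log).
SAMPLE_REQUESTS = [
    "/index.html",
    "/scripts/app.js?v=3",
    "/STYLE.CSS",
    "/",
    "/admin/",
    "/manager/html",
    "/backup/site.zip",
    "/..%2f..%2fetc/passwd",
    "/page.jsp%00.html",
]

if __name__ == "__main__":
    ok, blocked = audit(SAMPLE_REQUESTS)
    print("allowed:", ok)
    print("denied: ", blocked)
```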
Update patches
Patch Tuesday is the most overlooked defense
* Patch Tuesday is usually the second Tuesday of each month
Day-one vulnerabilities
Subscribe to vendors' alert lists: http://www.microsoft.com/security/pc-security/default.aspx#Security-Updates
RSS feed: http://www.novell.com/company/rss/patches.html
CONCLUSIONS
Safeguarding your website from malicious users and attacks is important, regardless of what type of site you have or how many visitors your site receives.
Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions.
While there is no one-size-fits-all security configuration, you can use these points to develop a plan that works for your situation. I hope this presentation helps you create such a plan.
Resources
1. OWASP http://www.owasp.org/
2. DB of known default accounts http://www.cirt.net/passwords
3. Web Protection Site Scanner https://www.websiteprotection.com/
4. Vulnerability scanning software http://sectools.org/web-scanners.html
Discussion