OWASP Serbia - A6 security misconfiguration
Transcript

  • 1. Security misconfiguration
    Vladimir Polumirac
    e-mail: v.polumirac@sbb.rs
    blog: d0is.wordpress.com
    FB: facebook.com/vpolumirac
    Twitter: twitter.com/d0is
    23/07/2012
    OWASP
    Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. INTRODUCTION
    New to the OWASP Top 10. Was there in 2004. On OWASP list in 2007.
    This happens when the system administrators, DBAs and developers leave security holes in the configuration of computer systems.
  • 3. Security misconfiguration can happen at any level of an application stack, including: the platform, web server, application server, framework, and custom code.
  • 4. WEB APPLICATION SECURITY
  • 5. How attackers do it
    Collecting info about the targeted system's stack:
      OS and version number
      Web server type (Apache, IIS, etc.)
      RDBMS (MySQL, SQL Server, Oracle, etc.)
      Web development language
      Tools/libraries used (Hibernate, etc.)
    Check their data sources for all known exploits against any part of that stack. There are known vulnerabilities for each level of the stack.
    Begin hacking away.
  • 6. Example Scenarios
    Scenario #1: Your application relies on a powerful framework like Struts or Spring. XSS flaws are found in these framework components you rely on. An update is released to fix these flaws but you don't update your libraries. Until you do, attackers can easily find and exploit these flaws in your app.
  • 7. Example Scenarios
    Scenario #2: The app server admin console is automatically installed and not removed. Default accounts aren't changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords and takes over.
  • 8. How we protect ourselves
    Don't give away info about your stack
    Change default user accounts
    Delete unused pages and user accounts
    Turn off unused services
    Disable directory listings if they are not necessary, or set access controls to deny all requests
    Stay up to date on patches
    Consider internal attackers as well as external
    Use automated scanners
  • 9. Change default accounts
    When you install an OS or server tool, it has a default root account with a default password. Examples:
      Windows - "Administrator" & "Administrator"
      SQL Server - "sa" & no password
      Oracle - "MASTER" & "PASSWORD"
      Apache - "root" & "change this"
    Make sure you change these passwords!
    Completely delete the accounts when possible.
  • 10. Delete unused accounts
    As soon as an employee or contractor leaves, change his password. Change his username. Move files and delete the account.
    Look for old client accounts and delete them.
  • 11. Turn off unused services
    Look through all running services. If they're not being used, turn them off. Disable them upon system start up.
    Pay particular attention to:
      Services enabled upon install
        ― Remote debugging
        ― Content management
      Services turned on ad hoc
        ― One-time use
        ― "This is a temporary repair. We'll put a better solution in later."
      Inside IIS, too
        ― Directory browsing
        ― Ability to run scripts and executables
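Slides 8 and 11 tell you to hide stack details and switch off directory browsing, but not how to check that you actually did. The following is an added example, not code from the deck or from OWASP: a small audit script for an Apache httpd.conf (the deck's IIS example has the equivalent setting under directory browsing, but Apache's text configuration is easier to show). The sample configuration, the function name `audit_apache_config` and the finding format are my own assumptions; the directive names and their defaults (`ServerTokens` defaults to `Full`, `ServerSignature` to `Off`, and `Options All` includes `Indexes`) are Apache's.

```python
import re
from typing import Dict, List

# Constructed httpd.conf fragment for this example (not taken from the deck):
# it advertises the full Apache version string and leaves directory listings
# enabled on the document root, while the uploads directory is configured correctly.
SAMPLE_HTTPD_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/uploads">
    Options -Indexes
</Directory>
"""


def _finding(line: int, issue: str, fix: str) -> Dict[str, object]:
    return {"line": line, "issue": issue, "fix": fix}


def audit_apache_config(conf_text: str) -> List[Dict[str, object]]:
    """Scan an Apache configuration for two of the misconfigurations the slides
    call out: version disclosure (ServerTokens / ServerSignature) and directory
    listings (Options Indexes or All). Returns one finding per offending line;
    line 0 marks a directive that is absent and therefore takes an unsafe default
    (ServerTokens defaults to Full; ServerSignature defaults to Off, so its
    absence is fine)."""
    findings: List[Dict[str, object]] = []
    saw_server_tokens = False
    directory = None  # path of the enclosing <Directory> block, if any

    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments are whole lines
            continue
        opener = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.IGNORECASE)
        if opener:
            directory = opener.group(1)
            continue
        if line.lower() == "</directory>":
            directory = None
            continue

        directive, *args = line.split()
        directive = directive.lower()
        if directive == "servertokens":
            saw_server_tokens = True
            if not args or args[0].lower() != "prod":
                findings.append(_finding(
                    lineno,
                    f"ServerTokens {' '.join(args)} reveals version details in the Server header",
                    "ServerTokens Prod"))
        elif directive == "serversignature":
            if args and args[0].lower() != "off":
                findings.append(_finding(
                    lineno,
                    "ServerSignature adds the server version to error pages and listings",
                    "ServerSignature Off"))
        elif directive == "options":
            # Options takes absolute ("Indexes", "All") or relative ("+Indexes") forms;
            # "All" enables Indexes as well. "-Indexes" is the fix, not a finding.
            for arg in args:
                if arg.lower() in ("indexes", "+indexes", "all", "+all"):
                    where = f" for {directory}" if directory else " (server-wide)"
                    findings.append(_finding(
                        lineno,
                        f"Options {arg} enables directory listings{where}",
                        "Options -Indexes (or remove Indexes)"))

    if not saw_server_tokens:
        findings.append(_finding(
            0,
            "ServerTokens not set; the default (Full) discloses OS and module versions",
            "ServerTokens Prod"))
    return findings


if __name__ == "__main__":
    for f in audit_apache_config(SAMPLE_HTTPD_CONF):
        print(f"line {f['line']}: {f['issue']} -> fix: {f['fix']}")
```

Run against the sample it reports three lines: the `ServerTokens Full`, the `ServerSignature On`, and the `Options Indexes` on the document root; the uploads block, which already carries `-Indexes`, produces nothing. A check like this belongs in the same place as the rest of your configuration review (a pre-deployment script or a CI step), so the defaults the slides warn about are caught before the server is exposed rather than by a scanner afterwards.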
  • 12. White list pages
    Serve only pages that are allowed. Intercept requests for pages and disallow any request for something other than *.html, *.jsp, *.js, *.css, etc.
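The slide describes the allowlist check but not the details that decide whether it holds up: the comparison has to run on the decoded, normalized path, and it has to refuse traversal segments and null bytes instead of letting them reach the file system. The following is an added example, not code from the deck: a Python predicate that accepts a request only when the normalized path ends in one of the listed extensions. The extension set `ALLOWED_EXTENSIONS`, the function name `is_request_allowed` and the sample paths are my own assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Allowlist of file types the slide names (constructed for this example).
ALLOWED_EXTENSIONS = frozenset({".html", ".jsp", ".js", ".css"})


def is_request_allowed(request_target: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Return True only if the request path, after decoding and normalizing,
    ends in an allowed extension. Anything else is refused: other file types,
    traversal segments, null bytes, double-encoded paths and relative paths."""
    path = urlsplit(request_target).path   # ignore query string and fragment
    path = unquote(path)                   # decode %2e, %2f etc. before inspecting
    if "%" in path:                        # still encoded after one pass: double encoding
        return False
    if "\x00" in path:                     # a null byte can truncate the path in native code
        return False
    if not path.startswith("/"):           # request targets must be absolute paths
        return False
    if ".." in path.split("/"):            # reject traversal before normpath would hide it
        return False
    norm = posixpath.normpath(path)        # collapse "." segments and repeated slashes
    ext = posixpath.splitext(norm)[1].lower()  # compare extensions case-insensitively
    return ext in allowed


if __name__ == "__main__":
    samples = ("/index.html", "/app/Page.JSP?id=1", "/static/../etc/passwd",
               "/css/%2e%2e/secret.html", "/admin/console.php", "/")
    for target in samples:
        print(target, "->", "allow" if is_request_allowed(target) else "deny")
```

Two design points worth noting. The traversal check runs on the raw segments before `normpath`, because `posixpath.normpath("/../etc/passwd")` silently collapses to `/etc/passwd` and would make the request look clean. The predicate also refuses the bare `/`, so the default document (for example mapping `/` to `/index.html`) has to be resolved before this check rather than after it, otherwise the site's front page would be blocked.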
  • 13. Update patches
    Patch Tuesday is the most overlooked defense
      * Patch Tuesday is usually the second Tuesday of each month
    Day-one vulnerabilities
    Subscribe to vendors' alert lists
      http://www.microsoft.com/security/pc-security/default.aspx#Security-Updates
      RSS feed: http://www.novell.com/company/rss/patches.html
  • 14. CONCLUSIONS
    Safeguarding your website from malicious users and attacks is important, regardless of what type of site you have or how many visitors your site receives. Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions. While there is no one-size-fits-all security configuration, you can use these points to develop a plan that works for your situation. I hope that this presentation helps you to create such a plan.
  • 15. Resources
    1. OWASP http://www.owasp.org/
    2. DB of known default accounts http://www.cirt.net/passwords
    3. Web Protection Site Scanner https://www.websiteprotection.com/
    4. Vulnerability scanning software http://sectools.org/web-scanners.html
  • 16. Discussion