OWASP Serbia - A6 security misconfiguration


Published in: Education, Technology
  1. Security misconfiguration. Vladimir Polumirac, e-mail: v.polumirac@sbb.rs, blog: d0is.wordpress.com, FB: facebook.com/vpolumirac, Twitter: twitter.com/d0is. OWASP, 23/07/2012. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  2. INTRODUCTION. New to the OWASP Top 10. Was there in 2004. On the OWASP list in 2007. This happens when system administrators, DBAs and developers leave security holes in the configuration of computer systems.
  3. Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code.
  5. How attackers do it
     - Collect information about the targeted system's stack: OS and version number; web server type (Apache, IIS, etc.); RDBMS (MySQL, SQL Server, Oracle, etc.); web development language; tools/libraries used (Hibernate, etc.).
     - Check their data sources for all known exploits against any part of that stack. There are known vulnerabilities for each level of the stack.
     - Begin hacking away.
  6. Example scenarios. Scenario #1: Your application relies on a powerful framework like Struts or Spring. XSS flaws are found in these framework components you rely on. An update is released to fix these flaws, but you don't update your libraries. Until you do, attackers can easily find and exploit these flaws in your app.
  7. Example scenarios. Scenario #2: The app server admin console is automatically installed and not removed. Default accounts aren't changed. An attacker discovers the standard admin pages are on your server, logs in with default passwords and takes over.
  8. How we protect ourselves
     - Don't give away information about your stack.
     - Change default user accounts.
     - Delete unused pages and user accounts.
     - Turn off unused services.
     - Disable directory listings if they are not necessary, or set access controls to deny all requests.
     - Stay up to date on patches.
     - Consider internal attackers as well as external.
     - Use automated scanners.
  9. Change default accounts. When you install an OS or server tool, it has a default root account with a default password. Examples: Windows "Administrator" & "Administrator"; SQL Server "sa" & no password; Oracle "MASTER" & "PASSWORD"; Apache "root" & "change this". Make sure you change these passwords! Completely delete the accounts when possible.
  10. Delete unused accounts. As soon as an employee or contractor leaves, change his password. Change his username. Move files and delete the account. Look for old client accounts and delete them.
  11. Turn off unused services
     - Look through all running services. If they're not being used, turn them off. Disable them upon system start-up.
     - Pay particular attention to:
       - Services enabled upon install: remote debugging, content management.
       - Services turned on ad hoc: one-time use; "This is a temporary repair. We'll put a better solution in later."
       - Inside IIS, too: directory browsing, ability to run scripts and executables.
  12. Whitelist pages. Serve only pages that are allowed. Intercept requests for pages and disallow any request for something other than *.html, *.jsp, *.js, *.css, etc.
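The slide's page allowlist as working code, added here as an example (it is not code from the OWASP Serbia slides). The extension set is an assumption taken from the slide; the request filter also refuses directory requests, dot-segment paths and NUL-injected names, so admin consoles, backup files, hidden files and directory listings are never served.

```python
"""Allowlist request filter (added example, not from the OWASP Serbia slides).

Only request targets that end in an explicitly allowed page extension are
served; everything else is refused, which keeps admin consoles, backup and
config files, hidden files and directory listings unreachable.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption: this site serves only the page types listed on slide 12.
ALLOWED_EXTENSIONS = {".html", ".jsp", ".js", ".css"}


def is_allowed_path(raw_target: str) -> bool:
    """Return True only if the raw request target maps to an allowlisted page.

    The raw (still percent-encoded) target is decoded exactly once so that
    %2e-style tricks are caught by the normalisation comparison below.
    """
    path = unquote(urlsplit(raw_target).path)   # drop ?query / #fragment, decode once
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        return False                              # relative, NUL-injected or backslash path
    if path.endswith("/") or posixpath.normpath(path) != path:
        return False                              # directory request, or ./ ../ // segments
    ext = posixpath.splitext(path)[1].lower()     # "/.htaccess" -> "", "/x.JSP" -> ".jsp"
    return ext in ALLOWED_EXTENSIONS


def triage(targets):
    """Split request targets into (served, refused) lists."""
    served = [t for t in targets if is_allowed_path(t)]
    refused = [t for t in targets if not is_allowed_path(t)]
    return served, refused


if __name__ == "__main__":
    # Constructed sample targets, not taken from any real log.
    samples = ["/index.html", "/app/page.JSP?id=7", "/static/app.js",
               "/manager/html", "/backup.zip", "/.git/config",
               "/css/../WEB-INF/web.xml", "/index.html%00.exe", "/images/"]
    ok, no = triage(samples)
    print("served :", ok)
    print("refused:", no)
```

Because extensionless paths are refused, a bare "/" is also refused; map the site root to index.html in the server before this filter runs.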
  13. Update patches. Patch Tuesday is the most overlooked defense (Patch Tuesday is usually the second Tuesday of each month). Day-one vulnerabilities. Subscribe to vendors' alert lists: http://www.microsoft.com/security/pc-security/default.aspx#Security-Updates and the RSS feed http://www.novell.com/company/rss/patches.html
  14. CONCLUSIONS. Safeguarding your website from malicious users and attacks is important, regardless of what type of site you have or how many visitors your site receives. Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions. While there is no one-size-fits-all security configuration, you can use these points to develop a plan that works for your situation. I hope that this presentation helps you to create such a plan.
  15. Resources
     1. OWASP http://www.owasp.org/
     2. DB of known default accounts http://www.cirt.net/passwords
     3. Web Protection Site Scanner https://www.websiteprotection.com/
     4. Vulnerability scanning software http://sectools.org/web-scanners.html
  16. Discussion