OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

  1. Ali Hussein, Ali.hussein@owasp.org. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. owasp.org/index.php/Khartoum
  2. New to the OWASP Top 10. Was there in 2004; on the OWASP list in 2007. System admins, DBAs and developers leave security holes in the configuration of computer systems.
  3. Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.
  4. Threat Agents: Consider anonymous external attackers as well as users with their own accounts that may attempt to compromise the system. Also consider insiders wanting to disguise their actions.
     Attack Vectors (Exploitability: EASY): Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
     Security Weakness (Prevalence: COMMON; Detectability: EASY): Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
     Technical Impacts (Impact: MODERATE): Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
     Business Impact: The system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time. Recovery costs could be expensive.
  5. Security misconfiguration can happen at any level of an application stack, including: the platform, web server, application server, framework and custom code.
  7. Collecting info about the targeted system's stack: OS and version number; web server type (Apache, IIS, etc.); web development language. Attackers then check their data sources for all known exploits against any part of that stack. There are known vulnerabilities for each level of the stack. Begin hacking away.
  8. Scenario #1:
     • Your application relies on a powerful framework like Struts or Spring.
     • XSS flaws are found in these framework components you rely on.
     • An update is released to fix these flaws, but you don't update your libraries.
     • Until you do, attackers can easily find and exploit these flaws in your app.
  10. Scenario #2:
     • The app server admin console is automatically installed and not removed.
     • Default accounts aren't changed.
     • Attacker discovers the standard admin pages are on your server, logs in with default passwords and takes over.
  12. ASP.NET web.config setting for custom error pages (hides detailed error output from clients):
     <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
  13. • Change default user accounts.
     • Delete unused pages and user accounts.
     • Turn off unused services.
     • Disable directory listings if they are not necessary, or set access controls to deny all requests.
     • Stay up to date on patches.
     • Consider internal attackers as well as external.
     • Use automated scanners.
  14. When you install an OS or server tool, it has a default root account with a default password. Examples:
     • Windows: "Administrator" / "Administrator"
     • SQL Server: "sa" / no password
     • Oracle: "MASTER" / "PASSWORD"
     • Apache: "root" / "change this"
     Make sure you change these passwords! Completely delete the accounts when possible.
  15. • As soon as an employee or contractor leaves, change his password.
     • Change his username.
     • Move files and delete the account.
     • Look for old client accounts and delete them.
  16. Look through all running services; if they're not being used, turn them off. Disable them upon system start-up. Pay particular attention to services enabled upon install:
     • Remote debugging
     • Remote registry
     • Content management
     Inside IIS, too:
     • Directory browsing
     • Ability to run scripts and executables
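The two web.config settings the deck touches, the customErrors line on slide 12 and IIS directory browsing on slide 16, can be checked mechanically. This is an added example, not code from the slides or from OWASP; the sample configs and the finding strings are constructed for it, and the element names (system.web/customErrors, system.webServer/directoryBrowse) are the standard ASP.NET and IIS ones.

```python
"""Added example, not from the slides: audit an ASP.NET/IIS web.config for
two settings the deck calls out, detailed error pages exposed to clients
(slide 12's customErrors) and IIS directory browsing (slide 16)."""
import xml.etree.ElementTree as ET

# Constructed sample: both weak settings present.
WEAK_CONFIG = """<configuration>
  <system.web><customErrors mode="Off" /></system.web>
  <system.webServer><directoryBrowse enabled="true" /></system.webServer>
</configuration>"""

# Constructed sample: the hardened version, using the slide's customErrors line.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
  </system.web>
  <system.webServer><directoryBrowse enabled="false" /></system.webServer>
</configuration>"""


def child(elem, tag):
    """First direct child with the given tag, or None. Tags such as
    'system.web' contain a dot, so plain iteration avoids path-syntax surprises."""
    if elem is None:
        return None
    return next((c for c in elem if c.tag == tag), None)


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    root = ET.fromstring(xml_text)

    errors = child(child(root, "system.web"), "customErrors")
    if errors is None:
        findings.append("customErrors not declared: set mode=On with a defaultRedirect")
    else:
        mode = errors.get("mode", "").lower()
        if mode == "off":
            findings.append("customErrors mode=Off: detailed errors are shown to every client")
        elif mode == "on" and not errors.get("defaultRedirect"):
            findings.append("customErrors mode=On without defaultRedirect: no custom error page")

    browse = child(child(root, "system.webServer"), "directoryBrowse")
    if browse is not None and browse.get("enabled", "false").lower() == "true":
        findings.append("directoryBrowse enabled=true: IIS lists directory contents")
    return findings
```

Run it over each deployed web.config as part of a build or deployment check; the same pattern extends to any other setting you decide to pin.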
  17. Serve only pages that are allowed. Intercept requests for pages and disallow any request for something other than *.html, *.jsp, *.js, *.css, etc.
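Slide 17's rule as a request filter, added here as an example and not taken from the slides: it decides from the request target alone whether the URL may be served, and it decodes and normalises the path first so that an encoded or traversing request is judged on the path the server would actually resolve. The function names and the allowed-extension set are this example's own choices.

```python
"""Added example, not from the slides: an allowlist request filter for the
rule on slide 17. Only the listed extensions are served; the path is decoded
and normalised first so encoded or traversing paths cannot slip past the check."""
import posixpath
from urllib.parse import unquote, urlsplit

# Extensions the slide names as servable; everything else is refused.
ALLOWED_EXTENSIONS = {".html", ".jsp", ".js", ".css"}


def normalize_path(raw_target):
    """Reduce a request target to the path the server would actually resolve."""
    path = urlsplit(raw_target).path          # drop ?query and #fragment
    path = unquote(unquote(path))             # undo single and double URL-encoding
    return posixpath.normpath("/" + path.lstrip("/"))   # collapse ./ and ../


def is_request_allowed(raw_target):
    """True only if the normalised path ends in an allowed extension."""
    path = normalize_path(raw_target)
    if any(ord(ch) < 32 for ch in path):      # %00 and other control bytes: refuse
        return False
    if path == "/":                           # site root: the default document applies
        return True
    name = posixpath.basename(path)
    if name.startswith("."):                  # .htaccess, .git, .env and similar
        return False
    _, ext = posixpath.splitext(name)         # only the last extension counts,
    return ext.lower() in ALLOWED_EXTENSIONS  # so index.jsp.bak -> .bak -> refused
```

A directory request such as /images/ has no extension and is refused, which matches slide 13's advice on directory listings; the filter complements, but does not replace, access control on pages that do carry an allowed extension.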
  18. Patch Tuesday is the most overlooked defense.
     • Day-one vulnerabilities
     • Subscribe to vendors' alert lists: http://www.microsoft.com/security/pc-security/default.aspx#Security-Updates (RSS feed: http://www.novell.com/company/rss/patches.html)
  20. Safeguarding your website from malicious users and attacks is important, regardless of what type of site you have or how many visitors your site receives. Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions. While there is no one-size-fits-all security configuration, you can use these points to develop a plan that works for your situation. I hope that this presentation helps you to create such a plan.
  21. • OWASP Development Guide: Chapter on Configuration
     • OWASP Code Review Guide: Chapter on Error Handling
     • OWASP Testing Guide: Configuration Management
     • OWASP Testing Guide: Testing for Error Codes
     • OWASP Top 10 2004 – Insecure Configuration Management
     • CIS Security Configuration Guides/Benchmarks
     • http://www.spiralsecurity.com/blog/?p=190