OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Ali Hussein
Ali.hussein@owasp.org

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

owasp.org/index.php/Khartoum

New to the OWASP Top 10.

Was there in 2004. On OWASP list in 2007.

System admins, DBAs and developers leave security
holes in the configuration of computer systems.


owasp.org/index.php/Khartoum 2

Good security requires having a secure configuration
defined and deployed for the application, frameworks,
application server, web server, database server, and
platform. All these settings should be defined,
implemented, and maintained as many are not shipped
with secure defaults. This includes keeping all software
up to date, including all code libraries used by the
application.



Threat Attack Security Weakness Technical Business
Agents Vectors Impacts Impact
Exploitability
EASY Prevalence Detectability Impact
COMMON EASY MODERATE
Consider Attacker Security misconfiguration can Such flaws The system
anonymous accesses happen at any level of an frequently give could be
external default application stack, including attackers completely
attackers as accounts, the platform, web server, unauthorized compromised
well as users unused pages, application server, framework, access to without you
with their own unpatched and custom code. Developers some system knowing it. All
accounts that flaws, and network administrators data or your data
may attempt unprotected need to work together to functionality. could be stolen
to compromise files and ensure that the entire stack is Occasionally, or modified
the system. directories, configured properly. such flaws slowly over
Also consider etc. to gain Automated scanners are result in a time.
insiders unauthorized useful for detecting missing complete
wanting to access to or patches, misconfigurations, system Recovery costs
disguise their knowledge of use of default accounts, compromise. could be
actions. the system. unnecessary services, etc. expensive


Security misconfiguration can happen at any level of
an application stack, including:

the platform
web server
application server
framework
and custom code



Collecting info about the targeted system's stack
 OS and version number , Web server type (Apache, IIS, etc.)
 Web development language.

Check their data sources for all known exploits against any
part of that stack.
 There are known vulnerabilities for each level of the stack.

Begin hacking away.



Scenario #1:

• Your application relies on a powerful framework like
Struts or Spring.
• XSS flaws are found in these framework components
you rely on.
• An update is released to fix these flaws but you don’t
update your libraries.
• Until you do, attackers can easily find and exploit these
flaws in your app.



Scenario #2:
• The app server admin console is automatically
installed and not removed.
• Default accounts aren’t changed.
• Attacker discovers the standard admin pages are on
your server, logs in with default passwords and takes
over.



• Change default user accounts.
• Delete unused pages and user accounts.
• Turn off unused services  .
• Disable directory listings if they are not necessary, or set
access controls to deny all requests.  
• Stay up-to date on patches.
• Consider internal attackers as well as external. 
• Use automated scanners.



When you install an OS or server tool ,it has a default
root account with a default password. Examples:

 Windows - "Administrator"&"Administrator“
 SQL Server - “ sa “ & no password 
 Oracle "MASTER"&"PASSWORD“
 Apache "root"&“ change this“

Make sure you change these passwords!
Completely delete the accounts when possible



 As soon as an employee or contractor leaves, change his
password.
 Change his username. 
 Move files and delete the account 
 Look for old client accounts and delete them.



Look through all running services, If they're not being used,
turn them off.
Disable them upon system start up 
Pay particular attention to: 
Services enabled upon install
―  Remote debugging
―  Remote registry
―  Content management
In side IIS, too 
-- Directory browsing 
-- Ability to run scripts and executables



Serve only pages that are allowed. 
Intercept requests for pages and disallow any request
for something other than...
*.html
*.jsp
*.js
*.css
etc.



Patch Tuesday is the most overlooked defense 
Day-one vulnerabilities 

Subscribe to vendors‘ alert lists 
http://www.microsoft.com/security/pc-security/default.aspx#Security-Updates

RSS feed
http://www.novell.com/company/rss/patches.html



Safeguarding your website from malicious users and
attacks is important, regardless of what type of site
you have or how many visitors your site receives.
Security misconfiguration or poorly configured security
controls, could allow malicious users to change your
website, obtain unauthorized access, compromise
files, or perform other unintended actions.
While there is no one-size-fits-all security configuration,
you can use these points to develop a plan that works
for your situation, I hope that this presentation help
you to create such a plan.


OWASP Development Guide: Chapter on Configuration

OWASP Code Review Guide: Chapter on Error Handling

OWASP Testing Guide: Configuration Management OWASP

Testing Guide: Testing for Error Codes OWASP Top 102004 – Insecure
Configuration Management

CIS Security Configuration Guides/Benchmarks

http://www.spiralsecurity.com/blog/?p=190




owasp.org/index.php/Khartoum

OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Similar to OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration (20)

More from OWASP Khartoum

More from OWASP Khartoum (8)

OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration