Security misconfiguration occurs when system administrators, database administrators, and developers leave security holes in the configuration of computer systems. An attacker can access default accounts, unused pages, unpatched flaws, and unprotected files and directories. Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Typical attacks involve finding information about the operating system type and version, libraries, tools, web server type, and web development language in order to exploit vulnerabilities. Organizations can prevent security misconfiguration by updating software, removing default credentials, disabling unused components, conducting security scans, and implementing secure configuration practices.

1. Security
Misconfiguration
Sorina-Georgiana CHIRILĂ - 2013

2. About
●
“ This happens when
the system admins ,
DBAs and developers
leave security holes in the
configuration of computer
systems. ”
A5
http://www.inteco.es
htts://www.inteco.es

3. Idea(1)
Attacker accesses :
●
●
●
●
default accounts,
unused pages,
unpatched flaws,
unprotected files and directories.
Security misconfiguration can happen at any
level on an application stack:
●
●
●
●
●
including the platform,
web & application server,
database,
framework,
custom code.

4. Idea(2)
http://www.slideshare.net/tabaradetestare

5. Example
●
Get information about server type or current web development language .

6. Typical attack approach
●
●
Find information related to : OS type and version, libraries, tools, Web server type ,web
development language,
And then

7. How to prevent ?
●
●
●
●
●
●
●
●
●
●
Remove/ change default credentials,
Keep up to date software,
Look for disabling unused components or services,
Take in consideration automated scanners(OpenVAS, WATOBO,WebScarab, https://asafaweb.
com/),
Setup a process for security updates,
Use minimal privileges everywhere,
Remove all unused pages and user accounts,
Create whitelist pages,
Update patches(small piece of software used to correct a problem with OS for example),
Review configuration default for : frameworks, db, web server ….

8. Case studies

9. Resources
●
●
●
●
●
●
●
●
●
●
●
●
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration,
http://www.slideshare.net/skoussa/simplified-security-code-review-process,
http://www.slideshare.net/tabaradetestare/security-testing-21078196,
http://eric-diehl.com/category/security/,
http://www.slideshare.net/owaspkhartoum/owasp-kartoum-top-10-a6-8th-meeting,
https://www.mavitunasecurity.com/blog/owasp-top-10-2013/,
http://www.slideshare.net/RapPayne/a6-security-misconfigurationpptx,
http://www.slideshare.net/carlo.bonamico/is-my-web-application-secure-owasp-top-ten-security-risks-and-beyond,
https://isc.sans.edu/presentations/SANSFIRE2012-Russ_McRee-OWASPTop10.pdf,
http://projects.webappsec.org/w/page/13246914/Application%20Misconfiguration,
http://cwe.mitre.org/data/definitions/933.html,
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration.

10. Thank You!