MS
Uploaded byMegha Sahu
PPTX, PDF2,168 views

security misconfigurations

The document discusses security misconfiguration as the sixth most dangerous web application vulnerability according to the OWASP Top 10. It defines security misconfiguration as improper configuration settings that can enable attacks. The document outlines how attackers exploit default passwords and privileges, and provides examples of misconfigured systems. It recommends ways to prevent misconfiguration like changing defaults, deleting unnecessary accounts, and keeping systems updated. The document demonstrates how to detect hidden URLs and directory listings using Burp Suite and concludes that misconfiguration poses a high risk if not properly safeguarded against.

Embed presentation

Downloaded 36 times
Security Misconfiguration By Megha Sahu
About me • Chapter Lead at Null Bhopal. • Pursuing BE in 4th year from UIT-RGPV. • Cyber Security Enthusiast. • Current Studying Machine Leaning. • Twitter handle @meghasahu24 • Null profile megha-sahu
Overview 1. What is OWASP Top 10 2. List of OWASP top 10[2017] 3. Introduction to Security Misconfiguration 4. Typical Attack approach 5. How we protect our selves? 6. Demo 1. Hidden URL 2. Directory Listing 7. Conclusion
What is OWASP top 10 • OWASP stand for Open Web Application Security Project. • OWASP Top 10 is a powerful awareness document for web application security. • The materials they offer include documentation, tools, videos, and forums are freely available and easily accessible on their website. • It is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks.
. • A1:-Injection • A2:-Broken Authentication • A3:-Sensitive Data Exposure • A4:-XML External Entities (XXE) • A5:-Broken Access Control • A6:-Security Misconfiguration • A7:-Cross-Site Scripting (XSS) • A8:-Insecure Deserialization • A9:-Using Components with Known Vulnerabilities • A10:-Insufficient Logging & Monitoring
Introduction to Security Misconfiguration • Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure. • This happens when the system administrators, DBAs or developers leave security holes in the configuration. • Good security required proper configuration of systems.
. Security misconfiguration can happen at any level of an application stack, including: • The Platform • Web Server • Application Server • Framework • Custom Code Developers and system administrators need to work together to ensure that the entire stack is configured properly.
Typical attack approach • Find information related to :  OS type and version Libraries Tools Web server type web development language And then
• When you install an OS or server tool ,it has a default root account with a default password. • Examples: Windows - "Administrator“ & "Administrator“ SQL Server - “ sa “ & no password Oracle "MASTER“ & "PASSWORD“ Apache "root“ & “ change this“ Make sure you change these passwords! Completely delete the accounts when possible
How we protect our selves? Do not use default credentials. Delete unused pages and user accounts. Restrict roles and privileges. Stay up-to date on patches. Turn off unused services. Scans and audits(a popular open source tool for Linux is Security Onion) Restrict default configuration options. Strong encryption. Consider internal attackers as well as external. Disable directory listings.
Burp Suite
Example 1: • AIM : To find the hidden URL in the Web Application • Requirement: oVirtual Machine • OWASP broken web application • OWASP web testing environment oBurp suite community Addition oFoxy proxy standard Add-on
Example 2 : • AIM : To find the Directory listing in the Web Application • Requirement: oVirtual Machine • OWASP broken web application • OWASP web testing environment oBurp suite community Addition oFoxy proxy standard Add-on
Conclusion • Security misconfiguration or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions. • Risk: The prevalence of web application misconfiguration is very high in IT industry. • Priority: Safeguarding web application from malicious users and attacks.
References • https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Pro ject • https://support.portswigger.net/customer/portal/articles/1965728-using- burp-to-test-for-security-misconfiguration-issues • https://www.youtube.com/watch?v=vheGnopQm6s&t=514s • https://www.cloudflare.com/learning/security/threats/owasp-top-10/ • https://resources.infosecinstitute.com/2017-owasp-a6-update-security- misconfiguration/#gref • https://bounty.github.com/classifications/security-misconfiguration.html • https://www.youtube.com/watch?v=ouuXu9_UM0w
security misconfigurations
security misconfigurations

More Related Content

PPTX
A5: Security Misconfiguration
byTariq Islam
 
PPTX
The OWASP Zed Attack Proxy
byAditya Gupta
 
PPTX
OWASP TOP 10 VULNERABILITIS
byNull Bhubaneswar
 
PPTX
Web application vulnerability assessment
byRavikumar Paghdal
 
PDF
Owasp top 10
byYasserElsnbary
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
PPTX
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
PDF
Broken access controls
byAkansha Kesharwani
 
A5: Security Misconfiguration
byTariq Islam
 
The OWASP Zed Attack Proxy
byAditya Gupta
 
OWASP TOP 10 VULNERABILITIS
byNull Bhubaneswar
 
Web application vulnerability assessment
byRavikumar Paghdal
 
Owasp top 10
byYasserElsnbary
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
Broken access controls
byAkansha Kesharwani
 

What's hot

PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PPT
OWASP Serbia - A6 security misconfiguration
byNikola Milosevic
 
PPTX
Security misconfiguration
byMicho Hayek
 
PPTX
VAPT PRESENTATION full.pptx
byDARSHANBHAVSAR14
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PDF
Web Application Security 101
byCybersecurity Education and Research Centre
 
PPT
Introduction To OWASP
byMarco Morana
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PDF
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
PPTX
API Security Fundamentals
byJosé Haro Peralta
 
PDF
OWASP API Security Top 10 - API World
by42Crunch
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PPT
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
PDF
Web Application Security and Awareness
byAbdul Rahman Sherzad
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
PPTX
Security misconfiguration
byJiri Danihelka
 
PPT
Intro to Web Application Security
byRob Ragan
 
PDF
Web Application Penetration Testing
byPriyanka Aash
 
PDF
Pentesting Rest API's by :- Gaurang Bhatnagar
byOWASP Delhi
 
PDF
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
OWASP Top 10 2021 What's New
byMichael Furman
 
OWASP Serbia - A6 security misconfiguration
byNikola Milosevic
 
Security misconfiguration
byMicho Hayek
 
VAPT PRESENTATION full.pptx
byDARSHANBHAVSAR14
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
Web Application Security 101
byCybersecurity Education and Research Centre
 
Introduction To OWASP
byMarco Morana
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
API Security Fundamentals
byJosé Haro Peralta
 
OWASP API Security Top 10 - API World
by42Crunch
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
Web Application Security and Awareness
byAbdul Rahman Sherzad
 
WTF is Penetration Testing v.2
byScott Sutherland
 
Security misconfiguration
byJiri Danihelka
 
Intro to Web Application Security
byRob Ragan
 
Web Application Penetration Testing
byPriyanka Aash
 
Pentesting Rest API's by :- Gaurang Bhatnagar
byOWASP Delhi
 
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 

Similar to security misconfigurations

PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPTX
Owasp
bypenetration Tester
 
PDF
Secure coding guidelines
byZakaria SMAHI
 
PDF
A5-Security misconfiguration-OWASP 2013
bySorina Chirilă
 
PDF
OWASP (Open Web Application Security Project) .pdf
bykavsinghta
 
PPT
Owasp top 10 & Web vulnerabilities
byRIZWAN HASAN
 
PPTX
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
PDF
Ofer Maor - OWASP Top 10
byCSAIsrael
 
PDF
Web Security
byGerald Villorente
 
PPTX
Web Application Security Session for Web Developers
byKrishna Srikanth Manda
 
DOCX
supraja technologies material for secure coding
bySri Latha
 
PPTX
Security Misconfiguration.pptx
byKalyani Raut
 
PDF
Web Security
byKHOANGUYNNGANH
 
PDF
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
byOWASP Russia
 
PPTX
Owasp top 10 2017
byibrahimumer2
 
PDF
Top 10 web application security risks akash mahajan
byAkash Mahajan
 
PPTX
Web Security Overview
byNoah Jaehnert
 
PDF
Owasp london training course 2010 - Matteo Meucci
byMatteo Meucci
 
PDF
Security Awareness
byLucas Hendrich
 
PPTX
Web App Security
byDeepak Chandani
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
Owasp
bypenetration Tester
 
Secure coding guidelines
byZakaria SMAHI
 
A5-Security misconfiguration-OWASP 2013
bySorina Chirilă
 
OWASP (Open Web Application Security Project) .pdf
bykavsinghta
 
Owasp top 10 & Web vulnerabilities
byRIZWAN HASAN
 
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
Ofer Maor - OWASP Top 10
byCSAIsrael
 
Web Security
byGerald Villorente
 
Web Application Security Session for Web Developers
byKrishna Srikanth Manda
 
supraja technologies material for secure coding
bySri Latha
 
Security Misconfiguration.pptx
byKalyani Raut
 
Web Security
byKHOANGUYNNGANH
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
byOWASP Russia
 
Owasp top 10 2017
byibrahimumer2
 
Top 10 web application security risks akash mahajan
byAkash Mahajan
 
Web Security Overview
byNoah Jaehnert
 
Owasp london training course 2010 - Matteo Meucci
byMatteo Meucci
 
Security Awareness
byLucas Hendrich
 
Web App Security
byDeepak Chandani
 

More from Megha Sahu

PDF
Nessus Software
byMegha Sahu
 
PPTX
Splunk
byMegha Sahu
 
PPTX
Encase Forensic
byMegha Sahu
 
PPTX
Nmap
byMegha Sahu
 
PPTX
Justcloud
byMegha Sahu
 
PPTX
Aws
byMegha Sahu
 
PPTX
single sign-on
byMegha Sahu
 
PPTX
News Bytes
byMegha Sahu
 
DOCX
Passport Automation System
byMegha Sahu
 
PPTX
Onelogin
byMegha Sahu
 
DOCX
AWS virtual private clould
byMegha Sahu
 
DOCX
Case-Study Flipkart
byMegha Sahu
 
PPTX
Environmental Science
byMegha Sahu
 
DOCX
Startup Theory
byMegha Sahu
 
PPTX
LISTENING SKILLS
byMegha Sahu
 
PPTX
kubernates and micro-services
byMegha Sahu
 
PPTX
presentation
byMegha Sahu
 
Nessus Software
byMegha Sahu
 
Splunk
byMegha Sahu
 
Encase Forensic
byMegha Sahu
 
Nmap
byMegha Sahu
 
Justcloud
byMegha Sahu
 
Aws
byMegha Sahu
 
single sign-on
byMegha Sahu
 
News Bytes
byMegha Sahu
 
Passport Automation System
byMegha Sahu
 
Onelogin
byMegha Sahu
 
AWS virtual private clould
byMegha Sahu
 
Case-Study Flipkart
byMegha Sahu
 
Environmental Science
byMegha Sahu
 
Startup Theory
byMegha Sahu
 
LISTENING SKILLS
byMegha Sahu
 
kubernates and micro-services
byMegha Sahu
 
presentation
byMegha Sahu
 

Recently uploaded

PDF
222109_MD_MILTON_HOSSAIN_26TH_BATCH_REGULAR_PMIT V5.pdf
byMILTONKHAN5
 
PDF
Stern-Gerlach-Experiment from quantum mechanics
byjhapratik970
 
PDF
PRIZ Academy - Thinking The Skill Everyone Forgot
byPRIZ Guru
 
PPTX
Washing-Machine-Simulation-using-PICSimLab.pptx
byhelppolytechnic24
 
PPTX
introduction-to-maintenance- Dr. Munthear Alqaderi
byDr. Munthear Alqaderi
 
PPTX
Computer engineering for collage studen. pptx
byestradageric
 
PPTX
AI at the Crossroads_ Transforming the Future of Green Technology.pptx
bygreentechnexus2024
 
PDF
Advancements in Telecommunication for Disaster Management (www.kiu.ac.ug)
bypublication11
 
PDF
Soil Permeability and Seepage-Irrigation Structures
byMedoAbdelrahman
 
PDF
Why Buildings Crumble Before Their Time And How We Can Build a Legacy
byinfoplanetcon
 
PDF
Best Marketplaces to Buy Snapchat Accounts in 2025.pdf
byys3ik6l8c3ftbz
 
PDF
@Regenerative braking system of DC motor
bysangamkumar993613
 
PDF
ANPARA THERMAL POWER STATION[1] sangam.pdf
bysangamkumar993613
 
PPTX
Supercapacitor.pptx...............................
byTarikBouchala
 
PPTX
Lead-acid battery.pptx.........................
byTarikBouchala
 
PPT
399-Cathodic-Protection-Presentation.ppt
byMekine
 
PPTX
Principles of Energy Efficiency_ Doing More with Less
bygreentechnexus2024
 
PPTX
2-Photoelectric effect, phenomena and its related concept.pptx
byadhidwih
 
PPTX
clustering type :hierarchical clustering.pptx
bydeepalishinkar1
 
PPTX
TRANSPORTATION ENGINEERING Unit-5.2.pptx
byMood Naik
 
222109_MD_MILTON_HOSSAIN_26TH_BATCH_REGULAR_PMIT V5.pdf
byMILTONKHAN5
 
Stern-Gerlach-Experiment from quantum mechanics
byjhapratik970
 
PRIZ Academy - Thinking The Skill Everyone Forgot
byPRIZ Guru
 
Washing-Machine-Simulation-using-PICSimLab.pptx
byhelppolytechnic24
 
introduction-to-maintenance- Dr. Munthear Alqaderi
byDr. Munthear Alqaderi
 
Computer engineering for collage studen. pptx
byestradageric
 
AI at the Crossroads_ Transforming the Future of Green Technology.pptx
bygreentechnexus2024
 
Advancements in Telecommunication for Disaster Management (www.kiu.ac.ug)
bypublication11
 
Soil Permeability and Seepage-Irrigation Structures
byMedoAbdelrahman
 
Why Buildings Crumble Before Their Time And How We Can Build a Legacy
byinfoplanetcon
 
Best Marketplaces to Buy Snapchat Accounts in 2025.pdf
byys3ik6l8c3ftbz
 
@Regenerative braking system of DC motor
bysangamkumar993613
 
ANPARA THERMAL POWER STATION[1] sangam.pdf
bysangamkumar993613
 
Supercapacitor.pptx...............................
byTarikBouchala
 
Lead-acid battery.pptx.........................
byTarikBouchala
 
399-Cathodic-Protection-Presentation.ppt
byMekine
 
Principles of Energy Efficiency_ Doing More with Less
bygreentechnexus2024
 
2-Photoelectric effect, phenomena and its related concept.pptx
byadhidwih
 
clustering type :hierarchical clustering.pptx
bydeepalishinkar1
 
TRANSPORTATION ENGINEERING Unit-5.2.pptx
byMood Naik
 

security misconfigurations

  • 1.
  • 2.
    About me • ChapterLead at Null Bhopal. • Pursuing BE in 4th year from UIT-RGPV. • Cyber Security Enthusiast. • Current Studying Machine Leaning. • Twitter handle @meghasahu24 • Null profile megha-sahu
  • 3.
    Overview 1. What isOWASP Top 10 2. List of OWASP top 10[2017] 3. Introduction to Security Misconfiguration 4. Typical Attack approach 5. How we protect our selves? 6. Demo 1. Hidden URL 2. Directory Listing 7. Conclusion
  • 4.
    What is OWASPtop 10 • OWASP stand for Open Web Application Security Project. • OWASP Top 10 is a powerful awareness document for web application security. • The materials they offer include documentation, tools, videos, and forums are freely available and easily accessible on their website. • It is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks.
  • 5.
    . • A1:-Injection • A2:-BrokenAuthentication • A3:-Sensitive Data Exposure • A4:-XML External Entities (XXE) • A5:-Broken Access Control • A6:-Security Misconfiguration • A7:-Cross-Site Scripting (XSS) • A8:-Insecure Deserialization • A9:-Using Components with Known Vulnerabilities • A10:-Insufficient Logging & Monitoring
  • 6.
    Introduction to SecurityMisconfiguration • Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure. • This happens when the system administrators, DBAs or developers leave security holes in the configuration. • Good security required proper configuration of systems.
  • 7.
    . Security misconfiguration canhappen at any level of an application stack, including: • The Platform • Web Server • Application Server • Framework • Custom Code Developers and system administrators need to work together to ensure that the entire stack is configured properly.
  • 8.
    Typical attack approach •Find information related to :  OS type and version Libraries Tools Web server type web development language And then
  • 9.
    • When youinstall an OS or server tool ,it has a default root account with a default password. • Examples: Windows - "Administrator“ & "Administrator“ SQL Server - “ sa “ & no password Oracle "MASTER“ & "PASSWORD“ Apache "root“ & “ change this“ Make sure you change these passwords! Completely delete the accounts when possible
  • 10.
    How we protectour selves? Do not use default credentials. Delete unused pages and user accounts. Restrict roles and privileges. Stay up-to date on patches. Turn off unused services. Scans and audits(a popular open source tool for Linux is Security Onion) Restrict default configuration options. Strong encryption. Consider internal attackers as well as external. Disable directory listings.
  • 12.
  • 13.
    Example 1: • AIM: To find the hidden URL in the Web Application • Requirement: oVirtual Machine • OWASP broken web application • OWASP web testing environment oBurp suite community Addition oFoxy proxy standard Add-on
  • 14.
    Example 2 : •AIM : To find the Directory listing in the Web Application • Requirement: oVirtual Machine • OWASP broken web application • OWASP web testing environment oBurp suite community Addition oFoxy proxy standard Add-on
  • 15.
    Conclusion • Security misconfigurationor poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions. • Risk: The prevalence of web application misconfiguration is very high in IT industry. • Priority: Safeguarding web application from malicious users and attacks.
  • 16.
    References • https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Pro ject • https://support.portswigger.net/customer/portal/articles/1965728-using- burp-to-test-for-security-misconfiguration-issues •https://www.youtube.com/watch?v=vheGnopQm6s&t=514s • https://www.cloudflare.com/learning/security/threats/owasp-top-10/ • https://resources.infosecinstitute.com/2017-owasp-a6-update-security- misconfiguration/#gref • https://bounty.github.com/classifications/security-misconfiguration.html • https://www.youtube.com/watch?v=ouuXu9_UM0w