Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Security misconfiguration
Vladimir Polumirac
e-mail: [email protected]
d0is.wordpress.com
FB: facebook.com/vpolumirac
Twitter: twitter.com/d0is
23/07/2012
INTRODUCTION
New to the OWASP Top 10. It was there in 2004 and on the OWASP list in 2007. Security misconfiguration happens when system administrators, DBAs and developers leave security holes in the configuration of computer systems.
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code.
WEB APPLICATION SECURITY
How attackers do it
Collecting info about the targeted system's stack:
- OS and version number
- Web server type (Apache, IIS, etc.)
- RDBMS (MySQL, SQL Server, Oracle, etc.)
- Web development language
- Tools/libraries used (Hibernate, etc.)
Check their data sources for all known exploits against any part of that stack. There are known vulnerabilities for each level of the stack. Begin hacking away.
Example Scenarios
Scenario #1: Your application relies on a powerful framework like Struts or Spring. XSS flaws are found in the framework components you rely on. An update is released to fix these flaws, but you don't update your libraries. Until you do, attackers can easily find and exploit these flaws in your app.
Example Scenarios
Scenario #2: The app server admin console is automatically installed and not removed. Default accounts aren't changed. The attacker discovers that the standard admin pages are on your server, logs in with the default passwords and takes over.
How we protect ourselves
- Don't give away info about your stack
- Change default user accounts
- Delete unused pages and user accounts
- Turn off unused services
- Disable directory listings if they are not necessary, or set access controls to deny all requests
- Stay up to date on patches
- Consider internal attackers as well as external
- Use automated scanners
Change default accounts
When you install an OS or server tool, it has a default root account with a default password. Examples:
- Windows: "Administrator" & "Administrator"
- SQL Server: "sa" & no password
- Oracle: "MASTER" & "PASSWORD"
- Apache: "root" & "change this"
Make sure you change these passwords! Completely delete the accounts when possible.
Delete unused accounts
- As soon as an employee or contractor leaves, change his password
- Change his username
- Move files and delete the account
- Look for old client accounts and delete them
Turn off unused services
- Look through all running services
- If they're not being used, turn them off
- Disable them upon system start up
- Pay particular attention to:
  ― Services enabled upon install (remote debugging, content management)
  ― Services turned on ad-hoc for one-time use ("This is a temporary repair. We'll put a better solution in later.")
- Inside IIS, too: directory browsing, ability to run scripts and executables
White list pages
Serve only pages that are allowed. Intercept requests for pages and disallow any request for something other than *.html, *.jsp, *.js, *.css, etc.
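As an added illustration of the allow-list idea on this slide (example code, not part of the original presentation), the Python below checks a request path against the slide's extension list after normalising it, so that directory requests, traversal segments, hidden files and double extensions are refused, and wraps any WSGI app so disallowed requests never reach it. The extension set and the 403 response are assumptions chosen for the example.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Extensions the web tier may serve, taken from the slide (*.html, *.jsp, *.js, *.css).
ALLOWED_EXTENSIONS = frozenset({".html", ".jsp", ".js", ".css"})


def is_request_allowed(raw_target, allowed=ALLOWED_EXTENSIONS):
    """Return True only if the request target names a file with an allowed extension.

    The query string and fragment are ignored, percent-escapes are decoded, and the
    path is normalised before the extension is examined, so "/a/../x.html" is judged
    as "/x.html" and "/docs/../WEB-INF/web.xml" as "/WEB-INF/web.xml".
    """
    path = unquote(urlsplit(raw_target).path)
    # NUL bytes and backslashes have no place in a URL path; reject rather than guess.
    if "\x00" in path or "\\" in path:
        return False
    # Relative targets are not valid request paths; only absolute paths are considered.
    if not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)          # collapses ".", ".." and duplicate slashes
    filename = posixpath.basename(norm)      # "" for "/" (a directory, never a page)
    _, ext = posixpath.splitext(filename)    # ".htaccess" yields no extension -> denied
    return ext.lower() in allowed


def allow_list_middleware(app):
    """Wrap a WSGI app so that only allow-listed page requests reach it."""
    def wrapper(environ, start_response):
        # PATH_INFO is already decoded by the server; re-decoding is harmless here
        # because the path is normalised after decoding.
        if not is_request_allowed(environ.get("PATH_INFO", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return app(environ, start_response)
    return wrapper
```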
Update patches
- Patch Tuesday is the most overlooked defense (Patch Tuesday is usually the second Tuesday of each month)
- Day-one vulnerabilities
- Subscribe to vendors' alert lists: http://www.microsoft.com/security/pc-security/default.aspx#Security-Updates
- RSS feed: http://www.novell.com/company/rss/patches.html
CONCLUSIONS
Safeguarding your website from malicious users and attacks is important, regardless of what type of site you have or how many visitors your site receives.
Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions.
While there is no one-size-fits-all security configuration, you can use these points to develop a plan that works for your situation. I hope that this presentation helps you to create such a plan.
Resources
1. OWASP: http://www.owasp.org/
2. DB of known default accounts: http://www.cirt.net/passwords
3. Web Protection Site Scanner: https://www.websiteprotection.com/
4. Vulnerability scanning software: http://sectools.org/web-scanners.html
Discussion