
OWASP Serbia - A6 security misconfiguration


Page 1: OWASP Serbia - A6 security misconfiguration

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Security misconfiguration

Vladimir Polumirac
e-mail: [email protected]
blog: d0is.wordpress.com
FB: facebook.com/vpolumirac
Twitter: twitter.com/d0is

23/07/2012

Page 2: OWASP Serbia - A6 security misconfiguration


INTRODUCTION

- New to the OWASP Top 10.
- Was there in 2004.
- On the OWASP list in 2007.
- This happens when system administrators, DBAs and developers leave security holes in the configuration of computer systems.

Page 3: OWASP Serbia - A6 security misconfiguration


Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code.

Page 4: OWASP Serbia - A6 security misconfiguration


WEB APPLICATION SECURITY


Page 5: OWASP Serbia - A6 security misconfiguration


How attackers do it

- Collecting info about the targeted system's stack:
  - OS and version number
  - Web server type (Apache, IIS, etc.)
  - RDBMS (MySQL, SQL Server, Oracle, etc.)
  - Web development language
  - Tools/libraries used (Hibernate, etc.)
- Check their data sources for all known exploits against any part of that stack. There are known vulnerabilities for each level of the stack.
- Begin hacking away.

Page 6: OWASP Serbia - A6 security misconfiguration


Example Scenarios

Scenario #1: Your application relies on a powerful framework like Struts or Spring. XSS flaws are found in these framework components you rely on. An update is released to fix these flaws but you don't update your libraries. Until you do, attackers can easily find and exploit these flaws in your app.

Page 7: OWASP Serbia - A6 security misconfiguration


Example Scenarios

Scenario #2: The app server admin console is automatically installed and not removed. Default accounts aren't changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords and takes over.

Page 8: OWASP Serbia - A6 security misconfiguration


How we protect ourselves

- Don't give away info about your stack.
- Change default user accounts.
- Delete unused pages and user accounts.
- Turn off unused services.
- Disable directory listings if they are not necessary, or set access controls to deny all requests.
- Stay up to date on patches.
- Consider internal attackers as well as external.
- Use automated scanners.
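The first and last points of this list (stop revealing your stack, use automated scanners) can be checked from the responses your own server sends. The script below is an added example, not code from the OWASP deck: it runs over three constructed HTTP responses embedded in the file and flags version strings in the Server header, technology-revealing headers such as X-Powered-By, and the default title Apache puts on an auto-generated directory listing. The sample responses and the header list are this example's own assumptions.

```python
"""Audit captured HTTP responses for signs of security misconfiguration.

Added example, not code from the OWASP deck. It runs over constructed
responses embedded below, so it works offline; in practice the same
checks would run over responses captured from your own servers.
"""
import re

# Constructed sample responses: one leaking versions, one with directory
# listing enabled, and one that is clean.
SAMPLE_RESPONSES = {
    "leaky": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.22 (Ubuntu)\r\n"
        "X-Powered-By: PHP/5.3.10\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>hello</body></html>"
    ),
    "listing": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><head><title>Index of /backup</title></head>"
        '<body><h1>Index of /backup</h1><a href="db.sql">db.sql</a></body></html>'
    ),
    "clean": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><body>hello</body></html>"
    ),
}

# "Apache/2.2.22" or "PHP/5.3.10": a product name followed by a version.
VERSION_RE = re.compile(r"/\d+(?:\.\d+)+")
# The title Apache puts on auto-generated directory listings.
LISTING_RE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
# Headers that reveal the technology stack even without a version number.
STACK_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw):
    """Return a list of findings for one raw HTTP response (empty if clean)."""
    _, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"server version disclosed: {server}")
    for name in STACK_HEADERS:
        if name in headers:
            findings.append(f"stack disclosed in {name}: {headers[name]}")
    if LISTING_RE.search(body):
        findings.append("directory listing enabled")
    return findings


def audit_all(responses):
    """Map each response label to its findings, leaving out clean responses."""
    result = {}
    for label, raw in responses.items():
        findings = audit_response(raw)
        if findings:
            result[label] = findings
    return result


if __name__ == "__main__":
    for label, findings in audit_all(SAMPLE_RESPONSES).items():
        for finding in findings:
            print(f"{label}: {finding}")
```

A "clean" Server header that names the product without a version is deliberately not flagged: the slide's point is not to hand out version numbers, and hiding the product name entirely is a separate hardening step.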

Page 9: OWASP Serbia - A6 security misconfiguration


Change default accounts

When you install an OS or server tool, it has a default root account with a default password. Examples:

- Windows: "Administrator" & "Administrator"
- SQL Server: "sa" & no password
- Oracle: "MASTER" & "PASSWORD"
- Apache: "root" & "change this"

Make sure you change these passwords! Completely delete the accounts when possible.

Page 10: OWASP Serbia - A6 security misconfiguration


Delete unused accounts

- As soon as an employee or contractor leaves, change his password.
- Change his username.
- Move files and delete the account.
- Look for old client accounts and delete them.
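The two account slides (change default accounts, delete unused accounts) describe one recurring audit. The script below is an added example, not code from the OWASP deck, that runs that audit over a constructed account inventory: it flags still-enabled accounts whose names the deck lists as shipping with default passwords, accounts whose owner is on a leavers list, and accounts with no login inside a threshold. The inventory, the leavers list, the fixed "today" and the 90-day threshold are this example's own assumptions.

```python
"""Audit an account inventory for default, departed-owner and stale accounts.

Added example, not code from the OWASP deck. The inventory, leaver list and
"today" are constructed here; in practice the same fields would come from
the directory, /etc/passwd plus lastlog, or the database's user catalogue.
"""
from datetime import date, timedelta

# Built-in account names the deck lists as shipping with default passwords.
DEFAULT_ACCOUNT_NAMES = {"administrator", "sa", "master", "root"}

# Constructed sample inventory.
INVENTORY = [
    {"user": "sa", "owner": "built-in", "enabled": True, "last_login": None},
    {"user": "root", "owner": "built-in", "enabled": False, "last_login": None},
    {"user": "jdoe", "owner": "John Doe", "enabled": True,
     "last_login": date(2012, 7, 20)},
    {"user": "contractor1", "owner": "Acme Ltd", "enabled": True,
     "last_login": date(2012, 1, 5)},
    {"user": "oldclient", "owner": "Client X", "enabled": True,
     "last_login": date(2011, 2, 1)},
]
LEAVERS = {"John Doe"}          # constructed: people who left this month
TODAY = date(2012, 7, 23)       # constructed; use date.today() in practice

REASON_TEXT = {
    "default": "default account still enabled: rename or disable it and set a strong password",
    "leaver": "owner has left: disable now, move the files, then delete the account",
    "stale": "no login within the threshold: confirm with the owner, then delete",
}


def audit_accounts(inventory, leavers, today, stale_after=timedelta(days=90)):
    """Return (username, reason code) pairs for every enabled account needing action."""
    actions = []
    for acct in inventory:
        if not acct["enabled"]:
            continue                      # already disabled: nothing to do
        if acct["user"].lower() in DEFAULT_ACCOUNT_NAMES:
            actions.append((acct["user"], "default"))
        if acct["owner"] in leavers:
            actions.append((acct["user"], "leaver"))
        last = acct["last_login"]
        if last is None or today - last > stale_after:
            actions.append((acct["user"], "stale"))
    return actions


if __name__ == "__main__":
    for user, reason in audit_accounts(INVENTORY, LEAVERS, TODAY):
        print(f"{user}: {REASON_TEXT[reason]}")
```

An account can collect more than one reason (here "sa" is both a default account and one that has never logged in); both are reported so that the disable-then-delete decision is made with the full picture.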

Page 11: OWASP Serbia - A6 security misconfiguration


Turn off unused services

- Look through all running services.
- If they're not being used, turn them off.
- Disable them upon system start-up.
- Pay particular attention to:
  - Services enabled upon install
    ― Remote debugging
    ― Content management
  - Services turned on ad hoc
    ― One-time use
    ― "This is a temporary repair. We'll put a better solution in later."
- Inside IIS, too:
  - Directory browsing
  - Ability to run scripts and executables

Page 12: OWASP Serbia - A6 security misconfiguration


White list pages

- Serve only pages that are allowed.
- Intercept requests for pages and disallow any request for something other than *.html, *.jsp, *.js, *.css, etc.
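The filter the slide describes is only as good as the path normalisation in front of it, since an unlisted file type can be smuggled behind an allowed extension with an encoded null byte, a traversal sequence or a backslash. The code below is an added example, not code from the OWASP deck: it canonicalises the request target first and then checks the final segment's extension against the four types the slide names. The rule that "/" maps to /index.html, the bounded decode loop and the dotfile rejection are this example's own assumptions.

```python
"""Allowlist filter for request paths: serve only approved page types.

Added example, not code from the OWASP deck. The allowed extensions are
the ones the slide names; the rule that "/" maps to /index.html and the
decoding loop are this example's own assumptions.
"""
import posixpath
from urllib.parse import unquote, urlsplit

ALLOWED_EXTENSIONS = {".html", ".jsp", ".js", ".css"}


def normalize_path(raw_target):
    """Canonicalise a request target; return None if it cannot be made safe."""
    path = urlsplit(raw_target).path          # drop query string and fragment
    # Decode repeatedly so that double-encoded sequences (%252e) cannot hide
    # a traversal; the loop is bounded to avoid pathological input.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path:                        # null-byte truncation tricks
        return None
    path = path.replace("\\", "/")            # IIS treats backslash as a separator
    path = "/" + path.lstrip("/")             # exactly one leading slash
    return posixpath.normpath(path)           # collapse "." and ".." segments


def is_allowed(raw_target):
    """True only for paths whose final segment has an allowlisted extension."""
    path = normalize_path(raw_target)
    if path is None:
        return False
    if path == "/":
        path = "/index.html"                  # assumption: site root serves index.html
    segments = [seg for seg in path.split("/") if seg]
    if any(seg.startswith(".") for seg in segments):
        return False                          # dotfiles (.htaccess, .git) are never served
    ext = posixpath.splitext(path)[1].lower()
    return ext in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for target in ("/index.html", "/static/app.js?v=3", "/WEB-INF/web.xml",
                   "/admin/console.jsp%00.html", "/..%2f..%2fetc/passwd"):
        print(f"{target!r}: {'allow' if is_allowed(target) else 'deny'}")
```

Because ".." segments are collapsed before the extension check, a traversal attempt that climbs above the web root resolves to a root-relative path and is then judged on its file type alone; the server behind this filter still needs its own root confinement.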

Page 13: OWASP Serbia - A6 security misconfiguration


Update patches

- Patch Tuesday is the most overlooked defense.*
- Day-one vulnerabilities
- Subscribe to vendors' alert lists: http://www.microsoft.com/security/pc-security/default.aspx#Security-Updates
- RSS feed: http://www.novell.com/company/rss/patches.html

* Patch Tuesday is usually the second Tuesday of each month.

Page 14: OWASP Serbia - A6 security misconfiguration


CONCLUSIONS

Safeguarding your website from malicious users and attacks is important, regardless of what type of site you have or how many visitors your site receives.

Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions.

While there is no one-size-fits-all security configuration, you can use these points to develop a plan that works for your situation. I hope this presentation helps you to create such a plan.

Page 15: OWASP Serbia - A6 security misconfiguration


Resources

1. OWASP: http://www.owasp.org/
2. DB of known default accounts: http://www.cirt.net/passwords
3. Web Protection Site Scanner: https://www.websiteprotection.com/
4. Vulnerability scanning software: http://sectools.org/web-scanners.html

Page 16: OWASP Serbia - A6 security misconfiguration


Discussion