OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
owasp.org/index.php/Khartoum
Top 10 #A6: Security misconfiguration
Introduction
• New to the OWASP Top 10. Was there in 2004. On the OWASP list in 2007.
• System admins, DBAs and developers leave security holes in the configuration of computer systems.
Definition
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.
Threat Agents: Consider anonymous external attackers as well as users with their own accounts that may attempt to compromise the system. Also consider insiders wanting to disguise their actions.
Attack Vectors (Exploitability: EASY): Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
Security Weakness (Prevalence: COMMON; Detectability: EASY): Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
Technical Impacts (Impact: MODERATE): Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
Business Impact: The system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time. Recovery costs could be expensive.
Introduction
Security misconfiguration can happen at any level of an application stack, including:
• the platform
• web server
• application server
• framework
• custom code
Web Application Security
How attackers do it
• Collect information about the targeted system's stack: OS and version number, web server type (Apache, IIS, etc.), web development language.
• Check their data sources for all known exploits against any part of that stack. There are known vulnerabilities for each level of the stack.
• Begin hacking away.
Example Scenarios
Scenario #1:
• Your application relies on a powerful framework like Struts or Spring.
• XSS flaws are found in these framework components you rely on.
• An update is released to fix these flaws but you don't update your libraries.
• Until you do, attackers can easily find and exploit these flaws in your app.
Struts XSS
Example Scenarios
Scenario #2:
• The app server admin console is automatically installed and not removed.
• Default accounts aren't changed.
• Attacker discovers the standard admin pages are on your server, logs in with default passwords and takes over.
phpMyAdmin
.NET
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
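As an added example (not from the slides), a small Python check that reads a web.config and flags the two settings this deck cares about on the .NET/IIS side: the customErrors element shown above and IIS's directoryBrowse element, which controls the directory listings a later slide says to disable. Both config fragments are constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments for the demo (not from the slides).
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>"""

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings for the settings this deck covers; [] means clean."""
    root = ET.fromstring(xml_text)
    findings = []

    # customErrors: mode="Off" sends stack traces and framework details to every client.
    custom_errors = next(root.iter("customErrors"), None)
    if custom_errors is None:
        findings.append("customErrors missing: relies on the implicit RemoteOnly default; set it explicitly")
    else:
        mode = custom_errors.get("mode", "RemoteOnly")   # RemoteOnly is ASP.NET's default
        if mode.lower() == "off":
            findings.append("customErrors mode=Off: detailed errors are shown to remote users")
        elif not custom_errors.get("defaultRedirect"):
            findings.append("customErrors without defaultRedirect: generic ASP.NET error page is served")

    # directoryBrowse: enabled="true" lets IIS list folder contents when no default document exists.
    browse = next(root.iter("directoryBrowse"), None)
    if browse is not None and browse.get("enabled", "false").lower() == "true":
        findings.append("directoryBrowse enabled=true: directory listings expose file names")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```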
How we protect ourselves
• Change default user accounts.
• Delete unused pages and user accounts.
• Turn off unused services.
• Disable directory listings if they are not necessary, or set access controls to deny all requests.
• Stay up-to-date on patches.
• Consider internal attackers as well as external.
• Use automated scanners.
Change default accounts
When you install an OS or server tool, it has a default root account with a default password. Examples:
• Windows: "Administrator" / "Administrator"
• SQL Server: "sa" / no password
• Oracle: "MASTER" / "PASSWORD"
• Apache: "root" / "change this"
Make sure you change these passwords! Completely delete the accounts when possible.
Delete unused accounts
As soon as an employee or contractor leaves, change his password. Change his username. Move files and delete the account.
Look for old client accounts and delete them.
Turn off unused services
Look through all running services. If they're not being used, turn them off. Disable them upon system start-up.
Pay particular attention to:
• Services enabled upon install
  ― Remote debugging
  ― Remote registry
  ― Content management
• Inside IIS, too:
  ― Directory browsing
  ― Ability to run scripts and executables
White List Pages
Serve only pages that are allowed. Intercept requests for pages and disallow any request for something other than:
*.html, *.jsp, *.js, *.css, etc.
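One way to implement the interception described above, as an added Python example that is not part of the slides: it assumes a server-side hook hands the function the raw request target, and the allowlist and sample requests are constructed for the demo. It goes a little beyond the slide by resolving percent-encoding, ".." segments and double extensions before judging the request, since those are the usual ways a disallowed file slips past an extension check.

```python
from urllib.parse import unquote, urlsplit

# Extensions the slide lists as the only ones a request may name (constructed allowlist).
ALLOWED_EXTENSIONS = {".html", ".jsp", ".js", ".css"}


def is_request_allowed(request_target, allowed=ALLOWED_EXTENSIONS):
    """Return True only if the request names a file whose final extension is allowlisted.

    Only the path is judged; the query string is ignored, so "/page.jsp?id=3" is
    judged on "/page.jsp". The path is percent-decoded once and its segments
    resolved before the extension is read.
    """
    path = unquote(urlsplit(request_target).path)
    if not path.startswith("/") or "\\" in path or "\x00" in path:
        return False              # relative path, backslash separator or NUL truncation

    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return False      # tries to climb above the web root
            parts.pop()
        else:
            parts.append(segment)
    if not parts:
        return False              # "/" itself: rewrite to an index page before this check

    name = parts[-1]
    if "." not in name:
        return False              # directory or extensionless resource, e.g. "/docs/"
    extension = name[name.rfind("."):].lower()   # last extension decides: "app.jsp.bak" is .bak
    return extension in allowed


# Constructed requests, each paired with the decision the allowlist should make.
SAMPLE_REQUESTS = [
    ("/index.html", True), ("/app/page.jsp?id=3", True), ("/static/app.JS", True),
    ("/a/../b.css", True), ("/backup/app.jsp.bak", False), ("/WEB-INF/web.xml", False),
    ("/docs/", False), ("/../../secret.html", False), ("/page.jsp%00.html", False),
    ("page.html", False),
]


def check_samples():
    """Return the sample requests whose decision differs from the expected one."""
    return [req for req, expected in SAMPLE_REQUESTS if is_request_allowed(req) != expected]


if __name__ == "__main__":
    for req, _ in SAMPLE_REQUESTS:
        print("ALLOW" if is_request_allowed(req) else "DENY ", req)
```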
Update Patches
Patch Tuesday is the most overlooked defense. Day-one vulnerabilities.
Subscribe to vendors' alert lists: http://www.microsoft.com/security/pc-security/default.aspx#Security-Updates
RSS feed: http://www.novell.com/company/rss/patches.html
Conclusions
Safeguarding your website from malicious users and attacks is important, regardless of what type of site you have or how many visitors your site receives.
Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions.
While there is no one-size-fits-all security configuration, you can use these points to develop a plan that works for your situation. I hope that this presentation helps you to create such a plan.
Resources
OWASP Development Guide: Chapter on Configuration
OWASP Code Review Guide: Chapter on Error Handling
OWASP Testing Guide: Configuration Management
OWASP Testing Guide: Testing for Error Codes
OWASP Top 10 2004 – Insecure Configuration Management
CIS Security Configuration Guides/Benchmarks
http://www.spiralsecurity.com/blog/?p=190
Questions