OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

OWASP Khartoum
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
owasp.org/index.php/Khartoum
Ali Hussein, [email protected]
Security misconfiguration, OWASP Top 10 #A6

Transcript of OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration


Page 2: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Introduction

Listed as new in the OWASP Top 10 2010. It was on the 2004 list (A10, Insecure Configuration Management) and was dropped from the 2007 list.

System administrators, DBAs and developers leave security holes in the configuration of computer systems.

Page 3: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Definition

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

Page 4: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Threat agents: consider anonymous external attackers as well as users with their own accounts who may attempt to compromise the system. Also consider insiders wanting to disguise their actions.

Attack vectors (exploitability: EASY): the attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.

Security weakness (prevalence: COMMON, detectability: EASY): security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.

Technical impacts (impact: MODERATE): such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.

Business impact: the system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time. Recovery costs could be expensive.

Page 5: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Introduction

Security misconfiguration can happen at any level of an application stack, including:

• the platform
• web server
• application server
• framework
• custom code

Page 6: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Web Application Security

Page 7: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

How attackers do it

• Collect information about the targeted system's stack: OS and version number, web server type (Apache, IIS, etc.), web development language.
• Check their data sources for all known exploits against any part of that stack. There are known vulnerabilities at each level of the stack.
• Begin hacking away.
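The first step above, stack fingerprinting, often needs nothing more than one HTTP response. The Python below is an added example (not from the OWASP Khartoum slides) that pulls product and version strings out of the Server, X-Powered-By and X-AspNet-Version headers and infers the platform from well-known session-cookie names. The two responses are constructed, one from a default-configured LAMP host and one from a hardened host, and the header and cookie shortlists are mine, not an exhaustive database.

```python
# Added example: stack fingerprinting from one HTTP response. Not from the
# OWASP Khartoum slides; the two responses below are constructed, and the
# header/cookie shortlists are the author's own, not an exhaustive database.
import re
from typing import Dict, List, Tuple

# Session-cookie names that give the platform away even when Server and
# X-Powered-By have been suppressed.
SESSION_COOKIE_HINTS = {
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "PHPSESSID": "PHP",
    "CFID": "Adobe ColdFusion",
}

# Headers that commonly carry product and version strings.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values, ignoring status line and body."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(raw_response: str) -> Dict[str, str]:
    """Collect every stack clue the server volunteers in a single response."""
    headers = parse_headers(raw_response)
    clues: Dict[str, str] = {}
    for name in VERSION_HEADERS:
        for value in headers.get(name, []):
            clues[name] = value
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name in SESSION_COOKIE_HINTS:
            clues["cookie " + cookie_name] = SESSION_COOKIE_HINTS[cookie_name]
    return clues


def versions_disclosed(clues: Dict[str, str]) -> List[Tuple[str, str]]:
    """Clues that carry an exact version number: the strings an attacker feeds
    straight into an exploit database search."""
    return [(k, v) for k, v in clues.items() if re.search(r"\d+\.\d+", v)]


# Constructed responses: a default-configured LAMP server and a hardened one.
CHATTY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.2-1ubuntu4.2\r\n"
    "Set-Cookie: PHPSESSID=0123abcd; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: SID=0123abcd; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("chatty", CHATTY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        clues = fingerprint(resp)
        print(label, clues, "-> versions:", versions_disclosed(clues))
```

The chatty response hands over two exact versions and the language; the hardened one yields only the word "Apache". The corresponding configuration changes are ServerTokens Prod and ServerSignature Off in httpd.conf, expose_php = Off in php.ini, <httpRuntime enableVersionHeader="false" /> in an ASP.NET web.config, and renaming the session cookie. Hiding versions does not remove a vulnerability, it only removes the shortcut to finding it, so it complements patching rather than replacing it.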

Page 8: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Example Scenarios

Scenario #1:

• Your application relies on a powerful framework like Struts or Spring.
• XSS flaws are found in the framework components you rely on.
• An update is released to fix these flaws but you don't update your libraries.
• Until you do, attackers can easily find and exploit these flaws in your app.

Page 9: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Struts XSS

Page 10: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Example Scenarios

Scenario #2:

• The app server admin console is automatically installed and not removed.
• Default accounts aren't changed.
• Attacker discovers the standard admin pages are on your server, logs in with default passwords and takes over.

Page 11: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

phpMyAdmin

Page 12: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

.NET

The web.config fragment from the slide. With customErrors set to On (or RemoteOnly), the detailed ASP.NET error page, which carries the stack trace, source context and framework version, is never sent to remote clients; they see ~/Error.aspx instead. ResponseRewrite serves that page in place rather than issuing a redirect, so the original URL and status are preserved.

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
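customErrors is one of several web.config settings that decide what an attacker learns from a failing request. As an added example (not from the slides), the Python below parses a web.config and reports the settings that leak error detail or debug data: customErrors mode="Off", compilation debug="true", a remotely reachable trace.axd, and the default X-AspNet-Version header. The weak and hardened configurations are constructed; the weak one is how a file often looks when a development config is deployed unchanged.

```python
# Added example: audit an ASP.NET web.config for settings that leak error
# detail or debug data. Not from the OWASP Khartoum slides; the two configs
# below are constructed, the weak one as it often looks after development.
import xml.etree.ElementTree as ET
from typing import List


def audit_web_config(xml_text: str) -> List[str]:
    """Return findings for a web.config; an empty list means the checked settings are safe."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # customErrors defaults to RemoteOnly when absent; Off sends the full
    # ASP.NET error page (stack trace, source lines, versions) to every client.
    ce = root.find("./system.web/customErrors")
    if ce is not None and ce.get("mode", "RemoteOnly").lower() == "off":
        findings.append("customErrors mode=Off: detailed error pages reach remote clients")

    comp = root.find("./system.web/compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append("compilation debug=true: debug build and verbose errors in production")

    # trace.axd lists recent requests with headers, cookies and form data.
    trace = root.find("./system.web/trace")
    if (trace is not None and trace.get("enabled", "false").lower() == "true"
            and trace.get("localOnly", "true").lower() == "false"):
        findings.append("trace enabled and localOnly=false: trace.axd exposed to remote users")

    # enableVersionHeader defaults to true, adding X-AspNet-Version to every response.
    hr = root.find("./system.web/httpRuntime")
    if hr is None or hr.get("enableVersionHeader", "true").lower() == "true":
        findings.append("X-AspNet-Version header enabled: framework version disclosed")

    return findings


# Constructed configurations for the audit.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" targetFramework="4.0" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
    <compilation debug="false" targetFramework="4.0" />
    <trace enabled="false" />
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

Run it in a deployment pipeline against the config that is actually going to production, not the one in the repository, since transforms and manual edits on the server are where these settings drift. The same four checks map directly onto the OWASP Testing Guide's "Testing for Error Codes" and configuration-management tests listed in the Resources slide.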

Page 13: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

How we protect ourselves

• Change default user accounts.
• Delete unused pages and user accounts.
• Turn off unused services.
• Disable directory listings if they are not necessary, or set access controls to deny all requests.
• Stay up to date on patches.
• Consider internal attackers as well as external.
• Use automated scanners.

Page 14: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Change default accounts

When you install an OS or server product, it comes with a built-in administrative account, frequently with a well-known or empty default password. Examples:

• Windows: the built-in "Administrator" account.
• SQL Server: "sa" with an empty password (older versions and mixed-mode installs).
• Oracle: "SYS" / "CHANGE_ON_INSTALL", "SYSTEM" / "MANAGER", "SCOTT" / "TIGER" (older versions).
• Apache Tomcat: the sample "tomcat" / "tomcat" manager user shipped in tomcat-users.xml in older releases.

Make sure you change these passwords at install time. Delete the accounts completely when possible; where a built-in account cannot be removed, rename or disable it and give it a strong random password.

Page 15: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Delete unused accounts

• As soon as an employee or contractor leaves, change the password on their accounts.
• Change the username.
• Move any files that are still needed, then delete the account.
• Look for old client accounts and delete them.

Page 16: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Turn off unused services

Look through all running services. If they're not being used, turn them off and disable them at system start-up.

Pay particular attention to services enabled upon install:

― Remote debugging
― Remote registry
― Content management

Inside IIS, too:

― Directory browsing
― Execute permissions (scripts and executables) on directories that only need to serve static content

Page 17: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

White List Pages

Serve only pages that are allowed. Intercept requests for pages and disallow any request for something other than:

• *.html
• *.jsp
• *.js
• *.css
• etc.
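An allow-list like the one above is only as good as the path normalization in front of it: a naive extension check is bypassed with percent-encoding, ".." segments, a NUL byte, backup copies such as index.jsp.bak, or a servlet path parameter such as /WEB-INF/web.xml;x.jsp. The Python below is an added example (not from the slides) of the check done properly. The extension list mirrors the slide; the request paths in the test are constructed.

```python
# Added example: an allow-list check for request paths, the 'white list pages'
# idea from the slide. Not from the OWASP Khartoum slides; the extension list
# mirrors the slide, the request paths used to exercise it are constructed.
import posixpath
from urllib.parse import unquote

ALLOWED_EXTENSIONS = frozenset({".html", ".jsp", ".js", ".css"})


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path so the check sees what the server will resolve."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]   # drop query string and fragment
    for _ in range(3):                                  # undo double encoding (%252e -> %2e -> .)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # Strip servlet-style path parameters: '/web.xml;x.jsp' resolves to web.xml.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)   # collapses '.', '..' and '//' below the root


def is_allowed(raw_path: str) -> bool:
    """True only for the document root or a file whose final extension is allow-listed."""
    path = normalize_path(raw_path)
    if "\x00" in path:                # a NUL would truncate the name in a C-based server
        return False
    if path == "/":
        return True                   # the default document, e.g. index.html
    _, ext = posixpath.splitext(path)  # 'index.jsp.bak' yields '.bak' and is refused
    return ext.lower() in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for p in ("/index.jsp", "/css/site.css?v=2", "/admin/", "/WEB-INF/web.xml",
              "/index.jsp.bak", "/..%2F..%2Fetc/passwd", "/etc/passwd%00.html",
              "/index.jsp;jsessionid=ABC", "/WEB-INF/web.xml;x.jsp"):
        print(f"{p:35} -> {'allow' if is_allowed(p) else 'deny'}")
```

Everything not on the list is denied by default, which is the point: unknown admin consoles, backup files, .git directories and WEB-INF are all refused without having to be enumerated. For applications that route extensionless URLs, allow-list the routes instead of extensions; the normalization step stays the same.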

Page 18: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Update Patches

Patching is the most overlooked defense. Patch Tuesday matters, and so do day-one vulnerabilities: exploits often appear as soon as a patch is published, so apply updates promptly.

Subscribe to vendors' alert lists, e.g. http://www.microsoft.com/security/pc-security/default.aspx#Security-Updates

RSS feed: http://www.novell.com/company/rss/patches.html


Page 20: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Conclusions

Safeguarding your website from malicious users and attacks is important, regardless of what type of site you have or how many visitors it receives.

Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions.

While there is no one-size-fits-all security configuration, you can use these points to develop a plan that works for your situation. I hope this presentation helps you to create such a plan.

Page 21: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration

Resources

• OWASP Development Guide: Chapter on Configuration
• OWASP Code Review Guide: Chapter on Error Handling
• OWASP Testing Guide: Configuration Management
• OWASP Testing Guide: Testing for Error Codes
• OWASP Top 10 2004 – Insecure Configuration Management
• CIS Security Configuration Guides/Benchmarks
• http://www.spiralsecurity.com/blog/?p=190

Page 22: OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration


Questions