Security
Misconfiguration
By Megha Sahu
About me
• Chapter Lead at Null Bhopal.
• Pursuing BE in 4th year from UIT-RGPV.
• Cyber Security Enthusiast.
• Currently studying Machine Learning.
• Twitter handle @meghasahu24
• Null profile megha-sahu
Overview
1. What is OWASP Top 10
2. List of OWASP Top 10 (2017)
3. Introduction to Security Misconfiguration
4. Typical Attack approach
5. How do we protect ourselves?
6. Demo
1. Hidden URL
2. Directory Listing
7. Conclusion
What is OWASP Top 10
• OWASP stands for Open Web Application Security Project.
• The OWASP Top 10 is a widely used awareness document for web application security.
• The materials OWASP offers, including documentation, tools, videos, and forums, are freely available on its website.
• The Top 10 is a regularly updated report on web application security concerns, focusing on the 10 most critical risks.
List of OWASP Top 10 (2017)
• A1:-Injection
• A2:-Broken Authentication
• A3:-Sensitive Data Exposure
• A4:-XML External Entities (XXE)
• A5:-Broken Access Control
• A6:-Security Misconfiguration
• A7:-Cross-Site Scripting (XSS)
• A8:-Insecure Deserialization
• A9:-Using Components with Known Vulnerabilities
• A10:-Insufficient Logging & Monitoring
Introduction to Security Misconfiguration
• Misconfiguration is defined as a configuration mistake that results in unintended application behaviour, such as leaving default passwords in place, granting excessive privileges, or disclosing debugging information.
• It happens when system administrators, DBAs or developers leave security holes in the configuration.
• Good security requires proper configuration of systems.
Security misconfiguration can happen at any level of an application stack, including:
• The Platform
• Web Server
• Application Server
• Framework
• Custom Code
Developers and system administrators need to work together to ensure that the entire stack
is configured properly.
Typical attack approach
• Fingerprint the target and collect information about:
    o OS type and version
    o Libraries
    o Tools
    o Web server type and version
    o Web development language and framework
• Then try what ships by default. When you install an OS or server product, it often comes with a built-in administrative account and a well-known default password.
• Commonly cited examples (exact defaults vary by product and version; check the vendor documentation):
    o Windows: "Administrator" / "Administrator"
    o SQL Server: "sa" / no password (older versions)
    o Oracle: "MASTER" / "PASSWORD"
    o Apache: "root" / "change this"
• Make sure you change these passwords! Delete the accounts entirely when possible.
How do we protect ourselves?
• Do not use default credentials.
• Delete unused pages and user accounts.
• Restrict roles and privileges.
• Stay up to date on patches.
• Turn off unused services.
• Run scans and audits (Security Onion is a popular open source Linux distribution for network security monitoring).
• Lock down default configuration options.
• Use strong encryption.
• Consider internal attackers as well as external ones.
• Disable directory listings.
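To make the checklist concrete, here is an added example (not part of the original slides or of the Apache project) that audits an Apache httpd configuration for three of the items above: directory listings (Options Indexes), version disclosure in the Server header (ServerTokens) and in page footers (ServerSignature). The two configurations it runs against are constructed for illustration, one with defaults left in place and one hardened; the function and file names are assumptions made for this example.

```python
"""Audit an Apache httpd config for the misconfigurations named in the checklist.

Added example for this deck (not from the original slides or the Apache project).
The two configs below are constructed for illustration. Apache directives used:
  ServerTokens Prod   - Server header shows only "Apache" (the default, Full,
                        also leaks OS and module versions)
  ServerSignature Off - no version footer on error and index pages
  Options -Indexes    - no auto-generated directory listing when index.html is missing
"""
import re

WEAK_CONF = """\
# constructed sample: defaults left in place
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

HARDENED_CONF = """\
# constructed sample: hardened
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""


def _last_directive(conf, name):
    """Value of the last occurrence of a directive (later settings override earlier ones), or None."""
    value = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == name.lower():
            value = parts[1].strip() if len(parts) > 1 else ""
    return value


def _enables_indexes(options):
    """True if an Options argument list turns directory indexes on ('All' includes Indexes)."""
    for opt in options.split():
        if opt.lower() in ("indexes", "+indexes", "all", "+all"):
            return True
    return False


def audit_apache(conf):
    """Return a list of human-readable findings; an empty list means all three checks passed."""
    findings = []

    tokens = _last_directive(conf, "ServerTokens")
    if tokens is None or tokens.lower() != "prod":
        shown = tokens if tokens is not None else "unset (defaults to Full)"
        findings.append(f"ServerTokens is {shown}: set 'ServerTokens Prod' to stop leaking versions")

    signature = _last_directive(conf, "ServerSignature")
    # The default is Off, so only an explicit On/EMail is a finding
    if signature is not None and signature.lower() != "off":
        findings.append(f"ServerSignature is {signature}: set 'ServerSignature Off'")

    # Every Options line counts, including those inside <Directory> blocks
    for match in re.finditer(r"^\s*Options\s+(.+)$", conf, re.IGNORECASE | re.MULTILINE):
        if _enables_indexes(match.group(1)):
            findings.append(
                f"'Options {match.group(1).strip()}' enables directory listing: use 'Options -Indexes'"
            )

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        issues = audit_apache(conf)
        print(f"{label}: {len(issues)} finding(s)")
        for issue in issues:
            print("  -", issue)
```

Run it against a real httpd.conf by reading the file into a string and passing it to audit_apache; the same three checks are what a scanner such as Burp or a hardening benchmark would flag first.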
Burp Suite
Example 1:
• AIM: To find a hidden URL in the web application
• Requirements:
    o Virtual machine running:
        • OWASP Broken Web Application
        • OWASP Web Testing Environment
    o Burp Suite Community Edition
    o FoxyProxy Standard add-on
Example 2:
• AIM: To find directory listings in the web application
• Requirements:
    o Virtual machine running:
        • OWASP Broken Web Application
        • OWASP Web Testing Environment
    o Burp Suite Community Edition
    o FoxyProxy Standard add-on
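The two demos above are done by hand in Burp against OWASP BWA. As an added example (not from the slides, and not OWASP BWA or Burp code), the script below does the same two things programmatically so it can run offline: it starts a tiny constructed lab server in-process that serves a "hidden" /admin/ page, a /backup/ path with an auto-generated index page, and 404 for everything else, then probes a small wordlist, reports every path that is not a 404 (Example 1), and flags responses whose body looks like an Apache, nginx or Python http.server directory index (Example 2). The routes, the wordlist and the fake Server header are all made up for illustration.

```python
"""Hidden-URL discovery and directory-listing detection against a local lab server.

Added example for this deck, not code from the slides, OWASP BWA or Burp Suite.
The lab routes, wordlist and Server header below are constructed for illustration.
"""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed lab routes: path -> (status, body). Anything else is a 404.
LAB_ROUTES = {
    "/": (200, "<html><body>Welcome</body></html>"),
    "/admin/": (200, "<html><body><h1>Admin panel</h1></body></html>"),
    "/backup/": (200, "<html><head><title>Index of /backup</title></head>"
                      "<body><h1>Index of /backup</h1>"
                      "<a href=\"db.sql.bak\">db.sql.bak</a></body></html>"),
}

# Tiny stand-in for the wordlists normally fed to Burp Intruder or dirb
WORDLIST = ["admin", "backup", "config", "login", "uploads"]

# Signatures of auto-generated index pages
LISTING_PATTERNS = [
    re.compile(r"<title>Index of /", re.I),         # Apache mod_autoindex, nginx autoindex
    re.compile(r"Directory listing for /", re.I),   # python -m http.server
]

# urlopen honours proxy environment variables; an empty ProxyHandler keeps the lab traffic local
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class LabHandler(BaseHTTPRequestHandler):
    def version_string(self):
        # Constructed, deliberately verbose Server header: exactly what the
        # fingerprinting step of the attack approach looks for
        return "Apache/2.4.7 (Ubuntu)"

    def do_GET(self):
        status, body = LAB_ROUTES.get(self.path, (404, "<html><body>Not Found</body></html>"))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_lab_server():
    """Bind to an ephemeral localhost port, serve in a background thread, return (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), LabHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch(url):
    """Return (status, server_header, body); 4xx/5xx are returned, not raised."""
    try:
        with OPENER.open(url, timeout=5) as r:
            return r.status, r.headers.get("Server", ""), r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Server", ""), e.read().decode(errors="replace")


def has_directory_listing(body):
    """True if the response body looks like a server-generated directory index."""
    return any(p.search(body) for p in LISTING_PATTERNS)


def discover(base_url, words=WORDLIST):
    """Probe /<word>/ for each word; report every non-404 path and whether it exposes a listing."""
    results = {}
    for word in words:
        path = f"/{word}/"
        status, server, body = fetch(base_url + path)
        if status != 404:
            results[path] = {"status": status, "server": server,
                             "listing": has_directory_listing(body)}
    return results


if __name__ == "__main__":
    srv, base = start_lab_server()
    try:
        for path, info in discover(base).items():
            flag = "DIRECTORY LISTING" if info["listing"] else "hidden URL"
            print(f"{info['status']} {path:<12} {flag}  (Server: {info['server']})")
    finally:
        srv.shutdown()
        srv.server_close()
```

Point discover() at the OWASP BWA address instead of the lab server and swap WORDLIST for a real content-discovery list to reproduce the Burp demos; the 404-versus-anything-else filter is crude on purpose, so on a real target also compare response lengths to weed out soft 404s.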
Conclusion
• Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions.
• Risk: the prevalence of web application misconfiguration in the IT industry is very high.
• Priority: safeguarding web applications from malicious users and attacks.
References
• https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
• https://support.portswigger.net/customer/portal/articles/1965728-using-burp-to-test-for-security-misconfiguration-issues
• https://www.youtube.com/watch?v=vheGnopQm6s&t=514s
• https://www.cloudflare.com/learning/security/threats/owasp-top-10/
• https://resources.infosecinstitute.com/2017-owasp-a6-update-security-misconfiguration/#gref
• https://bounty.github.com/classifications/security-misconfiguration.html
• https://www.youtube.com/watch?v=ouuXu9_UM0w