security misconfigurations
- 2. About me
• Chapter Lead at Null Bhopal.
• Pursuing a BE (4th year) at UIT-RGPV.
• Cyber Security Enthusiast.
• Currently studying Machine Learning.
• Twitter handle @meghasahu24
• Null profile megha-sahu
- 3. Overview
1. What is OWASP Top 10
2. List of OWASP Top 10 (2017)
3. Introduction to Security Misconfiguration
4. Typical attack approach
5. How do we protect ourselves?
6. Demo
   1. Hidden URL
   2. Directory Listing
7. Conclusion
- 4. What is OWASP top 10
• OWASP stands for Open Web Application Security Project.
• The OWASP Top 10 is an awareness document for web application security.
• The materials OWASP offers, including documentation, tools, videos, and forums, are freely available on its website.
• The Top 10 is a regularly updated report outlining the 10 most critical security risks to web applications.
- 5. List of OWASP Top 10 (2017)
• A1: Injection
• A2: Broken Authentication
• A3: Sensitive Data Exposure
• A4: XML External Entities (XXE)
• A5: Broken Access Control
• A6: Security Misconfiguration
• A7: Cross-Site Scripting (XSS)
• A8: Insecure Deserialization
• A9: Using Components with Known Vulnerabilities
• A10: Insufficient Logging & Monitoring
- 6. Introduction to Security Misconfiguration
• Misconfiguration is defined as a configuration mistake that results in unintended application behaviour: default passwords left in place, excessive privileges, debugging information exposed to users, and so on.
• It happens when system administrators, DBAs or developers leave security holes in the configuration.
• Good security requires proper configuration of every system in the stack.
- 7. Introduction to Security Misconfiguration (continued)
Security misconfiguration can happen at any level of an application stack, including:
• The Platform
• Web Server
• Application Server
• Framework
• Custom Code
Developers and system administrators need to work together to ensure that the entire stack
is configured properly.
- 8. Typical attack approach
• Find information (typically from response headers, error pages, default files and version strings) related to:
  OS type and version
  Libraries
  Tools
  Web server type
  Web development language
• And then try the default accounts and passwords that ship with each of those components (next slide).
- 9. • When you install an OS or server product, it often ships with a default administrative account and a default password.
• Examples commonly cited in default-credential lists (the exact defaults vary by product and version, so check the vendor documentation for what you actually run; Apache httpd itself has no built-in login, so a "root" account on that host is an operating-system account):
  Windows - "Administrator" / "Administrator"
  SQL Server - "sa" / no password
  Oracle - "MASTER" / "PASSWORD"
  Apache - "root" / "change this"
• Make sure you change these passwords, and delete the accounts completely when possible.
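The reconnaissance step on slides 8 and 9, as an added example in Python that is not part of the original slides: it parses the response headers an attacker sees first and reports what they give away. The two raw HTTP responses are constructed for illustration (one from a server that leaks its stack, one from the same application after `ServerTokens Prod`, `expose_php = Off` and a renamed session cookie), and the function and constant names are my own.

```python
"""Fingerprint a web stack from the information a misconfigured server leaks.

Added example: both responses below are constructed and do not come from any real host.
"""
import re
from email.parser import Parser

# Constructed: a server that leaks web server, OS, TLS library and language versions.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 PHP/7.2.24\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

# Constructed: the same application after hardening (ServerTokens Prod,
# expose_php=Off, session cookie renamed and flagged).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: sid=abc123; path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

# Default session cookie names that identify the language or framework.
COOKIE_FINGERPRINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "CFID": "ColdFusion",
    "ci_session": "CodeIgniter",
}

# Matches "Product/1.2.3" tokens such as Apache/2.4.29 or PHP/7.2.24.
VERSION_RE = re.compile(r"([A-Za-z][\w.+-]*)/(\d+(?:\.\d+)+)")


def parse_response(raw):
    """Split a raw HTTP response into (status_line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block)  # Message object; get_all() handles repeated headers
    return status_line, headers, body


def fingerprint(raw):
    """Return what an attacker learns from the headers alone.

    'products' maps each product that leaks a version to that version;
    'os' and 'language' are filled when the Server / X-Powered-By headers
    or the session cookie name reveal them.
    """
    _, headers, _ = parse_response(raw)
    found = {"products": {}, "language": None, "os": None}

    for name in ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator"):
        for value in headers.get_all(name, []):
            for product, version in VERSION_RE.findall(value):
                found["products"][product] = version
            if "(Ubuntu)" in value or "(Debian)" in value or "(CentOS)" in value:
                found["os"] = value[value.index("(") + 1:value.index(")")]
            if "PHP" in value:
                found["language"] = "PHP"
            elif "ASP.NET" in value or name == "X-AspNet-Version":
                found["language"] = "ASP.NET"

    # A default session cookie name gives the language away even when headers are clean.
    for cookie in headers.get_all("Set-Cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name in COOKIE_FINGERPRINTS and found["language"] is None:
            found["language"] = COOKIE_FINGERPRINTS[cookie_name]

    return found


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, fingerprint(raw))
```

Run it and the leaky response yields the Apache, OpenSSL and PHP versions plus the OS, which is exactly the input an attacker needs to pick known CVEs and default credentials for the next step; the hardened response yields nothing beyond the product name.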
- 10. How do we protect ourselves?
Do not use default credentials.
Delete unused pages and user accounts.
Restrict roles and privileges (least privilege).
Stay up to date on patches.
Turn off unused services.
Run scans and audits (Security Onion is a popular open source Linux distribution for intrusion detection and network security monitoring).
Restrict default configuration options; hide version information and disable debug output in production.
Use strong encryption (TLS for data in transit).
Consider internal attackers as well as external ones.
Disable directory listings.
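The checklist above, turned into an automated check, as an added example in Python that is not part of the original slides: it audits an Apache httpd configuration for version disclosure, TRACE, `.htaccess` overrides and directory listings, with the weak configuration and its corrected form side by side. Both configuration snippets are constructed; the rules follow the documented httpd defaults (`ServerTokens Full`, `ServerSignature Off`, `TraceEnable On`) and the meaning of `Options Indexes` and `AllowOverride`. The function and constant names are my own.

```python
"""Audit an Apache httpd configuration for the misconfigurations in the checklist.

Added example; the two configurations are constructed for illustration.
"""
import re

# Constructed: a typical out-of-the-box-plus-convenience configuration.
WEAK_CONFIG = """\
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
<Directory /var/www/html/backup>
    Options +Indexes
</Directory>
"""

# Constructed: the same layout with each weak setting corrected.
HARDENED_CONFIG = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/html/backup>
    Require all denied
</Directory>
"""

SECTION_RE = re.compile(r"<(\w+)\s*(.*?)>")


def audit(config_text):
    """Walk the config and return a list of findings.

    Each finding is a dict with the directive, the section it appeared in,
    the problem, and the directive that fixes it.
    """
    findings = []
    context = ["server config"]   # stack of open <Directory>/<Location> sections
    seen = set()

    def flag(directive, problem, fix):
        findings.append({"directive": directive, "context": context[-1],
                         "problem": problem, "fix": fix})

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):          # closing a section
            if len(context) > 1:
                context.pop()
            continue
        if line.startswith("<"):           # opening a section
            m = SECTION_RE.match(line)
            context.append(f"{m.group(1)} {m.group(2)}".strip() if m else line)
            continue

        directive, *args = line.split()
        key = directive.lower()
        seen.add(key)
        first = args[0].lower() if args else ""

        if key == "options":
            # "Indexes", "+Indexes" and "All" each turn directory listings on.
            if any(t.lstrip("+") in ("Indexes", "All") for t in args):
                flag("Options", "directory listing enabled", "Options -Indexes")
        elif key == "servertokens" and first != "prod":
            flag("ServerTokens", "Server header reveals version, OS and modules", "ServerTokens Prod")
        elif key == "serversignature" and first != "off":
            flag("ServerSignature", "error pages reveal the server version", "ServerSignature Off")
        elif key == "traceenable" and first != "off":
            flag("TraceEnable", "HTTP TRACE method enabled", "TraceEnable Off")
        elif key == "allowoverride" and first == "all":
            flag("AllowOverride", ".htaccess files can override security settings", "AllowOverride None")

    # Directives whose httpd default is insecure are findings when simply left out.
    if "servertokens" not in seen:
        findings.append({"directive": "ServerTokens", "context": "server config",
                         "problem": "not set; default is Full", "fix": "ServerTokens Prod"})
    if "traceenable" not in seen:
        findings.append({"directive": "TraceEnable", "context": "server config",
                         "problem": "not set; default is On", "fix": "TraceEnable Off"})
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  [{f['context']}] {f['directive']}: {f['problem']} -> {f['fix']}")
```

The point of checking for absent directives is the one that catches most people: a configuration that never mentions `ServerTokens` or `TraceEnable` is not neutral, it inherits the insecure default.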
- 13. Example 1:
• AIM: To find the hidden URL in the web application
• Requirements:
  o Virtual machine
    • OWASP Broken Web Applications
    • OWASP Web Testing Environment
  o Burp Suite Community Edition
  o FoxyProxy Standard add-on
- 14. Example 2 :
• AIM: To find the directory listing in the web application
• Requirements:
  o Virtual machine
    • OWASP Broken Web Applications
    • OWASP Web Testing Environment
  o Burp Suite Community Edition
  o FoxyProxy Standard add-on
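Both demos (hidden URL discovery and directory listing) reproduced against a throw-away local server, as an added example in Python that is not part of the original slides, which use the OWASP Broken Web Applications VM and Burp Suite instead. The web root, its files, the wordlist and the listing markers are all constructed here so the script runs offline on localhost; `NoListingHandler` is my own hardened handler and the other names are assumptions too.

```python
"""Find hidden files and directory listings on a local test server, then fix the listing.

Added example; everything served here is constructed and nothing is fetched from the internet.
"""
import functools
import http.server
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request

# Strings that common servers put in an auto-generated directory index
# (Apache: "Index of /", "Parent Directory"; Python http.server: "Directory listing for").
LISTING_MARKERS = ("Index of /", "Directory listing for", "Parent Directory")

# Constructed mini wordlist; real content-discovery lists run to thousands of entries.
WORDLIST = ["admin", "backup", "backup.zip", "config.php.bak", ".git/config", "uploads", "robots.txt"]


def is_directory_listing(body):
    """True when an HTML body looks like an auto-generated directory index."""
    return any(marker in body for marker in LISTING_MARKERS)


def http_fetch(url):
    """GET url and return (status, body); 4xx/5xx are returned rather than raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def discover(base_url, wordlist, fetch=http_fetch):
    """Probe base_url/<word> for each word and report everything that is not a 404.

    Returns a list of (path, status, is_listing) tuples. fetch is injectable so
    the logic can be exercised without a network.
    """
    hits = []
    for word in wordlist:
        status, body = fetch(f"{base_url.rstrip('/')}/{word}")
        if status != 404:
            hits.append((word, status, is_directory_listing(body)))
    return hits


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Default behaviour (directory indexes on), minus request logging."""

    def log_message(self, *args):
        pass


class NoListingHandler(QuietHandler):
    """Hardened handler: still serves files, but refuses to render a directory index."""

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None


def serve(directory, handler_cls):
    """Start a server on an ephemeral localhost port; return (server, base_url)."""
    handler = functools.partial(handler_cls, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo():
    """Build a constructed web root, probe it with and without listings, return both result sets."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "backup"))
    with open(os.path.join(root, "backup", "db-2019-03.sql"), "w") as f:
        f.write("-- constructed dump, nothing real\n")
    with open(os.path.join(root, "config.php.bak"), "w") as f:
        f.write("<?php $db_pass = 'example'; ?>\n")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body>Welcome</body></html>\n")

    results = {}
    try:
        for label, handler in (("default", QuietHandler), ("hardened", NoListingHandler)):
            server, base = serve(root, handler)
            try:
                results[label] = discover(base, WORDLIST)
            finally:
                server.shutdown()
                server.server_close()
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for label, hits in run_demo().items():
        print(f"== {label} handler")
        for path, status, listing in hits:
            print(f"  /{path}: {status}{'  <-- directory listing' if listing else ''}")
```

With the default handler the probe finds `/backup` (200, listing, exposing the SQL dump) and `/config.php.bak` (200); with the hardened handler `/backup` comes back 403 and the listing disappears, but `/config.php.bak` is still served. That second line is the lesson of Example 1: disabling listings hides the index, it does not remove the leftover file, which is why the checklist says to delete unused pages as well.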
- 15. Conclusion
• Security misconfiguration, or poorly configured security controls, can allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions.
• Risk: misconfiguration of web applications is very common across the IT industry.
• Priority: safeguard the web application from malicious users and attacks.