11 a6 security misconfiguration.pptx
DESCRIPTION
Part of the Web Application Security Course
TRANSCRIPT
A6 Security Misconfiguration
Problem and Protection
Security Misconfiguration
o New to the OWASP Top 10. Was there in 2004. Dropped out in 2007
o This happens when the system admins, DBAs, and developers leave security holes in the configuration of computer systems
How attackers do it
o Glean info about the targeted system's stack
  • OS and version number
  • Web server type (Apache, IIS, etc.)
  • RDBMS (MySQL, SQL Server, Oracle, etc.)
  • Web development language
  • Tools/libraries used (Castle, NHibernate, etc.)
o Check their data sources for all known exploits against any part of that stack
  • There are known vulnerabilities for each level of the stack
o Begin hacking away
How we protect ourselves
o Don't give away info about your stack
o Change default user accounts
o Delete unused pages and user accounts
o Turn off unused services
o Whitelist pages
o Stay up-to-date on patches
o Consider internal attackers as well as external
o Use automated scanners
Be secretive
o Obfuscate or anonymize ...
  • Error messages
  • HTTP headers
  • URLs
o Don't let anyone know what makes up your stack
  • Anybody know for sure what the big boys use?
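The header and error-message leaks this slide talks about are easy to check for on your own responses. The following is an added example, not code from the course: it parses a raw HTTP response, flags the headers that announce the stack (rating them higher when a version number is present), and searches the body for error text that identifies the language, framework or database. Both responses below are constructed, and the header names and error signatures are my own list, not an exhaustive one.

```python
"""Audit an HTTP response for stack disclosure: identifying headers and
verbose error text. Added example, not from the slides; samples are constructed."""
import re

# Response headers that commonly announce the server or framework.
DISCLOSING_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
}
VERSION_RE = re.compile(r"\d+\.\d+")

# Error-text signatures that reveal the language, framework or RDBMS.
ERROR_SIGNATURES = {
    "php-error": re.compile(r"\bin /\S+ on line \d+"),
    "python-traceback": re.compile(r"Traceback \(most recent call last\)"),
    "aspnet-stack-trace": re.compile(r"\bStack Trace:"),
    "oracle-error": re.compile(r"\bORA-\d{5}\b"),
    "mysql-syntax-error": re.compile(r"You have an error in your SQL syntax"),
}


def split_response(raw):
    """Split a raw HTTP/1.x response into (headers dict, body string).
    Header names are lowercased; the status line is skipped."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def find_disclosures(raw):
    """Return (header, value, severity) for every identifying header.
    A value carrying a version number is 'high'; a bare product name is 'medium'."""
    headers, _ = split_response(raw)
    findings = []
    for name in sorted(headers):
        if name in DISCLOSING_HEADERS:
            value = headers[name]
            severity = "high" if VERSION_RE.search(value) else "medium"
            findings.append((name, value, severity))
    return findings


def find_verbose_errors(raw):
    """Return the names of error signatures found in the response body."""
    _, body = split_response(raw)
    return sorted(label for label, rx in ERROR_SIGNATURES.items() if rx.search(body))


# Constructed sample: a PHP application on Apache returning a database warning.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<b>Warning</b>: mysql_connect(): Access denied for user 'app'@'localhost' "
    "in /var/www/app/db.php on line 12"
)

# The same response after hardening: generic header, generic error page.
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Something went wrong. Reference: 4f2c9a</h1>"
)

if __name__ == "__main__":
    for label, resp in (("original", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, find_disclosures(resp), find_verbose_errors(resp))
```

Run it against responses captured from your own servers (for example the output of `curl -i`); a bare product name still rates "medium" because even that narrows down which exploits apply, and the hardened error page replaces the stack trace with a reference id that can be looked up in the server log.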
Change default accounts
o When you install an OS or server tool, it has a default root account with a default password
o Examples:
  • Windows – "Administrator" & "Administrator"
  • SQL Server – "sa" & no password
  • Oracle – "MASTER" & "PASSWORD"
  • Apache – "root" & "changethis"
o Make sure you change these passwords!
o Completely delete the accounts when possible
Delete unused pages
o Remove all files and pages that are no longer needed
o Focus on:
  • Installation default and sample pages
  • Pages that we've migrated
  • Old and backed-up config files
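The categories on this slide (sample pages, migrated pages, backed-up config files) can be hunted for mechanically. The following is an added example, not code from the course: it walks a web root, classifies each file by name, and reports anything that looks like a backup copy, an archive or a vendor sample. The file names, suffix lists and sample-directory names are my own constructed choices; the demo tree is built in a temporary directory so the script runs stand-alone.

```python
"""Scan a web root for files that should not be served: backup and old
copies of configuration, editor backups, archives and vendor sample pages.
Added example, not from the slides; file names below are constructed."""
import os
import re
import tempfile

BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".sql")
SAMPLE_DIRS = {"samples", "sample", "examples", "demo", "install", "setup"}
SAMPLE_FILES = {"phpinfo.php", "install.php", "setup.php", "iisstart.htm"}
# Numbered copies of config files, e.g. app.conf.1 or web.config.2
NUMBERED_COPY_RE = re.compile(r"\.(config|conf|ini|xml)\.\d+$", re.IGNORECASE)


def classify(relpath):
    """Return a leftover category for a path relative to the web root,
    or None when the file looks like legitimate content."""
    parts = relpath.replace(os.sep, "/").lower().split("/")
    name = parts[-1]
    if name.endswith(BACKUP_SUFFIXES) or NUMBERED_COPY_RE.search(name):
        return "backup-copy"
    if name.endswith(ARCHIVE_SUFFIXES):
        return "archive-in-webroot"
    if name in SAMPLE_FILES or any(d in SAMPLE_DIRS for d in parts[:-1]):
        return "install-or-sample"
    return None


def scan_webroot(root):
    """Walk the web root and return sorted (relative path, category) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root).replace(os.sep, "/")
            category = classify(rel)
            if category:
                findings.append((rel, category))
    return sorted(findings)


def build_demo_tree(root):
    """Create a constructed web root mixing legitimate and leftover files."""
    files = [
        "index.html", "web.config", "web.config.bak", "app/db.php~",
        "samples/hello.jsp", "phpinfo.php", "backup/site-2012.zip", "conf/app.conf.1",
    ]
    for rel in files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")


def demo_scan():
    """Build the demo tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, category in demo_scan():
        print(f"{category:20} {rel}")
```

Point `scan_webroot` at a real document root and review the list before deleting anything; a backup copy such as `web.config.bak` is the classic case, because the web server serves it as plain text even though the original `web.config` is protected.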
Delete unused accounts
o As soon as an employee or contractor leaves, change his password
o Change his username
o Move files and delete the account
o Look for old client accounts and delete them
Turn off unused services
o Look through all running services
o If they're not being used, turn them off
o Disable them upon system startup
o Pay particular attention to:
  • Services enabled upon install
    ― Remote debugging
    ― Content management
  • Services turned on ad-hoc
    ― One-time use
    ― "This is a temporary fix. We'll put a better solution in later."
o Inside IIS, too
  • Directory browsing
  • Ability to run scripts and executables
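The IIS features named on this slide live in web.config, so they can be audited from the file rather than by clicking through the IIS manager. The following is an added example, not code from the course: it parses a web.config and flags directory browsing, Execute or Write rights on the handlers element, and the two settings that send detailed error pages to remote clients. The `directoryBrowse`, `handlers accessPolicy`, `httpErrors errorMode` and `customErrors mode` elements are real IIS/ASP.NET configuration; the two config documents themselves are constructed, one weak and one corrected.

```python
"""Audit an IIS web.config for features the slide says to turn off.
Added example, not from the slides; both config samples are constructed."""
import xml.etree.ElementTree as ET

# Constructed weak configuration: listing on, Execute granted, detailed errors on.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
    <handlers accessPolicy="Read, Script, Execute" />
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>"""

# The same file corrected: listing off, no Execute, detailed errors only for localhost.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <handlers accessPolicy="Read, Script" />
    <httpErrors errorMode="DetailedLocalOnly" />
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text):
    """Return a sorted list of (element, finding) for risky settings.
    Elements that are absent are simply not reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("directoryBrowse"):
        if el.get("enabled", "false").lower() == "true":
            findings.append(("directoryBrowse", "directory listing is enabled"))
    for el in root.iter("handlers"):
        policy = {p.strip().lower() for p in el.get("accessPolicy", "").split(",")}
        if "execute" in policy:
            findings.append(("handlers", "accessPolicy grants Execute"))
        if "write" in policy:
            findings.append(("handlers", "accessPolicy grants Write"))
    for el in root.iter("httpErrors"):
        if el.get("errorMode", "").lower() == "detailed":
            findings.append(("httpErrors", "detailed IIS errors sent to remote clients"))
    for el in root.iter("customErrors"):
        if el.get("mode", "").lower() == "off":
            findings.append(("customErrors", "ASP.NET exception details sent to remote clients"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg))
```

A site inherits settings from applicationHost.config and parent directories, so a clean web.config is not proof by itself; run the same checks on every level of the configuration hierarchy that applies to the site.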
Whitelist pages
o Serve only pages that are allowed
o Intercept requests for pages and disallow any request for something other than ...
  • *.html
  • *.jsp
  • *.js
  • *.css
  • etc.
o Whitelists are better than blacklists
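The interception the slide describes is only as good as the path normalisation in front of it: a filter that looks at the raw request string can be made to see a different name than the file system does. The following is an added example, not code from the course: an allowlist check for exactly the extensions listed on the slide, with canonicalisation for `..` segments, percent-encoding, NUL bytes, hidden files and trailing dots, wrapped as a WSGI middleware that answers 404 for anything else. The middleware, the rule set and the denial reasons are my own; `demo_request` drives it with a trivial application so the whole thing runs offline.

```python
"""Allowlist request filter: serve only paths whose extension is on the list
the slide gives (plus the site root). Added example, not from the slides;
the WSGI wrapper and the path rules are my own."""
import posixpath
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {".html", ".jsp", ".js", ".css"}


def check_path(path, already_decoded=False):
    """Return (allowed, reason). The path is canonicalised first so the
    check sees what the file system would see. Set already_decoded=True
    when the server has already percent-decoded the path (as with WSGI's
    PATH_INFO); decoding twice would make this check disagree with the
    file system."""
    path = path.split("?", 1)[0]          # the query string plays no part
    if not already_decoded:
        path = unquote(path)
    if "\x00" in path or "\\" in path:
        return False, "bad-encoding"       # NUL truncation or backslash separators
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)        # collapses ./, ../ and repeated slashes
    if any(part.startswith(".") for part in path.split("/") if part):
        return False, "hidden-path"        # .git/config, .htaccess, ...
    if path.endswith((".", " ")):
        return False, "trailing-dot"       # NTFS drops these, defeating the extension check
    if path == "/":
        return True, "ok"
    ext = posixpath.splitext(path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension-not-allowed"
    return True, "ok"


def is_allowed(path, already_decoded=False):
    return check_path(path, already_decoded)[0]


class AllowlistMiddleware:
    """WSGI wrapper that answers 404 for anything outside the allowlist
    before the request reaches the application."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_allowed(environ.get("PATH_INFO", "/"), already_decoded=True):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        return self.app(environ, start_response)


def demo_request(path):
    """Push one request through the middleware around a trivial app;
    returns (status line, body bytes)."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<h1>page</h1>"]

    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(AllowlistMiddleware(app)({"PATH_INFO": path}, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for p in ("/index.html", "/style.css?v=2", "/web.config", "/../web.config", "/.git/config"):
        print(p, check_path(p))
```

Directory requests other than the root are denied, since the point is to serve only named pages; log the reason string, because a steady stream of "extension-not-allowed" or "hidden-path" denials is a useful signal that someone is probing for leftover files.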
Update patches
o Patch Tuesday is the most overlooked defense
o Day-one vulnerabilities
Follow the news
o Subscribe to vendors' alert lists
o RSS feed to Wired, Slashdot, etc.
o Use Ifttt.com to get alerts sent to your email or phone
o Twitter users to follow:
  • @ZeroDayDan – Insider's POV
  • @AaronPortnoy – Development techniques
  • @PaulDotCom – Podcasts & videos also
  • @SteveWerby – Hacker with a business mind
Consider internal attackers
o Not just disgruntled folks either
o Rootkits can be installed
o Private files can be exposed
o Web.config can't be served to browsers, but it can be read by employees
  • Encrypt parts of it
Use automated scanners
o Download and install one or more automated scanners
  • Microsoft Baseline Security Analyzer (MBSA)
  • WebScarab from OWASP
  • Burp
  • Paros
o After all, attackers will use tools like this against you
o Harden yourself against them
Summary
o Many hackers find ways to damage our systems that can be stopped by some simple maintenance of the stack
  • Applying patches
  • Removing or changing authentication on unneeded or default accounts
  • Whitelisting the files served
  • Using automated scanners
Like a garden ... If you tend to it a tiny bit every day, it will be beautiful. But if you neglect it for a period of time, it gets very out of hand.
Further study
o TED Talk on Stuxnet: http://bit.ly/StuxnetTEDTalk
o Secure deployment section in the OWASP Development Guide: http://www.owasp.org/index.php/Configuration
o DB of known default accounts: http://www.cirt.net/passwords
o Vulnerability scanning software: http://sectools.org/web-scanners.html