2. INTRODUCTION
New to the OWASP Top 10.
Was there in 2004. On OWASP list in 2007.
This happens when the system administrators,
DBAs and developers leave security holes in the
configuration of computer systems.
OWASP 2
3. Security misconfiguration can happen at any level
of an application stack, including:
the platform,
web server,
application server,
framework,
and custom code
5. How attackers do it
Collecting info about the targeted system's stack
OS and version number
Web server type (Apache, IIS, etc.)
RDBMS (MySQL, SQL Server, Oracle, etc.)
Web development language
Tools/libraries used (Hibernate, etc.)
Check their data sources for all known exploits against
any part of that stack.
There are known vulnerabilities for each level of
the stack.
Begin hacking away
6. Example Scenarios
Scenario #1:
Your application relies on a powerful
framework like Struts or Spring.
XSS flaws are found in these framework
components you rely on.
An update is released to fix these flaws but
you don’t update your libraries.
Until you do, attackers can easily find and
exploit these flaws in your app.
7. Example Scenarios
Scenario #2:
The app server admin console is automatically
installed and not removed.
Default accounts aren’t changed.
Attacker discovers the standard admin pages
are on your server, logs in with default
passwords and takes over.
8. How we protect ourselves
Don't give away info about your stack
Change default user accounts
Delete unused pages and user accounts
Turn off unused services
Disable directory listings if they are not
necessary, or set access controls to deny all
requests.
Stay up to date on patches
Consider internal attackers as well as external.
Use automated scanners
9. Change default accounts
When you install an OS or server tool, it has a
default root account with a default password.
Examples:
Windows - "Administrator" & "Administrator"
SQL Server - "sa" & no password
Oracle - "MASTER" & "PASSWORD"
Apache - "root" & "change this"
Make sure you change these passwords!
Completely delete the accounts when possible
10. Delete unused accounts
As soon as an employee or contractor leaves,
change his password.
Change his username.
Move files and delete the account.
Look for old client accounts and delete them.
11. Turn off unused services
Look through all running services
If they're not being used, turn them off
Disable them upon system start up
Pay particular attention to:
Services enabled upon install
― Remote debugging
― Content management
Services turned on ad-hoc
― One-time use
― "This is a temporary repair.
We'll put a better solution in later."
Inside IIS, too:
Directory browsing
Ability to run scripts and executables
12. Whitelist pages
Serve only pages that are allowed.
Intercept requests for pages and disallow any
request for something other than...
*.html
*.jsp
*.js
*.css
etc.
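The intercept-and-disallow rule above, written out as an added example that is not part of the original slides: a path check plus a WSGI wrapper that returns 403 for anything outside the allowed page types. The extension set, the hypothetical function names and the decoding rules are my assumptions; the check also covers the cases a raw extension test misses (percent-encoded dots, NUL bytes, directory requests, and '..' segments).

```python
import posixpath
from urllib.parse import unquote

# Allowed page types from the slide; assumed set, adjust per deployment.
ALLOWED_EXTENSIONS = frozenset({".html", ".jsp", ".js", ".css"})


def is_allowed_path(path: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Decide whether an already-decoded request path names an allowed page.

    Rejects relative paths, embedded NUL bytes (older servers truncate the
    name there), directory requests (trailing slash or no file name, which
    is what invites a directory listing), and any extension outside the
    whitelist. '..' and '//' are collapsed first so the name tested is the
    one the server would actually resolve.
    """
    if not path.startswith("/") or "\x00" in path or path.endswith("/"):
        return False
    normalised = posixpath.normpath(path)
    name = posixpath.basename(normalised)
    if not name:
        return False
    return posixpath.splitext(name)[1].lower() in allowed


def check_request_target(raw_target: str) -> bool:
    """Apply the whitelist to a raw, still percent-encoded request target."""
    path = raw_target.split("?", 1)[0]   # the query string names no page
    return is_allowed_path(unquote(path))


def whitelist_middleware(app):
    """WSGI wrapper: answer 403 to any request that fails the whitelist.

    PATH_INFO is already decoded once by the server, so it is not unquoted
    again here. Assumes '/' is mapped to an index page before this layer.
    """
    def wrapped(environ, start_response):
        if not is_allowed_path(environ.get("PATH_INFO", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return app(environ, start_response)
    return wrapped
```

An extension whitelist only limits which file types are served; an admin console that is itself a .jsp page still needs to be removed or access-controlled as the other slides describe.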
13. Update patches
Patch Tuesday is the most overlooked defense
* Patch Tuesday is usually the second Tuesday
of each month
Day-one vulnerabilities
Subscribe to vendors' alert lists
http://www.microsoft.com/security/pc-security/default.aspx#Security-Updates
RSS feed
http://www.novell.com/company/rss/patches.html
14. CONCLUSIONS
Safeguarding your website from malicious users and
attacks is important, regardless of what type of site
you have or how many visitors your site receives.
Security misconfiguration, or poorly configured
security controls, could allow malicious users to
change your website, obtain unauthorized access,
compromise files, or perform other unintended
actions.
While there is no one-size-fits-all security
configuration, you can use these points to develop a
plan that works for your situation. I hope that this
presentation helps you to create such a plan.
15. Resources
1. OWASP http://www.owasp.org/
2. DB of known default accounts
http://www.cirt.net/passwords
3. Web Protection Site Scanner
https://www.websiteprotection.com/
4. Vulnerability scanning software
http://sectools.org/web-scanners.html