It's a presentation about A5 - Security Misconfiguration - Top ten - OWASP-2013.

1. Security
Misconfiguration
Sorina-Georgiana CHIRILĂ - 2013

2. About
●
“ This happens when
the system admins ,
DBAs and developers
leave security holes in the
configuration of computer
systems. ”
A5
http://www.inteco.es
htts://www.inteco.es

3. Idea(1)
Attacker accesses :
●
●
●
●
default accounts,
unused pages,
unpatched flaws,
unprotected files and directories.
Security misconfiguration can happen at any
level on an application stack:
●
●
●
●
●
including the platform,
web & application server,
database,
framework,
custom code.

4. Idea(2)
http://www.slideshare.net/tabaradetestare

5. Example
●
Get information about server type or current web development language .

6. Typical attack approach
●
●
Find information related to : OS type and version, libraries, tools, Web server type ,web
development language,
And then

7. How to prevent ?
●
●
●
●
●
●
●
●
●
●
Remove/ change default credentials,
Keep up to date software,
Look for disabling unused components or services,
Take in consideration automated scanners(OpenVAS, WATOBO,WebScarab, https://asafaweb.
com/),
Setup a process for security updates,
Use minimal privileges everywhere,
Remove all unused pages and user accounts,
Create whitelist pages,
Update patches(small piece of software used to correct a problem with OS for example),
Review configuration default for : frameworks, db, web server ….

8. Case studies

9. Resources
●
●
●
●
●
●
●
●
●
●
●
●
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration,
http://www.slideshare.net/skoussa/simplified-security-code-review-process,
http://www.slideshare.net/tabaradetestare/security-testing-21078196,
http://eric-diehl.com/category/security/,
http://www.slideshare.net/owaspkhartoum/owasp-kartoum-top-10-a6-8th-meeting,
https://www.mavitunasecurity.com/blog/owasp-top-10-2013/,
http://www.slideshare.net/RapPayne/a6-security-misconfigurationpptx,
http://www.slideshare.net/carlo.bonamico/is-my-web-application-secure-owasp-top-ten-security-risks-and-beyond,
https://isc.sans.edu/presentations/SANSFIRE2012-Russ_McRee-OWASPTop10.pdf,
http://projects.webappsec.org/w/page/13246914/Application%20Misconfiguration,
http://cwe.mitre.org/data/definitions/933.html,
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration.

10. Thank You!