Definition by OWASP:
|
Good security configuration means having a configuration defined and deployed for the application framework, app server, web server, database server and platform. All these settings should be defined, deployed and maintained for the application, not shipped with defaults. This security configuration will keep software up to date, including all code libraries used by the application.
|
A Security Misconfiguration attack can occur at any stage of the application's life. It may affect the application framework, application server, web server, database server or platform.
· The system gets compromised without you knowing it; all your data could be stolen or modified slowly over a period of time.
· Recovery of information is very expensive.
· Consider that both internal user accounts and external outsiders may attempt to compromise the system and disguise their actions.
· Developers and network administrators must work together to ensure the configuration is done properly.
· Make sure you have a process for keeping installed software up to date, with automatic patching and updated code libraries.
Things to keep in mind
· Do you have up-to-date software installed?
  § (Code libraries, OS patch files, web server, database and applications)
· Is everything unnecessary disabled, removed or not installed?
  § (Ports, services, accounts, pages and privileges)
· Disable default accounts or change their passwords.
· Disable or remove unused pages, files and services.
· In error handling, make sure stack traces and other over-informative messages are not leaked.
· A development framework with strong built-in security helps in configuring the application properly.
Identify Security Misconfiguration Occurrence
· Using an identical configuration set-up in the development, testing and production environments minimizes the effort required to set up, and is the fastest and easiest way to deploy.
· Running scanners and periodic audits helps identify future security misconfigurations and missing patches.
Protect from Security Misconfiguration
Customize error message
In error handling, stack traces and other very informative error messages may be exposed.
To prevent stack traces and other very informative error messages from being shown, set <customErrors mode="On" /> in web.config.
The following web.config setting redirects errors to a common error page, which will display as in the image below:
SET <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
Change default account:
When you install an OS or server tool, it comes with a default username and default password.

| Product | User Name | Password |
| OS - Windows | “Administrator” | “Administrator” |
| DB - SQL Server | “Sa” | (no password) |
| DB - Oracle | “MASTER” | “PASSWORD” |
| Web server - Apache | “ROOT” | “CHANGETHIS” |

· Change the default username and password.
· Completely delete the account if possible.
Delete Unused Pages and Unused Account
· Remove unused pages and files that are no longer used in the application.
· Focus on installed and default pages, and on old and backed-up configuration files.
· Remove unused accounts, and the accounts of people who have left the company.
· Clear the user account or change the user account password.
Disable debugging
Avoid running the application with debug mode set to true by default. This also leads to slow execution of the application.
Request validation (DotNetNuke, design utopia) is your safety net – don’t turn it off!
Getting back to XSS, request validation ensures that when a potentially malicious string is sent to the server via means such as form data or a query string, the safety net is deployed (traction control on – throttle cut) and the string is caught before it’s actually processed by the app.
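The customErrors, debug and request validation settings above all live in web.config. As an added example (not from the original post), here is a small Python audit that parses a web.config and flags each of those weak settings, plus directory browsing from scenario #3 below; both sample web.config files are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config with the weak settings present.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" targetFramework="4.0" />
    <pages validateRequest="false" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>"""
# Constructed sample: the same file with the settings the post recommends.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite"
                  defaultRedirect="~/Error.aspx" />
    <compilation debug="false" targetFramework="4.0" />
    <pages validateRequest="true" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>"""

def _attr_is(root, path, attr, value):
    """True if the element at path exists and attr equals value (case-insensitive)."""
    el = root.find(path)
    return el is not None and el.get(attr, "").lower() == value

def audit_web_config(xml_text):
    """Return one finding string per misconfiguration found in the web.config text."""
    root = ET.fromstring(xml_text)
    findings = []
    # Error pages: an explicit mode="Off" leaks stack traces; no element means
    # the machine-level default applies, which this file does not control.
    ce = root.find("system.web/customErrors")
    if ce is None:
        findings.append("customErrors not set: inherits machine-level default")
    elif ce.get("mode", "").lower() == "off":
        findings.append("customErrors mode=Off: stack traces reach the client")
    if _attr_is(root, "system.web/compilation", "debug", "true"):
        findings.append("compilation debug=true: debug build deployed")
    if _attr_is(root, "system.web/pages", "validateRequest", "false"):
        findings.append("request validation disabled: XSS safety net off")
    if _attr_is(root, "system.webServer/directoryBrowse", "enabled", "true"):
        findings.append("directory browsing enabled: any file can be listed")
    return findings
```

Run audit_web_config on each sample: the weak file yields four findings and the hardened one yields none.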
Update Patches
· Apply patches and update library files and software whenever updates are released.
Use automated Scanners
· Scanners are useful for detecting missing patches and misconfigurations.
· Download and install one or more automated scanners:
• Microsoft Baseline Security Analyzer (MBSA)
• WebScarab from OWASP
Check List for protecting Security Misconfiguration
| Considering | | Verified/Not |
| Check updated software installed | Software installed | |
| | Operating system patch files | |
| | Code libraries (DLLs) | |
| Disabled / removed / not installed configuration settings | Ports | |
| | Services | |
| | Accounts | |
| | Pages | |
| | Privileges | |
| Strong framework | To avoid XSS attacks in an unprotected application framework | |
| Install one or more automated scanners | MBSA (Microsoft Baseline Security Analyser) / WebScarab from OWASP | |
| Customize error message | A stack trace exposes over-informative messages; instead open a default error page to avoid exposing information | |
Summary
Attackers find many ways to attack our application that can be stopped by some simple maintenance of the stack:
· Applying patches.
· Removing or modifying authentication for default or unneeded accounts.
· Customising error messages.
· Using automated scanners.
Some Example Scenarios for Security Misconfiguration
Scenario #1:
Your application relies on a powerful framework like Struts or Spring.
XSS flaws are found in these framework components you rely on. An update is
released to fix these flaws but you don’t update your libraries. Until you do,
attackers can easily find and exploit these flaws in your app.
Scenario #2:
The app
server admin console is automatically installed and not removed. Default account
isn’t changed. Attacker discovers the standard admin pages are on your server,
logs in with default passwords, and takes over.
Scenario #3:
Directory listing is
not disabled on your server. Attacker discovers she can simply list directories
to find any file. Attacker finds and downloads all your compiled Java classes,
which she reverse engineers to get all your custom code. She then finds a
serious access control flaw in your application.
Scenario #4:
App server
configuration allows stack traces to be returned to users, potentially exposing
underlying flaws. Attackers love the extra information error messages provide.