Security Misconfiguration
Version: 1.0
Date: 2016.07.28
Author: P. Morimoto
Responsible: P. Morimoto
Confidentiality Class: Public
© 2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Vienna (HQ) | AT
Wiener Neustadt | AT
Vilnius | LT
Berlin | DE
Montreal | CA
Singapore | SG
Moscow | RU
Zurich | CH
Bangkok | TH
(Map legend: SEC Consult Offices / SEC Consult Clients)
SEC Consult – Who we are
Founded in 2002
70+ Security Experts
400+ Security Audits per year
Globally operating SEC Consult Vulnerability Lab
Advisor for information security
Expert for the implementation of security processes and policies
(ISO 27001, BS 25999, GSHB)
Leading company for technical security audits
Specialist for web application security according to ONR 17700
Independent of product manufacturers
Our customers are public authorities, financial institutions and
insurance companies in Central Europe
Sectoral orientation (defence, public, finance, industry)
SEC Consult – Who we are
ISO/IEC 27001 Certificate
entire company within certification scope
certified since 16.01.2008
SEC Consult Vulnerability Lab
Europe's leading research lab for the identification of vulnerabilities and the analysis of new technologies, products and applications (security advisories)
Integral part of the education and further training of the security experts at SEC Consult
Early information for our customers through SEC Consult security alerts
Support of well-known manufacturers to enhance the security of their products
Companies and organisations SEC Consult has released security advisories for (excerpt). For details see: http://www.sec-consult.com/72.html
Who Am I? (Professional)
Pichaya Morimoto
IT Security Consultant
Certifications:
• GIAC Web Application
Penetration Tester (GWAPT)
• Certified Ethical Hacker (CEH)
Published Security Advisories:
• 2014
- Privilege Escalation in Snort pfSense Package
- Wordpress TimThumb 2.8.13 WebShot RCE
- HybridAuth install.php PHP RCE
• 2015
- PHP MoAdmin 1.1.2 RCE
- Schedule Facebook Posts 1.5.6 SQL Injection
- Lime Survey Multiple Critical Vulnerabilities
• 2016
- Yeager CMS Multiple Critical Vulnerabilities
- ASUS DSL-N55U router Multiple Vulnerabilities
Who Am I? (Personal)
Administrator of สอนแฮกเว็บแบบแมว ๆ
CTF Player of Pwnladin Team
Co-Moderator of 2600 Thailand Group
Security Addict
http://thehackernews.com/2014/06/zero-day-timthumb-webshot-vulnerability.html
Who Am I? (Personal)
• bug bounties
• responsible disclosures
Metasploit modules:
• exploit/multi/http/phpmoadmin_exec
• exploit/unix/webapp/hybridauth_install_php_exec
• auxiliary/admin/http/limesurvey_file_download
and a lot more private exploit research and development : )
Bug Bounty Hunter Wannabe
To Be Announced…
OWASP Thailand Chapter
OWASP Thailand Meeting 3/2014
Topic: SQL Injection 101: It is not just about ' or '1'='1
OWASP Thailand Meeting 5/2015
Topic: SQLi + Secure Coding with Hands-on
OWASP Top 10 - 2013
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
A5 ?
Source: http://www.yi-ren.net/pics/2008/080816-CUT/DSCF1787.jpg
A5 - Security Misconfiguration
Security misconfiguration can happen at any level of an application stack,
including the platform, web server, application server, database, framework,
and custom code. Developers and system administrators need to work together
to ensure that the entire stack is configured properly.
Automated scanners are useful for detecting missing patches,
misconfigurations, use of default accounts, unnecessary services, etc.
Source: https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
A5 - Security Misconfiguration
Good security requires having a secure configuration defined
and deployed for the application, frameworks, application server,
web server, database server, and platform.
Secure settings should be defined, implemented, and maintained,
as defaults are often insecure.
Additionally, software should be kept up to date.
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP Top 10 – 2010 / 2013
Source: https://www.owasp.org/index.php/Top_10_2013-Release_Notes
Content Overview
• Information disclosures
• Directory listing
• Stack traces or debug mode
• Outdated or unpatched software
• Default credentials
• Unnecessary features
• Unprotected resources
• Missing security headers / cookie flags
• Overly permissive policies
• CNAME record and unclaimed S3
Information Disclosure - 1
Nginx HTTP Server 1.3.9-1.4.0 Stack Buffer Overflow
Source: https://www.exploit-db.com/exploits/25775/
PHP < 5.3.4 NULL Byte Injection in Paths
Source: http://php.net/releases/5_3_4.php
Information Disclosure - 2
BIGipServerRSSO?
Cookies are a hacker's friend.
Fingerprint Web Application Framework (OTG-INFO-008)
How to Test
- HTTP headers
- Cookies
- HTML source code
- Specific files and folders
Source: https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
Django Fingerprint by Anti-CSRF errors (1/3)
Django Fingerprint by Anti-CSRF errors (2/3)
Django Fingerprint by Anti-CSRF errors (3/3)
Directory Listing
Directory Listing – Special
HTTP Verb Tampering (OTG-INPVAL-003)
Source: https://www.owasp.org/index.php?title=Testing_for_HTTP_Verb_Tampering_(OTG-INPVAL-003)
Stack Traces / Debug Mode
Source: https://hackerone.com/reports/128853
Stack Trace with Partial Source Code
Stack Trace with Database Password
[2002] SQLSTATE[HY000] [2002] No such file or directory
#0 /usr/share/php/Doctrine/DBAL/Driver/PDOConnection.php(40): PDO->__construct('mysql:host=loca...', 'owncloud', 'database password...', Array)
#1 /usr/share/php/Doctrine/DBAL/Driver/PDOMySql/Driver.php(41): Doctrine\DBAL\Driver\PDOConnection->__construct('mysql:host=loca...', 'owncloud', 'database password...', Array)
#2 /usr/share/php/Doctrine/DBAL/Connection.php(356): Doctrine\DBAL\Driver\PDOMySql\Driver->connect(Array, 'owncloud', 'database password...', Array)
#3 /usr/share/php/Doctrine/DBAL/Connection.php(680): Doctrine\DBAL\Connection->connect()
#4 /usr/share/owncloud/lib/private/db/connection.php(107): Doctrine\DBAL\Connection->executeQuery('SELECT `configv...', Array, Array, NULL)
#5 /usr/share/owncloud/lib/private/appconfig.php(259): OC\DB\Connection->executeQuery('SELECT `configv...', Array)
#6 /usr/share/owncloud/lib/private/app.php(184): OC\AppConfig->getValues(false, 'enabled')
#7 /usr/share/owncloud/lib/private/app.php(69): OC_App::getEnabledApps()
#8 /usr/share/owncloud/lib/base.php(515): OC_App::loadApps(Array)
#9 /usr/share/owncloud/lib/base.php(1012): OC::init()
#10 /usr/share/owncloud/index.php(26): require_once('/usr/share/ownc...')
#11 {main}
Source: https://github.com/owncloud/core/issues/11325
Outdated Software / Missing Security Patches
- http://seclists.org/fulldisclosure/
- https://cve.mitre.org/cve/cve.html
- https://www.exploit-db.com/
- …
Default Passwords / Default Accounts
admin:password
admin:admin
admin:qwerty
admin:12345
admin:123456
…
Source: http://www.4gltemall.com/blog/wp-content/uploads/2013/10/Back-stick-of-HUAWEI-B593u-12.jpg
Default Passwords / Default Accounts
Source: https://doc.pfsense.org/index.php/Installing_pfSense#pfSense_Default_Configuration
Default Passwords / Default Accounts
Source: http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/TypesofSplunklicenses
Default Secret Token
Source: http://exfiltrated.com/research-Instagram-RCE.php
Default Encryption Key
Source: http://www.slideshare.net/pichayaa/from-web-vulnerability-to-exploit-in-15-minutes
Unnecessary Features – Apache’s mod_info
Unnecessary Features – PHP INFO
- PHP version
- document_root
- $PATH
- Environment variables
- disable_functions
- allow_url_fopen
- allow_url_include
- open_basedir
- …
Unnecessary Features – robots.txt, sitemap.xml
http://example.com/robots.txt
User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs
Disallow: /include
Source: https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
Web Server – Missing Security Headers
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; preload
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
public-key-pins-report-only: max-age=500;
pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
[…]
Pragma: no-cache
content-security-policy: default-src * data: blob:;script-src *.facebook.com
[…]
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT;
Max-Age=-1469692008; path=/; domain=.facebook.com
Vary: Accept-Encoding
Content-Encoding: br
Content-Type: text/html
X-FB-Debug: +ggB6Nz/jblNnRf72/[…]
Date: Thu, 28 Jul 2016 07:46:49 GMT
Connection: close
Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
41
Strict-Transport-Security
Strict-Transport-Security: max-age=15552000; preload
Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
Goal:
To protect websites against protocol downgrade attacks and cookie hijacking.
Values:
- max-age=SECONDS: The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
- includeSubDomains: If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
42
X-Frame-Options
X-Frame-Options: DENY
Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
Goal:
To improve the protection of web applications against Clickjacking.
Values:
- deny: No rendering within a frame.
- sameorigin: No rendering if origin mismatch.
- allow-from: DOMAIN: Allows rendering if framed by a frame loaded from DOMAIN.
43
X-XSS-Protection
X-XSS-Protection: 0
Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
Goal:
To enable the Cross-site scripting (XSS) filter in the browser.
Values:
- 0: Filter disabled.
- 1: Filter enabled. If an XSS attack is detected, the browser will sanitize the page in order to stop the attack.
- 1; mode=block: Filter enabled. Rather than sanitizing the page, when an XSS attack is detected the browser will prevent rendering of the page.
- 1; report=http://[YOURDOMAIN]/your_report_URI: Filter enabled. The browser will sanitize the page and report the violation. This is a Chromium function utilizing CSP violation reports to send details to a URI of your choice.
44
X-Content-Type-Options
X-Content-Type-Options: nosniff
Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
Goal:
To prevent Internet Explorer and Chrome from interpreting files as something other than what is declared by the Content-Type header.
Values:
- nosniff: Prevents Internet Explorer and Chrome from MIME-sniffing a response away from the declared content-type.
45
Public Key Pinning Extension for HTTP (HPKP)
public-key-pins-report-only: max-age=500;
pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
[…]
Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
Goal:
To resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
Values:
- pin-sha256="<sha256>": The quoted string is the Base64 encoded Subject Public Key Information (SPKI) fingerprint. It is possible to specify multiple pins for different public keys. Some browsers might allow other hashing algorithms than SHA-256 in the future.
- max-age=SECONDS: The time, in seconds, that the browser should remember that this site is only to be accessed using one of the pinned keys.
- includeSubDomains: If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
- report-uri="<URL>": If this optional parameter is specified, pin validation failures are reported to the given URL.
46
Content-Security-Policy
HTTP/1.1 200 OK
content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net
*.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:*
'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net
*.atlassolutions.com blob: data:;style-src * 'unsafe-inline' data:;connect-src *.facebook.com
*.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:*
https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:*
blob: chrome-extension://boadgeojelhgndaghljhdicfkmllpafd;
Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
Goal:
To prevent a wide range of (client-side) attacks, including Cross-site scripting and other cross-site injections.
Values:
[.. See in source link ..]
Example:
Content-Security-Policy: script-src 'self'
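The header checks from the HSTS, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, HPKP and CSP slides above, as one added audit script; this is example code, not part of the slides or of the OWASP project. The sample response is a trimmed copy of the dump shown on the slides, and the 180-day HSTS threshold is an assumption.

```python
"""Security-header audit for a raw HTTP response (added example)."""
import re

# Constructed sample: a trimmed copy of the response dump shown on the slides,
# with the two-line HPKP header joined and the pin value replaced by a placeholder.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; preload
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
public-key-pins-report-only: max-age=500; pin-sha256="PLACEHOLDER_SPKI_HASH="
content-security-policy: default-src * data: blob:;script-src *.facebook.com 'unsafe-inline' 'unsafe-eval'
Content-Type: text/html
"""

MIN_HSTS_AGE = 15552000  # 180 days, the value in the sample; an assumption of this audit


def parse_response(raw):
    """Split a raw response into its status line and a {lower-name: [values]} map."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def parse_csp(policy):
    """Turn 'default-src * data:; script-src a b' into {'default-src': [...], ...}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy):
    """Flag script sources that make a CSP ineffective against XSS."""
    findings = []
    directives = parse_csp(policy)
    # script-src falls back to default-src when it is absent
    script_src = directives.get("script-src", directives.get("default-src", []))
    for weak in ("*", "'unsafe-inline'", "'unsafe-eval'", "data:"):
        if weak in script_src:
            findings.append(("medium", "Content-Security-Policy", f"script-src allows {weak}"))
    return findings


def audit_headers(headers):
    """Return (severity, header, message) findings for the headers the slides cover."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append(("high", "Strict-Transport-Security", "missing"))
    else:
        match = re.search(r"max-age=(\d+)", hsts[0])
        age = int(match.group(1)) if match else 0
        if age < MIN_HSTS_AGE:
            findings.append(("medium", "Strict-Transport-Security", f"max-age={age} is below {MIN_HSTS_AGE}"))
        if "includesubdomains" not in hsts[0].lower():
            findings.append(("low", "Strict-Transport-Security", "includeSubDomains not set"))

    xfo = headers.get("x-frame-options")
    if not xfo:
        findings.append(("medium", "X-Frame-Options", "missing (clickjacking)"))
    elif xfo[0].lower() not in ("deny", "sameorigin") and not xfo[0].lower().startswith("allow-from"):
        findings.append(("medium", "X-Frame-Options", f"unrecognised value {xfo[0]!r}"))

    xxp = headers.get("x-xss-protection")
    if not xxp:
        findings.append(("low", "X-XSS-Protection", "missing"))
    elif xxp[0].strip().startswith("0"):
        findings.append(("info", "X-XSS-Protection", "filter disabled (value 0)"))

    xcto = headers.get("x-content-type-options")
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options", "nosniff not set"))

    if "public-key-pins" not in headers and "public-key-pins-report-only" in headers:
        findings.append(("info", "Public-Key-Pins", "report-only mode; pins are not enforced"))

    csp = headers.get("content-security-policy")
    if not csp:
        findings.append(("medium", "Content-Security-Policy", "missing"))
    else:
        findings.extend(audit_csp(csp[0]))
    return findings


if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_RESPONSE)
    print(status)
    for severity, header, message in audit_headers(hdrs):
        print(f"[{severity:6}] {header}: {message}")
```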
47
Testing for cookies attributes (OTG-SESS-002)
Source: https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)
• Secure Attribute
• HttpOnly Attribute
• Domain Attribute
• Path Attribute
• Expires Attribute
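An added audit for the five cookie attributes listed above; this is example code, not from the slides or from OWASP. The sample Set-Cookie headers are constructed (the first is the deletion cookie from the response dump on the earlier slides), and the name pattern used to recognise session cookies is an assumption.

```python
"""Set-Cookie attribute audit for OTG-SESS-002 (added example)."""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers; the first is the cookie shown in the slides' response dump.
SAMPLE_SET_COOKIES = [
    "wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=-1469692008; path=/; domain=.facebook.com",
    "JSESSIONID=constructed0123; Path=/app; Domain=.example.com; Expires=Sat, 01 Jan 2099 00:00:00 GMT",
    "session=constructed4567; Path=/; Secure; HttpOnly; SameSite=Strict",
]

# Assumption: cookie names matching this carry a session identifier or token.
SESSION_NAME_RE = re.compile(r"sess|token|auth", re.IGNORECASE)


def parse_set_cookie(header):
    """Return (name, value, attrs); attrs maps lower-cased attribute names to values ('' for flags)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def parse_expires(value):
    """Parse an Expires date (RFC 1123 or the older dd-Mon-yyyy form) as an aware datetime, or None."""
    if not value:
        return None
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def is_persistent(attrs):
    """True if Max-Age or Expires keeps the cookie beyond the browser session."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    expires = parse_expires(attrs.get("expires"))
    return expires is not None and expires > datetime.now(timezone.utc)


def is_deletion(attrs):
    """A non-positive Max-Age or an Expires in the past clears the cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    expires = parse_expires(attrs.get("expires"))
    return expires is not None and expires <= datetime.now(timezone.utc)


def audit_set_cookie(header, served_over_https=True):
    """Return (cookie-name, finding) tuples for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if is_deletion(attrs):
        return findings  # the cookie is being cleared; nothing to protect
    if served_over_https and "secure" not in attrs:
        findings.append((name, "missing Secure: sent over plain HTTP as well"))
    if "httponly" not in attrs:
        findings.append((name, "missing HttpOnly: readable from JavaScript"))
    if attrs.get("domain"):
        findings.append((name, f"Domain={attrs['domain']} shares the cookie with every subdomain"))
    if attrs.get("path", "/") == "/":
        findings.append((name, "Path=/ exposes the cookie to every application on the host"))
    if SESSION_NAME_RE.search(name) and is_persistent(attrs):
        findings.append((name, "session cookie is persistent (Expires/Max-Age set)"))
    return findings


def audit_all(set_cookie_headers):
    """Audit a list of Set-Cookie headers, returning {cookie-name: [findings]}."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in set_cookie_headers}


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_SET_COOKIES).items():
        print(cookie, "->", [f for _, f in findings] or "ok")
```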
48
Unprotected files and directories
- http://example.com/backup.zip
- http://example.com/dump.sql
- http://example.com/password.txt
- http://example.com/wp-config.php.txt
- http://example.com/db-config.txt
…
Source: https://hackerone.com/reports/33083
…
49
Unprotected Administrator Pages
http://example.com/admin/
http://example.com/backend/
http://example.com/backoffice/
…
50
Publicly accessible Tomcat Manager
• HTTP Basic Auth
• Brute force-able
http://example.com:8443/manager/
http://example.com:8080/manager/
51
Unprotected Code Repository (Git, SVN)
Source: https://hackerone.com/reports/72243
http://example.com/.git/
http://example.com/.svn/entries
…
Exploit:
$ svn checkout <URL>
$ git clone <URL>
or https://github.com/kost/dvcs-ripper
52
Unprotected Docker Repository
$ docker pull <URL>
Source: https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
53
Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
Source: https://www.owasp.org/index.php/Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004)
Programmers’ comments:
<!-- <A HREF="uploadfile.jsp">Upload a document to the server</A> -->
<!-- Link removed while bugs in uploadfile.jsp are fixed -->
JavaScript may contain page links that are only rendered within the user’s GUI
under certain circumstances:
var adminUser=false;
if (adminUser)
menu.add (new menuItem ("Maintain users", "/admin/useradmin.jsp"));
HTML pages may contain FORMs that have been hidden by disabling the SUBMIT element:
<FORM action="forgotPassword.jsp" method="post">
<INPUT type="hidden" name="userID" value="123">
<!-- <INPUT type="submit" value="Forgot Password"> -->
</FORM>
54
Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)
Source: https://www.ssllabs.com/ssltest/analyze.html?d=www.gmail.com&s=216.58.194.165&latest
Online
- https://www.ssllabs.com/
Offline
- OpenSSL toolkit
- Nessus, Nmap scripts
- https://github.com/drwetter/testssl.sh/
- …
55
Overly permissive Adobe's crossdomain.xml policy (OTG-CONFIG-008)
Bad:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
Source: https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_(OTG-CONFIG-008)
56
Overly permissive Adobe's crossdomain.xml policy (OTG-CONFIG-008)
Good:
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="twitter.com"/>
<allow-access-from domain="api.twitter.com"/>
<allow-access-from domain="search.twitter.com"/>
<allow-access-from domain="static.twitter.com"/>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>
Source: https://twitter.com/crossdomain.xml
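An added checker for the crossdomain.xml settings the Bad and Good slides contrast; this is example code, not from the slides, OWASP or Adobe. The two embedded policies are constructed from the examples above (DOCTYPE and schema attributes omitted), and the severity labels are this example's own assumption.

```python
"""crossdomain.xml audit for the permissive settings on the OTG-CONFIG-008 slides (added example)."""
import xml.etree.ElementTree as ET

# Constructed from the 'Bad' slide (DOCTYPE omitted).
BAD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""

# Constructed from the 'Good' slide (schema attributes omitted).
GOOD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="twitter.com"/>
  <allow-access-from domain="api.twitter.com"/>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>"""


def check_grant(element, findings):
    """Shared checks for allow-access-from and allow-http-request-headers-from elements."""
    tag = element.tag
    domain = element.get("domain", "")
    if domain == "*":
        findings.append(("high", f'{tag} domain="*": any site can read responses with the victim\'s cookies'))
    elif domain.startswith("*."):
        findings.append(("info", f'{tag} domain="{domain}": every subdomain is trusted; confirm all are controlled'))
    # Adobe's default for secure is true when the policy is served over HTTPS.
    if element.get("secure", "true").lower() == "false":
        findings.append(("medium", f'{tag} domain="{domain}" secure="false": http:// origins may read https:// content'))


def audit_crossdomain(xml_text):
    """Return (severity, message) findings for a crossdomain.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    site_control = root.find("site-control")
    if site_control is None:
        findings.append(("low", "no site-control element: sub-policies elsewhere on the host may be honoured"))
    elif site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("high", 'site-control permitted-cross-domain-policies="all": any policy file on the host is trusted; use "master-only"'))
    for element in root.findall("allow-access-from") + root.findall("allow-http-request-headers-from"):
        check_grant(element, findings)
    return findings


if __name__ == "__main__":
    for label, policy in (("Bad", BAD_POLICY), ("Good", GOOD_POLICY)):
        print(label)
        for severity, message in audit_crossdomain(policy):
            print(f"  [{severity}] {message}")
```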
57
Overly permissive CORS policy
Source: https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Cross_Origin_Resource_Sharing
Bad:
HTTP/1.1 200 OK
[...]
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
[...]
Good:
HTTP/1.1 200 OK
[…]
Access-Control-Allow-Origin: https://www.facebook.com
Access-Control-Allow-Credentials: true
[…]
Please note that it is only acceptable to do this if the origin has no sensitive content.
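An added example of the allow-list approach behind the Good response above, together with a check that flags the Bad pairing; this is example code, not from the slides or the OWASP cheat sheet. The allow-list and the three header sets are constructed.

```python
"""CORS: allow-listed origins instead of '*' or a reflected Origin (added example)."""

# Constructed allow-list of origins that may read responses with credentials.
ALLOWED_ORIGINS = {"https://www.facebook.com", "https://app.example.com"}


def cors_response_headers(request_origin, allowed=ALLOWED_ORIGINS, credentials=True):
    """Headers a server should add for a cross-origin request, or {} if the origin is not trusted.

    The Origin is echoed only when it is on the allow-list, so '*' is never combined
    with credentials and an arbitrary Origin is never reflected.
    """
    if request_origin is None or request_origin not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_cors(response_headers, request_origin=None, allowed=ALLOWED_ORIGINS):
    """Flag overly permissive CORS responses; request_origin is the Origin the probe request carried."""
    findings = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    with_credentials = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return findings  # no CORS grant at all
    if acao == "*":
        findings.append("wildcard origin: every site may read this response")
        if with_credentials:
            findings.append("wildcard origin combined with credentials (the 'Bad' case on the slide)")
    elif acao == "null":
        findings.append("'null' origin allowed: sandboxed iframes and file:// pages match it")
    elif request_origin and acao == request_origin and request_origin not in allowed:
        findings.append("arbitrary Origin reflected" + (" with credentials" if with_credentials else ""))
    if with_credentials and "Origin" not in response_headers.get("Vary", ""):
        findings.append("missing Vary: Origin; caches may serve one origin's ACAO to another")
    return findings


# Constructed header sets: the slide's Bad pair, the hardened Good response, and a reflected Origin.
BAD_RESPONSE = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}
GOOD_RESPONSE = cors_response_headers("https://www.facebook.com")
REFLECTED_RESPONSE = {"Access-Control-Allow-Origin": "https://untrusted.example",
                      "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}

if __name__ == "__main__":
    print("bad:", audit_cors(BAD_RESPONSE))
    print("good:", audit_cors(GOOD_RESPONSE))
    print("reflected:", audit_cors(REFLECTED_RESPONSE, "https://untrusted.example"))
```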
58
Windows Short (8.3) filename expansion
Source: http://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
C:\> dir /X
You can replace: http://example.com/backup-082119f75623eb7abd7bf357698ff66c.sql
With: http://example.com/BACKUP~1.SQL
Exploit:
https://github.com/irsdl/IIS-ShortName-Scanner
59
Mitigate Security Misconfiguration Vulnerabilities
1. RTFM : Read the Fantastic Manual
2. Do regular configuration audits
3. Deploy or harden configurations using automated methods (scripts, Ansible, Puppet, Chef etc.)
4. Implement patch and configuration management procedures
60
DNS CNAME to subdomain takeover?
Source: https://hackerone.com/reports/149679
61
Customizing Amazon S3 URLs with CNAMEs
“Depending on your needs, you might not want "s3.amazonaws.com" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/.
The bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.”
Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html,
https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
62
DNS CNAME + unclaimed Amazon S3 bucket
Source: https://hackerone.com/reports/121461, https://hackerone.com/reports/125118, https://hackerone.com/reports/32825, https://hackerone.com/reports/109699
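An added defender-side check for the CNAME-to-S3 situation on the last three slides; this is example code, not from the slides, AWS or the HackerOne reports. Because S3 serves the bucket named by the Host header (the rule quoted from the AWS documentation above), a CNAME to S3 is only safe while a bucket named exactly like the hostname is owned; the zone records, the owned-bucket set and the S3 endpoint pattern below are constructed assumptions.

```python
"""Find DNS CNAMEs that hand a hostname to an Amazon S3 bucket nobody owns (added example)."""
import re

# Matches bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com and
# bucket.s3-website-<region>.amazonaws.com. Assumption: only these endpoint shapes are in use.
S3_ENDPOINT_RE = re.compile(r"^(?P<bucket>.+?)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

# Constructed zone data (hostname -> CNAME target); the first line is the AWS example above.
CNAME_RECORDS = {
    "images.johnsmith.net": "images.johnsmith.net.s3.amazonaws.com",
    "static.johnsmith.net": "static.johnsmith.net.s3-website-us-east-1.amazonaws.com",
    "cdn.johnsmith.net": "johnsmith-cdn.s3.amazonaws.com",
    "assets.johnsmith.net": "assets-old.s3.eu-west-1.amazonaws.com",
    "mail.johnsmith.net": "ghs.googlehosted.com",  # not S3; ignored by this check
}
# Constructed inventory of buckets the organisation actually owns.
OWNED_BUCKETS = {"images.johnsmith.net", "johnsmith-cdn", "assets.johnsmith.net"}


def s3_bucket_from_target(target):
    """Bucket name embedded in an S3 CNAME target, or None for non-S3 targets."""
    match = S3_ENDPOINT_RE.match(target.lower().rstrip("."))
    return match.group("bucket") if match else None


def audit_s3_cnames(records, owned_buckets):
    """Return (hostname, bucket, issue) for CNAMEs to S3 that can be claimed by others or are misrouted."""
    issues = []
    for host, target in records.items():
        target_bucket = s3_bucket_from_target(target)
        if target_bucket is None:
            continue  # not pointed at S3
        host = host.lower().rstrip(".")
        # S3 picks the bucket from the Host header, i.e. from the hostname itself,
        # regardless of which bucket name appears in the CNAME target.
        if host not in owned_buckets:
            issues.append((host, host, "no owned bucket with this name: anyone could create it and serve content"))
        elif target_bucket != host:
            issues.append((host, target_bucket, "CNAME target names a different bucket than S3 will look up"))
    return issues


if __name__ == "__main__":
    for host, bucket, issue in audit_s3_cnames(CNAME_RECORDS, OWNED_BUCKETS):
        print(f"{host} -> bucket {bucket!r}: {issue}")
```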
For any further questions contact
your SEC Consult Expert.
Pichaya Morimoto
p.morimoto@sec-consult.com
SEC Consult (Thailand) Co., Ltd.
29/1 Piyaplace Langsuan Building, 16B
Soi Langsuan, Lumpini, Pathumwan
Bangkok 10330, Thailand
www.sec-consult.com
64
Contact
GERMANY
SEC Consult Unternehmensberatung Deutschland GmbH
Bockenheimer Landstraße 17-19
60325 Frankfurt / Main
Tel +49 69 175 373 43 | Fax +49 69 175 373 44
Email office-frankfurt@sec-consult.com
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17
1190 Vienna
Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15
Email office@sec-consult.com
LITHUANIA
UAB Critical Security, a SEC Consult company
Sauletekio al. 15-311
10224 Vilnius
Tel +370 5 2195535
Email office-vilnius@sec-consult.com
RUSSIA
CJCS Security Monitor
5th Donskoy proyezd, 15, Bldg. 6
119334, Moscow
Tel +7 495 662 1414
Email info@securitymonitor.ru
SINGAPORE
SEC Consult Singapore PTE. LTD
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Email office-singapore@sec-consult.com
CANADA
i-SEC Consult Inc.
100 René-Lévesque West, Suite 2500
Montréal (Quebec) H3B 5C9
Email office-montreal@sec-consult.com
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Komarigasse 14/1
2700 Wiener Neustadt
Tel +43 1 890 30 43 0
Email office@sec-consult.com
THAILAND
SEC Consult (Thailand) Co., Ltd.
29/1 Piyaplace Langsuan Building 16th Floor, 16B
Soi Langsuan, Ploen Chit Road
Lumpini, Patumwan | Bangkok 10330
Tel +66 02 041 1146
Email office-bangkok@sec-consult.com
www.sec-consult.com
Security Misconfiguration (OWASP Top 10 - 2013 - A5)

  • 1. Version: [--VX.X--] Date: [--YYYY-MM-DD--] Author: [--Author--] Responsible: [--Responsible--] Confidentiality Class: [--Confidentiality Class--] Version: [--VX.X--] Date: [--YYYY-MM-DD--] Author: [--Author--] Responsible: [--Responsible--] Confidentiality Class: [--Confidentiality Class--] Security Misconfiguration Version: 1.0 Date: 2016.07.28 Author: P. Morimoto Responsible: P. Morimoto Confidentiality Class: Public
  • 2. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Vienna (HQ) | AT Wiener Neustadt | AT Vilnius | LT Berlin| DE Montreal | CA Singapore | SG Moscow | RU Zurich | CH SEC Consult Offices SEC Consult Clients Bangkok | TH SEC Consult – Who we are Found in 2002 70+ Security Experts 400+ Security Audits per year Globally operating SEC Consult Vulnerability Lab Title: Security Misconfiguration | Responsible: P. Morimoto Version / Date: 1.0 / 2016.07.28 | Confidentiality Class: Public
  • 3. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Advisor for information security Expert for the implementation of security processes and policies (ISO 27001, BS 25999, GSHB) Leading company for technical security audits Specialist for web application security according to ONR 17700 Independent of product manufacturers Our customers are public authorities, financial institutions and insurance companies in Central Europe Sectoral orientation (defence, public, finance, industry) SEC Consult – Who we are 3 Title: Security Misconfiguration | Responsible: P. Morimoto Version / Date: 1.0 / 2016.07.28 | Confidentiality Class: Public
  • 4. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved 4 ISO/IEC 27001 Certificate entire company within certification scope certified since 16.01.2008 Title: Security Misconfiguration | Responsible: P. Morimoto Version / Date: 1.0 / 2016.07.28 | Confidentiality Class: Public
  • 5. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved 5 SEC Consult Vulnerability Lab European leading research lab for the identification of vulnerabilities and the analysis of new technologies, products and applications (security advisories) Integral part of the education and the further training of the security experts at SEC Consult Early information of our customers due to SEC Consult security alerts Support of well-known manufacturers to enhance the security of their products Companies and organisations SEC Consult has released security advisories for (excerpt). For details see: http://www.sec-consult.com/72.html Title: Security Misconfiguration | Responsible: P. Morimoto Version / Date: 1.0 / 2016.07.28 | Confidentiality Class: Public
  • 6. Who Am I? (Professional)
    Pichaya Morimoto, IT Security Consultant
    Certifications:
    • GIAC Web Application Penetration Tester (GWAPT)
    • Certified Ethical Hacker (CEH)
    Published Security Advisories:
    • 2014
      - Privilege Escalation in Snort pfSense Package
      - Wordpress TimThumb 2.8.13 WebShot RCE
      - HybridAuth install.php PHP RCE
    • 2015
      - PHP MoAdmin 1.1.2 RCE
      - Schedule Facebook Posts 1.5.6 SQL Injection
      - Lime Survey Multiple Critical Vulnerabilities
    • 2016
      - Yeager CMS Multiple Critical Vulnerabilities
      - ASUS DSL-N55U router Multiple Vulnerabilities
  • 7. Who Am I? (Personal)
    Administrator of สอนแฮกเว็บแบบแมว ๆ
    CTF Player of Pwnladin Team
    Co-Moderator of 2600 Thailand Group
    Security Addict
    http://thehackernews.com/2014/06/zero-day-timthumb-webshot-vulnerability.html
  • 8. Who Am I? (Personal)
    • bug bounties
    • responsible disclosures
    Metasploit modules:
    • exploit/multi/http/phpmoadmin_exec
    • exploit/unix/webapp/hybridauth_install_php_exec
    • auxiliary/admin/http/limesurvey_file_download
    and a lot more private exploit research and development : )
  • 9. Bug Bounty Hunter Wannabe
    To Be Announced…
  • 10. OWASP Thailand Chapter
    OWASP Thailand Meeting 3/2014 – Topic: SQL Injection 101: It is not just about ' or '1'='1
    OWASP Thailand Meeting 5/2015 – Topic: SQLi + Secure Coding with Hands-on
  • 11. OWASP Top 10 - 2013
    A1-Injection
    A2-Broken Authentication and Session Management
    A3-Cross-Site Scripting (XSS)
    A4-Insecure Direct Object References
    A5-Security Misconfiguration
    A6-Sensitive Data Exposure
    A7-Missing Function Level Access Control
    A8-Cross-Site Request Forgery (CSRF)
    A9-Using Components with Known Vulnerabilities
    A10-Unvalidated Redirects and Forwards
  • 12. A5 ?
    Source: http://www.yi-ren.net/pics/2008/080816-CUT/DSCF1787.jpg
  • 13. A5 - Security Misconfiguration
    Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
    Source: https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
  • 14. A5 - Security Misconfiguration
    Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
    Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 15. OWASP Top 10 – 2010 / 2013
    Source: https://www.owasp.org/index.php/Top_10_2013-Release_Notes
  • 16. Content Overview
    • Information disclosures
    • Directory listing
    • Stack traces or debug mode
    • Outdated or unpatched software
    • Default credentials
    • Unnecessary features
    • Unprotected resources
    • Missing security headers / cookie flags
    • Overly permissive policies
    • CNAME record and unclaimed S3
  • 17. Information Disclosure - 1
  • 18. Nginx HTTP Server 1.3.9-1.4.0 Stack Buffer Overflow
    Source: https://www.exploit-db.com/exploits/25775/
  • 19. PHP < 5.3.4 NULL Byte Injection in Paths
    Source: http://php.net/releases/5_3_4.php
  • 20. Information Disclosure - 2
    BIGipServerRSSO?
    Cookie is a hacker’s friend.
  • 21. Fingerprint Web Application Framework (OTG-INFO-008)
    How to Test
    - HTTP headers
    - Cookies
    - HTML source code
    - Specific files and folders
    Source: https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
  • 22. Django Fingerprint by Anti-CSRF errors (1/3)
  • 23. Django Fingerprint by Anti-CSRF errors (2/3)
  • 24. Django Fingerprint by Anti-CSRF errors (3/3)
  • 25. Directory Listing
  • 26. Directory Listing – Special
  • 27. HTTP Verb Tampering (OTG-INPVAL-003)
    Source: https://www.owasp.org/index.php?title=Testing_for_HTTP_Verb_Tampering_(OTG-INPVAL-003)
  • 28. Stack Traces / Debug Mode
    Source: https://hackerone.com/reports/128853
  • 29. Stack Trace with Partial Source Code
  • 30. Stack Trace with Database Password
    [2002] SQLSTATE[HY000] [2002] No such file or directory
    #0 /usr/share/php/Doctrine/DBAL/Driver/PDOConnection.php(40): PDO->__construct('mysql:host=loca...', 'owncloud', 'database password...', Array)
    #1 /usr/share/php/Doctrine/DBAL/Driver/PDOMySql/Driver.php(41): Doctrine\DBAL\Driver\PDOConnection->__construct('mysql:host=loca...', 'owncloud', 'database password...', Array)
    #2 /usr/share/php/Doctrine/DBAL/Connection.php(356): Doctrine\DBAL\Driver\PDOMySql\Driver->connect(Array, 'owncloud', 'database password...', Array)
    #3 /usr/share/php/Doctrine/DBAL/Connection.php(680): Doctrine\DBAL\Connection->connect()
    #4 /usr/share/owncloud/lib/private/db/connection.php(107): Doctrine\DBAL\Connection->executeQuery('SELECT `configv...', Array, Array, NULL)
    #5 /usr/share/owncloud/lib/private/appconfig.php(259): OC\DB\Connection->executeQuery('SELECT `configv...', Array)
    #6 /usr/share/owncloud/lib/private/app.php(184): OC\AppConfig->getValues(false, 'enabled')
    #7 /usr/share/owncloud/lib/private/app.php(69): OC_App::getEnabledApps()
    #8 /usr/share/owncloud/lib/base.php(515): OC_App::loadApps(Array)
    #9 /usr/share/owncloud/lib/base.php(1012): OC::init()
    #10 /usr/share/owncloud/index.php(26): require_once('/usr/share/ownc...')
    #11 {main}
    Source: https://github.com/owncloud/core/issues/11325
  • 31. Outdated Software / Missing Security Patches
    - http://seclists.org/fulldisclosure/
    - https://cve.mitre.org/cve/cve.html
    - https://www.exploit-db.com/
    - …
  • 32. Default Passwords / Default Accounts
    admin:password
    admin:admin
    admin:qwerty
    admin:12345
    admin:123456
    …
    Source: http://www.4gltemall.com/blog/wp-content/uploads/2013/10/Back-stick-of-HUAWEI-B593u-12.jpg
  • 33. Default Passwords / Default Accounts
    Source: https://doc.pfsense.org/index.php/Installing_pfSense#pfSense_Default_Configuration
  • 34. Default Passwords / Default Accounts
    Source: http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/TypesofSplunklicenses
  • 35. Default Secret Token
    Source: http://exfiltrated.com/research-Instagram-RCE.php
  • 36. Default Encryption Key
    Source: http://www.slideshare.net/pichayaa/from-web-vulnerability-to-exploit-in-15-minutes
  • 37. Unnecessary Features – Apache’s mod_info
  • 38. Unnecessary Features – PHP INFO
    - PHP version
    - document_root
    - $PATH
    - Environment variables
    - disable_functions
    - allow_url_fopen
    - allow_url_include
    - open_basedir
    - …
  • 39. Unnecessary Features – robots.txt, sitemap.xml
    http://example.com/robots.txt
    User-agent: *
    Disallow: /Admin
    Disallow: /uploads
    Disallow: /backup
    Disallow: /~jbloggs
    Disallow: /include
    Source: https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
  • 40. Web Server – Missing Security Headers
    HTTP/1.1 200 OK
    Strict-Transport-Security: max-age=15552000; preload
    P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
    X-Frame-Options: DENY
    X-XSS-Protection: 0
    X-Content-Type-Options: nosniff
    public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; […]
    Pragma: no-cache
    content-security-policy: default-src * data: blob:;script-src *.facebook.com […]
    Cache-Control: private, no-cache, no-store, must-revalidate
    Expires: Sat, 01 Jan 2000 00:00:00 GMT
    Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=-1469692008; path=/; domain=.facebook.com
    Vary: Accept-Encoding
    Content-Encoding: br
    Content-Type: text/html
    X-FB-Debug: +ggB6Nz/jblNnRf72/[…]
    Date: Thu, 28 Jul 2016 07:46:49 GMT
    Connection: close
    Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
  • 41. Strict-Transport-Security
    (same response as slide 40, highlighting) Strict-Transport-Security: max-age=15552000; preload
    Goal: To protect websites against protocol downgrade attacks and cookie hijacking
    Values:
    - max-age=SECONDS: The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
    - includeSubDomains: If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
    Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
  • 42. X-Frame-Options
    (same response as slide 40, highlighting) X-Frame-Options: DENY
    Goal: To improve the protection of web applications against Clickjacking
    Values:
    - deny: No rendering within a frame.
    - sameorigin: No rendering if origin mismatch.
    - allow-from: DOMAIN: Allows rendering if framed by a frame loaded from DOMAIN.
    Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
  • 43. X-XSS-Protection
    Example response: as on slide 41; the header under discussion is X-XSS-Protection: 0
    Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
    Goal: To enable the Cross-site scripting (XSS) filter in your browser.
    Values:
    Value | Description
    0 | Filter disabled.
    1 | Filter enabled. If an XSS attack is detected, the browser will sanitize the page in order to stop the attack.
    1; mode=block | Filter enabled. Rather than sanitize the page, when an XSS attack is detected, the browser will prevent rendering of the page.
    1; report=http://[YOURDOMAIN]/your_report_URI | Filter enabled. The browser will sanitize the page and report the violation. This is a Chromium function utilizing CSP violation reports to send details to a URI of your choice.
  • 44. X-Content-Type-Options
    Example response: as on slide 41; the header under discussion is X-Content-Type-Options: nosniff
    Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
    Goal: To prevent MSIE and Chrome from interpreting files as something other than what is declared by the content type in the HTTP headers.
    Values:
    Value | Description
    nosniff | Will prevent Internet Explorer and Chrome from MIME-sniffing a response away from the declared content-type.
  • 45. Public Key Pinning Extension for HTTP (HPKP)
    Example response: as on slide 41; the header under discussion is public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; […]
    Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
    Goal: To resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
    Values:
    Value | Description
    pin-sha256="<sha256>" | The quoted string is the Base64 encoded Subject Public Key Information (SPKI) fingerprint. It is possible to specify multiple pins for different public keys. Some browsers might allow other hashing algorithms than SHA-256 in the future.
    max-age=SECONDS | The time, in seconds, that the browser should remember that this site is only to be accessed using one of the pinned keys.
    includeSubDomains | If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
    report-uri="<URL>" | If this optional parameter is specified, pin validation failures are reported to the given URL.
  • 46. Content-Security-Policy
    Example response: as on slide 41; the header under discussion, shown in full:
    content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob: data:;style-src * 'unsafe-inline' data:;connect-src *.facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: chrome-extension://boadgeojelhgndaghljhdicfkmllpafd;
    Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
    Goal: To prevent a wide range of (client-side) attacks, including Cross-site scripting and other cross-site injections.
    Values: see the source link.
    Example: Content-Security-Policy: script-src 'self'
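The six headers on slides 41 to 46 are easiest to judge together, against one response. The following is an added example, not code from the slides or from the OWASP project: it parses a raw response head and reports each header that is missing or set to one of the weak values the slide tables describe. SAMPLE_RESPONSE is a constructed excerpt modelled on the slide 41 response (pins and CSP shortened), HARDENED_RESPONSE is a constructed counterpart, and the 180-day HSTS minimum and the list of risky script sources are assumptions of this example.

```python
"""Audit of the response headers from slides 41 to 46 (HSTS, X-Frame-Options,
X-XSS-Protection, X-Content-Type-Options, HPKP, CSP).

Added example, not part of the original slides. SAMPLE_RESPONSE is a constructed
excerpt modelled on the response shown on slide 41; the thresholds are this
example's own assumptions, not values from the OWASP project."""

# Constructed excerpt (names/values as on slide 41, pins and CSP shortened).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; preload
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="
content-security-policy: default-src * data: blob:;script-src *.facebook.com 'unsafe-inline' 'unsafe-eval'
Content-Type: text/html
"""

# Constructed hardened counterpart, for comparison.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
"""

MIN_HSTS_AGE = 15552000          # 180 days, the value on slide 41 (assumed minimum)
RISKY_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:"}


def parse_headers(raw):
    """Map lower-cased header name -> value from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:      # [0] is the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_directives(value):
    """Split 'max-age=500; preload' into {'max-age': '500', 'preload': None}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip().strip('"') if val else None
    return out


def audit_csp(policy):
    """Flag wildcard and unsafe sources in the directives that govern scripts."""
    findings = []
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() in ("default-src", "script-src"):
            for source in parts[1:]:
                if source in RISKY_SCRIPT_SOURCES:
                    findings.append(("content-security-policy", f"{parts[0].lower()} allows {source}"))
    return findings


def audit_headers(headers):
    """Return (header, finding) pairs for missing or weak settings."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("strict-transport-security", "missing"))
    else:
        d = parse_directives(hsts)
        if int(d.get("max-age") or 0) < MIN_HSTS_AGE:
            findings.append(("strict-transport-security", f"max-age below {MIN_HSTS_AGE}"))
        if "includesubdomains" not in d:
            findings.append(("strict-transport-security", "includeSubDomains not set"))
    if headers.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append(("x-frame-options", "missing or not DENY/SAMEORIGIN"))
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("x-content-type-options", "nosniff not set"))
    xss = headers.get("x-xss-protection")
    if xss is not None and xss.split(";")[0].strip() == "0":
        findings.append(("x-xss-protection", "filter disabled (0)"))
    if "public-key-pins-report-only" in headers and "public-key-pins" not in headers:
        findings.append(("public-key-pins", "report-only: pins are not enforced"))
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(("content-security-policy", "missing"))
    else:
        findings.extend(audit_csp(csp))
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for header, finding in audit_headers(parse_headers(raw)):
            print(f"  {header}: {finding}")
```

Run against the sample, the audit reports the missing includeSubDomains, the disabled XSS filter, the report-only pins and four permissive CSP sources; the hardened response produces no findings. Header names are compared case-insensitively because servers mix the two spellings (slide 41 sends both `Strict-Transport-Security` and `content-security-policy`).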
  • 47. Testing for cookies attributes (OTG-SESS-002)
    Source: https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)
    • Secure Attribute
    • HttpOnly Attribute
    • Domain Attribute
    • Path Attribute
    • Expires Attribute
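The five attributes listed on slide 47 can be checked mechanically from a Set-Cookie header. Below is an added example, not code from the slides or from the OWASP testing guide: it parses one Set-Cookie value and reports a missing Secure or HttpOnly flag, a Domain wider than the serving host, a site-wide Path, and a persistent lifetime. The two cookies, the reference time AUDIT_TIME and the 30-day limit MAX_SESSION_LIFETIME are constructed for the example.

```python
"""Check of the Set-Cookie attributes listed on slide 47 (Secure, HttpOnly,
Domain, Path, Expires). Added example, not part of the original slides; the two
cookies, the reference time and the lifetime limit are constructed."""

from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed: a weak session cookie and its hardened counterpart.
WEAK_COOKIE = "sessionid=abc123; Path=/; Domain=.example.com; Expires=Fri, 01 Jan 2027 00:00:00 GMT"
GOOD_COOKIE = "sessionid=abc123; Path=/app; Secure; HttpOnly"

# Constructed reference time so the Expires check is reproducible.
AUDIT_TIME = datetime(2016, 7, 28, tzinfo=timezone.utc)
MAX_SESSION_LIFETIME = timedelta(days=30)   # assumed policy limit for session cookies


def parse_set_cookie(header_value):
    """Return (name, value, {attribute_lower: value_or_None})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or None
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """Remaining lifetime, or None for a session cookie.
    Max-Age takes precedence over Expires, as RFC 6265 specifies."""
    if attrs.get("max-age") is not None:
        return timedelta(seconds=int(attrs["max-age"]))
    if attrs.get("expires") is not None:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit_cookie(header_value, site_host, now=AUDIT_TIME):
    """Return (cookie name, [findings]) for a Set-Cookie header sent by site_host."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("Secure not set: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly not set: cookie is readable from JavaScript")
    domain = (attrs.get("domain") or "").lstrip(".").lower()
    if domain and domain != site_host.lower():
        findings.append(f"Domain={attrs['domain']}: wider than {site_host}, shared with every subdomain")
    if (attrs.get("path") or "/") == "/":
        findings.append("Path=/: cookie is sent to every path on the host")
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
        findings.append(f"persistent for {lifetime.days} days: a session cookie should end with the browser session")
    return name, findings


if __name__ == "__main__":
    for cookie in (WEAK_COOKIE, GOOD_COOKIE):
        name, findings = audit_cookie(cookie, "www.example.com")
        print(name, findings or "OK")
```

The weak cookie yields five findings; the hardened one yields none. The Expires value of the slide 41 cookie (`Max-Age=-1469692008`) is handled too: a negative Max-Age means the cookie is being deleted, so it is never reported as long-lived.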
  • 48. Unprotected files and directories
    - http://example.com/backup.zip
    - http://example.com/dump.sql
    - http://example.com/password.txt
    - http://example.com/wp-config.php.txt
    - http://example.com/db-config.txt
    …
    Source: https://hackerone.com/reports/33083 …
  • 49. Unprotected Administrator Pages
    http://example.com/admin/
    http://example.com/backend/
    http://example.com/backoffice/
    …
  • 50. Publicly accessible Tomcat Manager
    • HTTP Basic Auth
    • Brute force-able
    http://example.com:8443/manager/
    http://example.com:8080/manager/
  • 51. Unprotected Code Repository (Git, SVN)
    Source: https://hackerone.com/reports/72243
    http://example.com/.git/
    http://example.com/.svn/entries
    …
    Exploit:
    $ svn checkout <URL>
    $ git clone <URL>
    or https://github.com/kost/dvcs-ripper
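The files on slide 48 and the repository metadata on slide 51 share one root cause: a web root that was deployed with artefacts in it that were never meant to be served. As an added example, not code from the slides, the script below walks a web root before deployment and lists the entries a release should not contain. The web root it scans is constructed in a temporary directory from the slide's own file names, so it runs offline; the name and suffix lists are this example's assumptions.

```python
"""Pre-deployment check for the unprotected files and directories on slides 48
and 51: backups, dumps, credential files and VCS metadata left in a web root.
Added example, not part of the original slides; the web root is constructed."""

import os
import shutil
import tempfile

# Assumed lists of what a served web root should never contain.
RISKY_DIRS = {".git", ".svn", ".hg"}
RISKY_SUFFIXES = (".zip", ".tar.gz", ".sql", ".bak", ".old", ".orig", ".swp", "~", ".php.txt")
RISKY_NAMES = {"password.txt", "db-config.txt", "wp-config.php.txt", "dump.sql", "backup.zip"}


def find_exposed(web_root):
    """Return sorted relative paths under web_root that should not be served."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        for d in list(dirnames):
            if d in RISKY_DIRS:
                hits.append(os.path.normpath(os.path.join(rel_dir, d)) + "/")
                dirnames.remove(d)            # flag the whole tree once, do not descend
        for f in filenames:
            lower = f.lower()
            if lower in RISKY_NAMES or lower.endswith(RISKY_SUFFIXES):
                hits.append(os.path.normpath(os.path.join(rel_dir, f)))
    return sorted(hits)


def build_sample_webroot():
    """Create a constructed web root that reproduces the slide's example names."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("index.html", "backup.zip", "dump.sql", "password.txt",
                "wp-config.php.txt", "db-config.txt", "assets/app.js",
                ".git/HEAD", ".svn/entries"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed content\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    try:
        for hit in find_exposed(root):
            print("do not deploy:", hit)
    finally:
        shutil.rmtree(root)
```

On the constructed tree the check lists both VCS directories and the five files from slide 48 while leaving `index.html` and `assets/app.js` alone. In a pipeline the same function runs against the build output, and a non-empty result fails the release; this complements, rather than replaces, deny rules in the web server configuration.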
  • 52. Unprotected Docker Repository
    $ docker pull <URL>
    Source: https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/
  • 53. Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)
    Source: https://www.owasp.org/index.php/Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004)
    Programmers' comments:
    <!-- <A HREF="uploadfile.jsp">Upload a document to the server</A> -->
    <!-- Link removed while bugs in uploadfile.jsp are fixed -->
    JavaScript may contain page links that are only rendered within the user's GUI under certain circumstances:
    var adminUser=false;
    if (adminUser) menu.add (new menuItem ("Maintain users", "/admin/useradmin.jsp"));
    HTML pages may contain FORMs that have been hidden by disabling the SUBMIT element:
    <FORM action="forgotPassword.jsp" method="post">
    <INPUT type="hidden" name="userID" value="123">
    <!-- <INPUT type="submit" value="Forgot Password"> -->
    </FORM>
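The three patterns on slide 53 (commented-out markup, paths that JavaScript only shows to some users, hidden form fields) are exactly what a release review of the rendered HTML should look for. The following added example, not code from the slides or the OWASP guide, scans a page for those three patterns with regular expressions; SAMPLE_HTML is constructed from the slide's own snippets, and the regular expressions are this example's assumptions about what a reviewer wants flagged.

```python
"""Source review for the patterns on slide 53: developer comments and
commented-out markup, paths referenced only from JavaScript, hidden form inputs.
Added example, not part of the original slides; SAMPLE_HTML is constructed from
the snippets on the slide."""

import re

SAMPLE_HTML = """<html><body>
<!-- <A HREF="uploadfile.jsp">Upload a document to the server</A> -->
<!-- Link removed while bugs in uploadfile.jsp are fixed -->
<script>
var adminUser=false;
if (adminUser) menu.add (new menuItem ("Maintain users", "/admin/useradmin.jsp"));
</script>
<FORM action="forgotPassword.jsp" method="post">
<INPUT type="hidden" name="userID" value="123">
<!-- <INPUT type="submit" value="Forgot Password"> -->
</FORM>
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Quoted strings that look like URLs or server-side pages (assumed extension list).
URL_IN_JS_RE = re.compile(r"""["']((?:/|https?://)[^"'\s]+|[\w./-]+\.(?:jsp|php|aspx?|cgi))["']""", re.I)
HIDDEN_INPUT_RE = re.compile(r"""<input[^>]*type\s*=\s*["']hidden["'][^>]*>""", re.I)


def review_source(html):
    """Return (kind, evidence) pairs a reviewer should look at before release."""
    findings = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).strip()
        kind = "commented-out markup" if "<" in body else "developer comment"
        findings.append((kind, body))
    for m in SCRIPT_RE.finditer(html):
        for url in URL_IN_JS_RE.finditer(m.group(1)):
            findings.append(("path referenced from JavaScript", url.group(1)))
    for m in HIDDEN_INPUT_RE.finditer(html):
        findings.append(("hidden form input", m.group(0)))
    return findings


if __name__ == "__main__":
    for kind, evidence in review_source(SAMPLE_HTML):
        print(f"{kind}: {evidence}")
```

On the sample the review returns five items: two pieces of commented-out markup, the "Link removed while bugs ... are fixed" comment, the `/admin/useradmin.jsp` path hidden behind `adminUser`, and the hidden `userID` input. Every hit is something that a client can read regardless of what the page displays, which is the point of OTG-CONFIG-004.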
  • 54. Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)
    Source: https://www.ssllabs.com/ssltest/analyze.html?d=www.gmail.com&s=216.58.194.165&latest
    Online
    - https://www.ssllabs.com/
    Offline
    - OpenSSL toolkit
    - Nessus, Nmap scripts
    - https://github.com/drwetter/testssl.sh/
    - …
  • 55. Overly permissive Adobe's crossdomain.xml policy (OTG-CONFIG-008)
    Bad:
    <?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
    <site-control permitted-cross-domain-policies="all"/>
    <allow-access-from domain="*" secure="false"/>
    <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
    </cross-domain-policy>
    Source: https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_(OTG-CONFIG-008)
  • 56. Overly permissive Adobe's crossdomain.xml policy (OTG-CONFIG-008)
    Good:
    <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
    <allow-access-from domain="twitter.com"/>
    <allow-access-from domain="api.twitter.com"/>
    <allow-access-from domain="search.twitter.com"/>
    <allow-access-from domain="static.twitter.com"/>
    <site-control permitted-cross-domain-policies="master-only"/>
    <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
    </cross-domain-policy>
    Source: https://twitter.com/crossdomain.xml
  • 57. Overly permissive CORS policy
    Source: https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Cross_Origin_Resource_Sharing
    Bad:
    HTTP/1.1 200 OK
    [...]
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: true
    [...]
    Good:
    HTTP/1.1 200 OK
    […]
    Access-Control-Allow-Origin: https://www.facebook.com
    Access-Control-Allow-Credentials: true
    […]
    Please note that the wildcard is only acceptable if the origin has no sensitive content.
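The "Good" response on slide 57 names one origin, which in practice means the server decides per request which Origin value to echo. The following added example, not code from the slides or the OWASP cheat sheet, shows that decision as an allowlist lookup next to the two common mistakes (the wildcard from the "Bad" response, and reflecting whatever Origin arrives), together with a check that flags them in a set of response headers. The allowlist and the probe origin `https://unrelated.example` are constructed.

```python
"""CORS decisions for slide 57: a strict allowlist beside the wildcard and the
origin-reflection misconfigurations, with a check that flags both.
Added example, not part of the original slides; the allowlist and probe origin
are constructed."""

# Constructed allowlist of origins that may make credentialed requests.
ALLOWED_ORIGINS = {"https://www.facebook.com", "https://app.example.com"}

# The "Bad" response headers from slide 57.
BAD_RESPONSE_HEADERS = {"Access-Control-Allow-Origin": "*",
                        "Access-Control-Allow-Credentials": "true"}


def cors_headers(request_origin, allowed_origins=ALLOWED_ORIGINS):
    """Good: echo the Origin only on an exact allowlist match.

    Unknown origins get no Access-Control-Allow-Origin at all, so the browser
    withholds the response from the calling page. Vary: Origin tells caches that
    the response differs per Origin."""
    if request_origin in allowed_origins:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Vary": "Origin"}


def reflect_origin(request_origin):
    """Bad: echo whatever Origin arrives. Every site becomes an allowed origin
    for credentialed requests, which is what the wildcard tried to do."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def audit_cors(headers):
    """Findings for the header combinations shown on slide 57."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*" and creds:
        findings.append("Allow-Origin * with Allow-Credentials true: credentialed access offered to every origin")
    elif acao == "*":
        findings.append("Allow-Origin *: acceptable only if the origin has no sensitive content")
    if acao == "null" and creds:
        findings.append("Allow-Origin null with credentials: sandboxed frames and local files qualify")
    return findings


def reflects_any_origin(handler, probe="https://unrelated.example"):
    """True if handler grants an origin that is not on the allowlist (constructed probe)."""
    return handler(probe).get("Access-Control-Allow-Origin") == probe


if __name__ == "__main__":
    print("allowlisted:", cors_headers("https://www.facebook.com"))
    print("unknown:    ", cors_headers("https://unrelated.example"))
    print("bad headers:", audit_cors(BAD_RESPONSE_HEADERS))
    print("reflection: ", reflects_any_origin(reflect_origin), reflects_any_origin(cors_headers))
```

Reflection is worth testing separately because it looks correct in a single response (a concrete origin, just like the "Good" example) and only shows up when the same endpoint is asked with an origin that should not be allowed; `reflects_any_origin` does exactly that against the handler.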
  • 58. Windows Short (8.3) filename expansion
    Source: http://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
    C:\> dir /X
    You can replace:
    http://example.com/backup-082119f75623eb7abd7bf357698ff66c.sql
    With:
    http://example.com/BACKUP~1.SQL
    Exploit: https://github.com/irsdl/IIS-ShortName-Scanner
  • 59. Mitigate Security Misconfiguration Vulnerabilities
    1. RTFM: Read the Fantastic Manual
    2. Do regular configuration audits
    3. Deploy or harden configurations by using automated methods (scripts, Ansible, Puppet, Chef etc.)
    4. Implement patch and configuration management procedures
  • 60. DNS CNAME to subdomain take over?
    Source: https://hackerone.com/reports/149679
  • 61. Customizing Amazon S3 URLs with CNAMEs
    “Depending on your needs, you might not want "s3.amazonaws.com" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/. The bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.”
    Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html, https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
  • 62. DNS CNAME + unclaimed Amazon S3 bucket
    Source: https://hackerone.com/reports/121461, https://hackerone.com/reports/125118, https://hackerone.com/reports/32825, https://hackerone.com/reports/109699
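Slides 60 to 62 describe the dangling-CNAME problem: a record still points at a virtual-hosted S3 name after the bucket of that name was deleted, so whoever creates the bucket owns the content of the subdomain. The defensive check is an inventory comparison, and the following added example, not code from the slides or from AWS, performs it offline: it derives the bucket name from each CNAME target using the naming rule quoted on slide 61, compares it with the buckets the organisation owns, and separately lists CNAMEs into other hosted services for manual review. The zone records, the bucket inventory and the service suffix table are constructed.

```python
"""Inventory check for the dangling-CNAME case on slides 60 to 62.
Added example, not part of the original slides; the DNS records, the bucket
inventory and the service table are constructed, so nothing is queried."""

import re

# Virtual-hosted S3 names as described on slide 61: <bucket>.s3.amazonaws.com,
# also accepting the regional forms <bucket>.s3-<region>.amazonaws.com and
# <bucket>.s3.<region>.amazonaws.com.
S3_HOST_RE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$", re.I)

# Constructed table of other hosted services whose CNAME targets deserve review
# (the Detectify source on slide 61 covers Heroku, GitHub Pages and others).
THIRD_PARTY_SUFFIXES = {".github.io": "GitHub Pages", ".herokuapp.com": "Heroku"}

# Constructed zone excerpt: (record name, CNAME target).
CNAME_RECORDS = [
    ("images.johnsmith.net", "images.johnsmith.net.s3.amazonaws.com"),
    ("static.johnsmith.net", "static-johnsmith.s3-eu-west-1.amazonaws.com"),
    ("www.johnsmith.net", "johnsmith.github.io"),
]

# Constructed inventory of the buckets the organisation actually owns.
OWNED_BUCKETS = {"images.johnsmith.net"}


def s3_bucket_for(target):
    """Bucket name implied by an S3 virtual-hosted CNAME target, else None."""
    m = S3_HOST_RE.match(target)
    return m.group("bucket").lower() if m else None


def find_dangling_s3_cnames(records, owned_buckets):
    """[(name, target, bucket)] for CNAMEs into S3 whose bucket is not owned."""
    dangling = []
    for name, target in records:
        bucket = s3_bucket_for(target)
        if bucket is not None and bucket not in owned_buckets:
            dangling.append((name, target, bucket))
    return dangling


def third_party_cnames(records):
    """[(name, target, service)] for CNAMEs into hosted services, for manual review."""
    out = []
    for name, target in records:
        host = target.rstrip(".").lower()
        for suffix, service in THIRD_PARTY_SUFFIXES.items():
            if host.endswith(suffix):
                out.append((name, target, service))
    return out


if __name__ == "__main__":
    for name, target, bucket in find_dangling_s3_cnames(CNAME_RECORDS, OWNED_BUCKETS):
        print(f"dangling: {name} -> {target} (bucket {bucket!r} not in inventory)")
    for name, target, service in third_party_cnames(CNAME_RECORDS):
        print(f"review:   {name} -> {target} ({service})")
```

On the constructed zone, `static.johnsmith.net` is reported because bucket `static-johnsmith` is not in the inventory, `images.johnsmith.net` is fine, and `www.johnsmith.net` is listed for review as a GitHub Pages target. Run periodically against the real zone export and the real bucket list, this catches the decommissioned-bucket case before someone else claims the name; removing the stale CNAME is the fix.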
  • 63. For any further questions contact your SEC Consult Expert.
    Pichaya Morimoto
    p.morimoto@sec-consult.com
    SEC Consult (Thailand) Co., Ltd.
    29/1 Piyaplace Langsuan Building, 16B Soi Langsuan, Lumpini, Pathumwan
    Bangkok 10330, Thailand
    www.sec-consult.com
  • 64. Contact
    GERMANY: SEC Consult Unternehmensberatung Deutschland GmbH, Bockenheimer Landstraße 17-19, 60325 Frankfurt / Main. Tel +49 69 175 373 43 | Fax +49 69 175 373 44. Email office-frankfurt@sec-consult.com
    AUSTRIA: SEC Consult Unternehmensberatung GmbH, Mooslackengasse 17, 1190 Vienna. Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15. Email office@sec-consult.com
    LITHUANIA: UAB Critical Security, a SEC Consult company, Sauletekio al. 15-311, 10224 Vilnius. Tel +370 5 2195535. Email office-vilnius@sec-consult.com
    RUSSIA: CJCS Security Monitor, 5th Donskoy proyezd, 15, Bldg. 6, 119334 Moscow. Tel +7 495 662 1414. Email info@securitymonitor.ru
    SINGAPORE: SEC Consult Singapore PTE. LTD, 4 Battery Road #25-01, Bank of China Building, Singapore (049908). Email office-singapore@sec-consult.com
    CANADA: i-SEC Consult Inc., 100 René-Lévesque West, Suite 2500, Montréal (Quebec) H3B 5C9. Email office-montreal@sec-consult.com
    AUSTRIA: SEC Consult Unternehmensberatung GmbH, Komarigasse 14/1, 2700 Wiener Neustadt. Tel +43 1 890 30 43 0. Email office@sec-consult.com
    THAILAND: SEC Consult (Thailand) Co., Ltd., 29/1 Piyaplace Langsuan Building, 16th Floor, 16B Soi Langsuan, Ploen Chit Road, Lumpini, Patumwan | Bangkok 10330. Tel +66 02 041 1146. Email office-bangkok@sec-consult.com
    www.sec-consult.com