owasp.org/index.php/Khartoum
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.
Threat Agents: Consider anonymous external attackers as well as users with their own accounts that may attempt to compromise the system. Also consider insiders wanting to disguise their actions.
Attack Vectors (Exploitability: EASY): Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
Security Weakness (Prevalence: COMMON; Detectability: EASY): Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
Technical Impacts (Impact: MODERATE): Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
Business Impact: The system could be completely compromised without you knowing it. All your data could be stolen or modified slowly over time.
How attackers do it
Collecting information about the targeted system's stack: the OS and its version number, the web server type (Apache, IIS, etc.) and the web development language. Then checking their data sources for all known exploits against any part of that stack. There are known vulnerabilities at each level of the stack.
How we protect ourselves
• Change default user accounts.
• Delete unused pages and user accounts.
• Turn off unused services.
• Disable directory listings if they are not necessary, or set access controls to deny all requests.
• Stay up to date on patches.
• Consider internal attackers as well as external.
• Use automated scanners.
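The checklist above, and the earlier note that automated scanners are useful for finding misconfigurations and default accounts, can be turned into a small audit of your own. The following is an added example, not code from the OWASP Khartoum slides: it parses an Apache-style configuration for directory listings, version banners and unneeded modules, and checks an account list for default passwords and stale accounts. The configuration text, the account records, and the set of modules treated as unnecessary are all constructed for the example; the hardened configuration is included so the audit can be seen passing.

```python
"""Audit a web-server configuration and account list for common misconfigurations.

Added example (not from the OWASP Khartoum slides). All inputs are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: an Apache-style configuration with several weak settings.
SAMPLE_CONFIG = """
ServerTokens Full
ServerSignature On
LoadModule status_module modules/mod_status.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/uploads">
    Options -Indexes
</Directory>
"""

# Constructed hardened counterpart: banners minimised, listing off, module gone.
HARDENED_CONFIG = """
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# Constructed sample: host accounts. 'admin' still has its vendor default password.
SAMPLE_ACCOUNTS = [
    {"name": "webapp", "password_is_default": False, "last_login_days": 2},
    {"name": "admin", "password_is_default": True, "last_login_days": 400},
    {"name": "test", "password_is_default": False, "last_login_days": None},
]

# Assumption for this example: modules this deployment does not need.
UNNEEDED_MODULES = {"status_module", "info_module", "autoindex_module"}


@dataclass
class Finding:
    check: str    # short category of the misconfiguration
    detail: str   # what was seen in the configuration or account list
    fix: str      # the corrective action


def parse_directives(text):
    """Return (scope, directive, args) tuples; scope is the enclosing
    <Directory> path or None for the global scope."""
    scope, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.IGNORECASE)
        if m:
            scope = m.group(1)
            continue
        if line.lower() == "</directory>":
            scope = None
            continue
        parts = line.split()
        out.append((scope, parts[0], parts[1:]))
    return out


def audit_config(text):
    """Flag version disclosure, directory listings and unneeded modules."""
    findings = []
    for scope, name, args in parse_directives(text):
        key = name.lower()
        where = scope or "global scope"
        if key == "servertokens" and args and args[0].lower() != "prod":
            findings.append(Finding("version disclosure", f"ServerTokens {args[0]}", "ServerTokens Prod"))
        elif key == "serversignature" and args and args[0].lower() != "off":
            findings.append(Finding("version disclosure", f"ServerSignature {args[0]}", "ServerSignature Off"))
        elif key == "options" and any(a.lower() in ("indexes", "+indexes", "all") for a in args):
            findings.append(Finding("directory listing", f"Options Indexes in {where}", "Options -Indexes"))
        elif key == "loadmodule" and args and args[0] in UNNEEDED_MODULES:
            findings.append(Finding("unneeded module", f"LoadModule {args[0]}", "remove the LoadModule line"))
    return findings


def audit_accounts(accounts, stale_after_days=90):
    """Flag default passwords and accounts unused for longer than the threshold."""
    findings = []
    for acct in accounts:
        if acct["password_is_default"]:
            findings.append(Finding("default credential", acct["name"], "change the password"))
        days = acct["last_login_days"]
        if days is None or days > stale_after_days:
            findings.append(Finding("unused account", acct["name"], "delete or disable the account"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG) + audit_accounts(SAMPLE_ACCOUNTS):
        print(f"[{f.check}] {f.detail} -> {f.fix}")
    print("hardened config findings:", len(audit_config(HARDENED_CONFIG)))
```

The weak and hardened configurations differ only in the directives the checklist names, so the audit reports four findings on the first and none on the second; the account check adds one default credential and two unused accounts. Running the same functions against a real configuration export is the scanner the slides recommend, kept deliberately simple so that every rule maps to one bullet above.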
Conclusions
Safeguarding your website from malicious users and attacks is important, regardless of what type of site you have or how many visitors your site receives.
Security misconfiguration, or poorly configured security controls, could allow malicious users to change your website, obtain unauthorized access, compromise files, or perform other unintended actions.
While there is no one-size-fits-all security configuration, you can use these points to develop a plan that works for your situation. I hope that this presentation helps you to create such a plan.