Security Misconfiguration (OWASP Top 10 - 2013 - A5)

Security Misconfiguration Version: 1.0 Date: 2016.07.28 Author: P. Morimoto Responsible: P. Morimoto Confidentiality Class: Public

Transcript of Security Misconfiguration (OWASP Top 10 - 2013 - A5)


© 2013 SEC Consult Unternehmensberatung GmbH All rights reserved


SEC Consult – Who we are

SEC Consult Offices (map also marks SEC Consult Clients): Vienna (HQ) | AT, Wiener Neustadt | AT, Vilnius | LT, Berlin | DE, Montreal | CA, Singapore | SG, Moscow | RU, Zurich | CH, Bangkok | TH

Founded in 2002, 70+ Security Experts, 400+ Security Audits per year, globally operating, SEC Consult Vulnerability Lab

Title: Security Misconfiguration | Responsible: P. Morimoto | Version / Date: 1.0 / 2016.07.28 | Confidentiality Class: Public


Advisor for information security

Expert for the implementation of security processes and policies (ISO 27001, BS 25999, GSHB)

Leading company for technical security audits

Specialist for web application security according to ONR 17700

Independent of product manufacturers

Our customers are public authorities, financial institutions and insurance companies in Central Europe

Sectoral orientation (defence, public, finance, industry)

SEC Consult – Who we are


ISO/IEC 27001 Certificate

entire company within certification scope

certified since 16.01.2008


SEC Consult Vulnerability Lab

European leading research lab for the identification of vulnerabilities and the analysis of new technologies, products and applications (security advisories)

Integral part of the education and the further training of the security experts at SEC Consult

Early warning for our customers through SEC Consult security alerts

Support of well-known manufacturers to enhance the security of their products

Companies and organisations SEC Consult has released security advisories for (excerpt). For details see: http://www.sec-consult.com/72.html


Who Am I ? (Professional)

Pichaya Morimoto, IT Security Consultant

Certifications:
• GIAC Web Application Penetration Tester (GWAPT)
• Certified Ethical Hacker (CEH)

Published Security Advisories:
• 2014
- Privilege Escalation in Snort pfSense Package
- Wordpress TimThumb 2.8.13 WebShot RCE
- HybridAuth install.php PHP RCE
• 2015
- PHP MoAdmin 1.1.2 RCE
- Schedule Facebook Posts 1.5.6 SQL Injection
- Lime Survey Multiple Critical Vulnerabilities
• 2016
- Yeager CMS Multiple Critical Vulnerabilities
- ASUS DSL-N55U router Multiple Vulnerabilities


Who Am I ? (Personal)

Administrator of สอนแฮกเว็บแบบแมว ๆ
CTF Player of Pwnladin Team
Co-Moderator of 2600 Thailand Group
Security Addict
http://thehackernews.com/2014/06/zero-day-timthumb-webshot-vulnerability.html


Who Am I ? (Personal)

• bug bounties
• responsible disclosures

Metasploit modules:

• exploit/multi/http/phpmoadmin_exec
• exploit/unix/webapp/hybridauth_install_php_exec
• auxiliary/admin/http/limesurvey_file_download

and a lot more private exploit research and developments : )


Bug Bounty Hunter Wannabe

To Be Announced…


OWASP Thailand Chapter

OWASP Thailand Meeting 3/2014 – Topic: SQL Injection 101 : It is not just about ' or '1'='1

OWASP Thailand Meeting 5/2015 – Topic: SQLi + Secure Coding with Hands-on


OWASP Top 10 - 2013

A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards


A5 ?

Source: http://www.yi-ren.net/pics/2008/080816-CUT/DSCF1787.jpg


A5 - Security Misconfiguration

Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly.

Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.

Source: https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration


A5 - Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform.

Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

Source: https://www.owasp.org/index.php/Top_10_2013-Top_10


OWASP Top 10 – 2010 / 2013

Source: https://www.owasp.org/index.php/Top_10_2013-Release_Notes


Content Overview

• Information disclosures
• Directory listing
• Stack traces or debug mode
• Outdated or unpatched software
• Default credential
• Unnecessary features
• Unprotected resources
• Missing security headers / cookie flags
• Overly permissive policies
• CNAME record and unclaimed S3


Information Disclosure - 1


Nginx HTTP Server 1.3.9-1.4.0 Stack Buffer Overflow

Source: https://www.exploit-db.com/exploits/25775/


PHP < 5.3.4 NULL Byte Injection in Paths

Source: http://php.net/releases/5_3_4.php


Information Disclosure - 2

BIGipServerRSSO?


Cookie is a hacker’s friend.


Fingerprint Web Application Framework (OTG-INFO-008)

How to Test:
- HTTP headers
- Cookies
- HTML source code
- Specific files and folders


Source: https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf


Django Fingerprint by Anti-CSRF errors (1/3)


Django Fingerprint by Anti-CSRF errors (2/3)


Django Fingerprint by Anti-CSRF errors (3/3)


Directory Listing


Directory Listing – Special


HTTP Verb Tampering (OTG-INPVAL-003)

Source: https://www.owasp.org/index.php?title=Testing_for_HTTP_Verb_Tampering_(OTG-INPVAL-003)


Stack Traces / Debug Mode

Source: https://hackerone.com/reports/128853


Stack Trace with Partial Source Code


Stack Trace with Database Password

[2002] SQLSTATE[HY000] [2002] No such file or directory
#0 /usr/share/php/Doctrine/DBAL/Driver/PDOConnection.php(40): PDO->__construct('mysql:host=loca...', 'owncloud', 'database password...', Array)
#1 /usr/share/php/Doctrine/DBAL/Driver/PDOMySql/Driver.php(41): Doctrine\DBAL\Driver\PDOConnection->__construct('mysql:host=loca...', 'owncloud', 'database password...', Array)
#2 /usr/share/php/Doctrine/DBAL/Connection.php(356): Doctrine\DBAL\Driver\PDOMySql\Driver->connect(Array, 'owncloud', 'database password...', Array)
#3 /usr/share/php/Doctrine/DBAL/Connection.php(680): Doctrine\DBAL\Connection->connect()
#4 /usr/share/owncloud/lib/private/db/connection.php(107): Doctrine\DBAL\Connection->executeQuery('SELECT `configv...', Array, Array, NULL)
#5 /usr/share/owncloud/lib/private/appconfig.php(259): OC\DB\Connection->executeQuery('SELECT `configv...', Array)
#6 /usr/share/owncloud/lib/private/app.php(184): OC\AppConfig->getValues(false, 'enabled')
#7 /usr/share/owncloud/lib/private/app.php(69): OC_App::getEnabledApps()
#8 /usr/share/owncloud/lib/base.php(515): OC_App::loadApps(Array)
#9 /usr/share/owncloud/lib/base.php(1012): OC::init()
#10 /usr/share/owncloud/index.php(26): require_once('/usr/share/ownc...')
#11 {main}

Source: https://github.com/owncloud/core/issues/11325
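The trace above leaks the database password because PHP prints every string argument of every frame. Added example, not from the slides or from ownCloud: a log-side redactor that keeps the frames but blanks the quoted arguments of credential-taking calls, plus a check that a known secret no longer appears. The trace, the list of sensitive calls and the password placeholder are constructed assumptions.

```python
import re

# Constructed trace, modelled on the ownCloud issue in the slides; the password is a
# placeholder, the paths are the ones the real trace shows.
SAMPLE_TRACE = (
    "[2002] SQLSTATE[HY000] [2002] No such file or directory"
    "#0 /usr/share/php/Doctrine/DBAL/Driver/PDOConnection.php(40): "
    "PDO->__construct('mysql:host=loca...', 'owncloud', 'PLACEHOLDER_DB_PASSWORD', Array)"
    "#1 /usr/share/php/Doctrine/DBAL/Connection.php(356): "
    "Doctrine\\DBAL\\Driver\\PDOMySql\\Driver->connect(Array, 'owncloud', 'PLACEHOLDER_DB_PASSWORD', Array)"
    "#2 /usr/share/owncloud/lib/base.php(515): OC_App::loadApps(Array)"
    "#3 {main}"
)

# Callables whose quoted string arguments are a DSN, a user name or a password (assumed list).
SENSITIVE_CALLS = ("PDO->__construct", "->connect(", "mysqli_connect(", "mysql_connect(")
# A single-quoted PHP string argument as PHP's trace formatter prints it.
QUOTED_ARG = re.compile(r"'(?:[^'\\]|\\.)*'")


def split_frames(trace):
    """Return the error message followed by one string per '#N' frame."""
    return [part for part in re.split(r"(?=#\d+ )", trace) if part]


def redact_frame(frame):
    """Blank every quoted argument of a frame that calls a credential-taking function.
    Array/NULL arguments are left alone; they carry no literal secret."""
    if any(call in frame for call in SENSITIVE_CALLS):
        return QUOTED_ARG.sub("'[REDACTED]'", frame)
    return frame


def redact_trace(trace):
    """Trace safe to write to a log file: frames kept, credential arguments removed."""
    return "\n".join(redact_frame(f) for f in split_frames(trace))


def leaked_secrets(text, secrets):
    """Which of the known secrets (e.g. the configured DB password) still appear verbatim."""
    return [s for s in secrets if s in text]


if __name__ == "__main__":
    print(redact_trace(SAMPLE_TRACE))
```

The complementary control is to never send the trace to the browser at all (PHP's display_errors off in production, log_errors on); this block covers what still reaches the log.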


Outdated Software / Missing Security Patches

- http://seclists.org/fulldisclosure/
- https://cve.mitre.org/cve/cve.html
- https://www.exploit-db.com/
- …


Default Passwords / Default Accounts

admin:password
admin:admin
admin:qwerty
admin:12345
admin:123456
…

Source: http://www.4gltemall.com/blog/wp-content/uploads/2013/10/Back-stick-of-HUAWEI-B593u-12.jpg


Default Passwords / Default Accounts

Source: https://doc.pfsense.org/index.php/Installing_pfSense#pfSense_Default_Configuration


Default Passwords / Default Accounts

Source: http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/TypesofSplunklicenses


Default Secret Token

Source: http://exfiltrated.com/research-Instagram-RCE.php


Default Encryption Key

Source: http://www.slideshare.net/pichayaa/from-web-vulnerability-to-exploit-in-15-minutes


Unnecessary Features – Apache’s mod_info


Unnecessary Features – PHP INFO

- PHP version
- document_root
- $PATH
- Environment variables
- disable_functions
- allow_url_fopen
- allow_url_include
- open_basedir
- …


Unnecessary Features – robots.txt, sitemap.xml

http://example.com/robots.txt

User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs
Disallow: /include


Source: https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
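A robots.txt like the one above is advisory: it keeps polite crawlers out and tells everyone else where the administrative, backup and per-user areas are. Added example, not from the Testing Guide or the slides: a reviewer-side check that parses robots.txt and flags Disallow entries naming sensitive areas; the categories and patterns are my own assumptions, and the sample file is the slide's example re-typed with one harmless entry added.

```python
import re

# Constructed sample: the slide's robots.txt plus a harmless /images entry as a control.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs
Disallow: /include
Disallow: /images
"""

# Path fragments that, when listed in robots.txt, advertise where the interesting parts are.
# Assumed categories; tune to the application under review.
SENSITIVE_PATTERNS = {
    r"admin|manage|console": "administrative interface",
    r"backup|bak|old|dump": "backup or archive data",
    r"upload": "user-uploaded content",
    r"include|inc|lib": "server-side code that should not be reachable",
    r"^/~\w+": "per-user home directory (reveals a username)",
    r"config|conf|\.env|\.git": "configuration or repository data",
}


def parse_robots(text):
    """Return (agent, directive, path) tuples; comments and blank lines are ignored."""
    agent = None
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            agent = value
        elif key in ("disallow", "allow"):
            rules.append((agent, key, value))
    return rules


def sensitive_disallows(text):
    """Disallow paths that match a sensitive category, as (path, reason) pairs.
    The remedy for a hit is access control on that path, not deleting the line:
    robots.txt hides nothing from anyone who ignores it."""
    findings = []
    for _, directive, path in parse_robots(text):
        if directive != "disallow" or not path:
            continue
        for pattern, reason in SENSITIVE_PATTERNS.items():
            if re.search(pattern, path, re.IGNORECASE):
                findings.append((path, reason))
                break
    return findings


if __name__ == "__main__":
    for path, reason in sensitive_disallows(SAMPLE_ROBOTS):
        print(f"{path}: {reason}")
```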


40

Web Server – Missing Security Headers

HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; preload
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; […]
Pragma: no-cache
content-security-policy: default-src * data: blob:;script-src *.facebook.com[…]
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=-1469692008; path=/; domain=.facebook.com
Vary: Accept-Encoding
Content-Encoding: br
Content-Type: text/html
X-FB-Debug: +ggB6Nz/jblNnRf72/[…]
Date: Thu, 28 Jul 2016 07:46:49 GMT
Connection: close

Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project


41

Strict-Transport-Security

(Highlighted in the response shown on slide 40:)
Strict-Transport-Security: max-age=15552000; preload

Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

Goal: To protect websites against protocol downgrade attacks and cookie hijacking

Values:

max-age=SECONDS: The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.

includeSubDomains: If this optional parameter is specified, this rule applies to all of the site's subdomains as well.


42

X-Frame-Options

(Highlighted in the response shown on slide 40:)
X-Frame-Options: DENY

Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

Goal: To improve the protection of web applications against Clickjacking

Values:

deny: No rendering within a frame.

sameorigin: No rendering if the origin does not match.

allow-from DOMAIN: Allows rendering if framed by a frame loaded from DOMAIN.


43

X-XSS-Protection

(Highlighted in the response shown on slide 40:)
X-XSS-Protection: 0

Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

Goal: To enable the Cross-site scripting (XSS) filter in the browser.

Values:

0: Filter disabled.

1: Filter enabled. If an XSS attack is detected, the browser will sanitize the page in order to stop the attack.

1; mode=block: Filter enabled. Rather than sanitizing the page, when an XSS attack is detected the browser will prevent rendering of the page.

1; report=http://[YOURDOMAIN]/your_report_URI: Filter enabled. The browser will sanitize the page and report the violation. This is a Chromium function utilizing CSP violation reports to send details to a URI of your choice.


44

X-Content-Type-Options

(Highlighted in the response shown on slide 40:)
X-Content-Type-Options: nosniff

Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

Goal: To prevent Internet Explorer and Chrome from interpreting files as something other than what is declared by the Content-Type in the HTTP headers.

Values:

nosniff: Prevents Internet Explorer and Chrome from MIME-sniffing a response away from the declared content-type.


45

Public Key Pinning Extension for HTTP (HPKP)

(Highlighted in the response shown on slide 40:)
public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; […]

Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

Goal: To resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.

Values:

pin-sha256="<sha256>": The quoted string is the Base64 encoded Subject Public Key Information (SPKI) fingerprint. It is possible to specify multiple pins for different public keys. Some browsers might allow other hashing algorithms than SHA-256 in the future.

max-age=SECONDS: The time, in seconds, that the browser should remember that this site is only to be accessed using one of the pinned keys.

includeSubDomains: If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

report-uri="<URL>": If this optional parameter is specified, pin validation failures are reported to the given URL.


46

Content-Security-Policy

(Highlighted in the response shown on slide 40; the full header reads:)
content-security-policy: default-src * data: blob:;
  script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob: data:;
  style-src * 'unsafe-inline' data:;
  connect-src *.facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: chrome-extension://boadgeojelhgndaghljhdicfkmllpafd;

Source: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

Goal: To prevent a wide range of (client side) attacks, including Cross-site scripting and other cross-site injections.

Values:

[.. See in source link ..]

Example: Content-Security-Policy: script-src 'self'


47

Testing for cookies attributes (OTG-SESS-002)

Source: https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

• Secure Attribute
• HttpOnly Attribute
• Domain Attribute
• Path Attribute
• Expires Attribute
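An added check, not from the slides, that reads a raw HTTP response and reports the missing or weak headers from slides 40 to 46 together with the Secure and HttpOnly cookie attributes listed above; the sample response is constructed (the real Facebook capture is not reused) and the one-year HSTS threshold is an assumption of the example:

```python
"""Added example (not from the slides): scan a raw HTTP response for the
security headers and cookie attributes described on the slides above."""
from typing import Dict, List, Optional, Tuple

# Constructed sample response, loosely modelled on the capture in the slides.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; preload
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src * data: blob:; script-src *.example.com 'unsafe-inline' 'unsafe-eval'
Set-Cookie: session=abc123; path=/; domain=.example.com
Set-Cookie: prefs=dark; path=/; Secure; HttpOnly
Content-Type: text/html
Connection: close
"""
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this check


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs; repeated headers such as
    Set-Cookie stay as separate entries."""
    lines = raw.splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    headers = []
    for line in lines:
        if not line.strip():
            break  # a blank line terminates the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def first_header(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    return next((v for n, v in headers if n == name), None)


def directives(value: str) -> Dict[str, str]:
    """'max-age=500; preload' -> {'max-age': '500', 'preload': ''}."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.strip().partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def check_security_headers(raw: str) -> List[str]:
    """Return findings for missing or weak headers; an empty list is clean."""
    h = parse_headers(raw)
    findings: List[str] = []

    hsts = first_header(h, "strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = directives(hsts)
        if int(d.get("max-age") or 0) < ONE_YEAR:
            findings.append("HSTS: max-age shorter than one year")
        if "includesubdomains" not in d:
            findings.append("HSTS: includeSubDomains not set")

    xfo = (first_header(h, "x-frame-options") or "").lower()
    if xfo not in ("deny", "sameorigin") and not xfo.startswith("allow-from"):
        findings.append("X-Frame-Options: missing or unrecognised (%r)" % xfo)

    xss = first_header(h, "x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection: header missing")
    elif xss.startswith("0"):
        findings.append("X-XSS-Protection: filter disabled (0)")

    if (first_header(h, "x-content-type-options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    csp = first_header(h, "content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    for directive in (csp or "").split(";"):  # only the script-relevant directives
        tokens = directive.split()
        if tokens and tokens[0].lower() in ("default-src", "script-src"):
            for weak in ("*", "'unsafe-inline'", "'unsafe-eval'"):
                if weak in tokens[1:]:
                    findings.append("CSP: %s permits %s" % (tokens[0].lower(), weak))

    if first_header(h, "public-key-pins") is None:
        findings.append("HPKP: pins not enforced (no Public-Key-Pins header)")

    for name, value in h:  # one Set-Cookie header per cookie
        if name == "set-cookie":
            cookie, attrs = value.split("=", 1)[0].strip(), directives(value)
            for required in ("secure", "httponly"):
                if required not in attrs:
                    findings.append("Cookie %s: %s attribute missing" % (cookie, required))
    return findings


if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE_RESPONSE):
        print(finding)
```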


48

Unprotected files and directories

- http://example.com/backup.zip
- http://example.com/dump.sql
- http://example.com/password.txt
- http://example.com/wp-config.php.txt
- http://example.com/db-config.txt
- …

Source: https://hackerone.com/reports/33083


49

Unprotected Administrator Pages

http://example.com/admin/
http://example.com/backend/
http://example.com/backoffice/
…


50

Publicly accessible Tomcat Manager

• HTTP Basic Auth
• Brute force-able

http://example.com:8443/manager/
http://example.com:8080/manager/


51

Unprotected Code Repository (Git, SVN)

Source: https://hackerone.com/reports/72243

http://example.com/.git/
http://example.com/.svn/entries
…

Exploit:
$ svn checkout <URL>
$ git clone <URL>
or https://github.com/kost/dvcs-ripper


52

Unprotected Docker Repository

$ docker pull <URL>

Source: https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/


53

Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004)

Source: https://www.owasp.org/index.php/Review_Old,_Backup_and_Unreferenced_Files_for_Sensitive_Information_(OTG-CONFIG-004)

Programmers’ comments:

<!-- <A HREF="uploadfile.jsp">Upload a document to the server</A> -->
<!-- Link removed while bugs in uploadfile.jsp are fixed -->

JavaScript may contain page links that are only rendered within the user’s GUI under certain circumstances:

var adminUser=false;
if (adminUser) menu.add (new menuItem ("Maintain users", "/admin/useradmin.jsp"));

HTML pages may contain FORMs that have been hidden by disabling the SUBMIT element:

<FORM action="forgotPassword.jsp" method="post">
  <INPUT type="hidden" name="userID" value="123">
  <!-- <INPUT type="submit" value="Forgot Password"> -->
</FORM>


54

Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)

Source: https://www.ssllabs.com/ssltest/analyze.html?d=www.gmail.com&s=216.58.194.165&latest

Online:
- https://www.ssllabs.com/

Offline:
- OpenSSL toolkit
- Nessus, Nmap scripts
- https://github.com/drwetter/testssl.sh/
- …


55

Overly permissive Adobe's crossdomain.xml policy (OTG-CONFIG-008)

Bad:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>

Source: https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_(OTG-CONFIG-008)


56

Overly permissive Adobe's crossdomain.xml policy (OTG-CONFIG-008)

Good:

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
  <allow-access-from domain="twitter.com"/>
  <allow-access-from domain="api.twitter.com"/>
  <allow-access-from domain="search.twitter.com"/>
  <allow-access-from domain="static.twitter.com"/>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-http-request-headers-from domain="*.twitter.com" headers="*" secure="true"/>
</cross-domain-policy>

Source: https://twitter.com/crossdomain.xml


57

Overly permissive CORS policy

Source: https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Cross_Origin_Resource_Sharing

Bad:

HTTP/1.1 200 OK
[...]
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
[...]

Good:

HTTP/1.1 200 OK
[…]
Access-Control-Allow-Origin: https://www.facebook.com
Access-Control-Allow-Credentials: true
[…]

Please note that a wildcard origin (*) is only acceptable if the origin has no sensitive content.
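An added example, not from the slides or from OWASP, that parses a crossdomain.xml policy and a set of CORS response headers and flags the permissive settings shown in the Bad samples on slides 55 and 57, with a server-side helper that emits headers the way the Good sample does; the policies and the example.com origins are constructed:

```python
"""Added example (not from the slides or OWASP): flag overly permissive
cross-origin policies in an Adobe crossdomain.xml file and in CORS response
headers, following the Bad/Good samples on the slides above."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed policies modelled on the slides' Bad and Good examples.
BAD_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>"""

GOOD_CROSSDOMAIN = """<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-http-request-headers-from domain="*.example.com" headers="*" secure="true"/>
</cross-domain-policy>"""


def check_crossdomain_xml(xml_text: str) -> List[str]:
    """Return findings for a crossdomain.xml policy; an empty list is acceptable."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for sc in root.iter("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control: 'all' honours policy files anywhere on the host")
    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for el in root.iter(tag):
            domain = el.get("domain", "")
            if domain == "*":
                findings.append("%s: wildcard domain grants every site access" % tag)
            # secure defaults to true; "false" lets plain-HTTP callers use the policy
            if el.get("secure", "true").lower() == "false":
                findings.append('%s domain=%s: secure="false"' % (tag, domain))
    return findings


def check_cors(headers: Dict[str, str]) -> List[str]:
    """Return findings for CORS response headers (header names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if origin == "*" and credentials:
        findings.append("ACAO * with credentials: rejected by browsers, and signals that every origin is trusted")
    elif origin == "*":
        findings.append("ACAO *: acceptable only if the resource holds no sensitive content")
    elif origin == "null":
        findings.append("ACAO null: sandboxed frames and file:// pages can read the response")
    return findings


def cors_headers_for(request_origin: str, allowed: Set[str], credentials: bool) -> Dict[str, str]:
    """Server-side counterpart to the Good example: echo the request Origin only
    when it is on an explicit allow list, and never combine '*' with credentials."""
    if request_origin not in allowed:
        return {}  # no CORS headers: the browser refuses the cross-origin read
    out = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    return out


if __name__ == "__main__":
    print(check_crossdomain_xml(BAD_CROSSDOMAIN))
    print(check_cors({"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}))
```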


58

Windows Short (8.3) filename expansion

Source: http://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/

C:\> dir /X

You can replace:
http://example.com/backup-082119f75623eb7abd7bf357698ff66c.sql
with:
http://example.com/BACKUP~1.SQL

Exploit:

https://github.com/irsdl/IIS-ShortName-Scanner


59

Mitigate Security Misconfiguration Vulnerabilities

1. RTFM: Read the Fantastic Manual
2. Do regular configuration audits
3. Deploy or harden configurations using automated methods (scripts, Ansible, Puppet, Chef etc.)
4. Implement patch and configuration management procedures


60

DNS CNAME to subdomain takeover?

Source: https://hackerone.com/reports/149679


61

Customizing Amazon S3 URLs with CNAMEs

“Depending on your needs, you might not want "s3.amazonaws.com" to appear on your website or service. For example, if you host your website images on Amazon S3, you might prefer http://images.johnsmith.net/ instead of http://johnsmith-images.s3.amazonaws.com/. The bucket name must be the same as the CNAME. So http://images.johnsmith.net/filename would be the same as http://images.johnsmith.net.s3.amazonaws.com/filename if a CNAME were created to map images.johnsmith.net to images.johnsmith.net.s3.amazonaws.com.”

Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html, https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/


62

DNS CNAME + unclaimed Amazon S3 bucket

Source: https://hackerone.com/reports/121461, https://hackerone.com/reports/125118, https://hackerone.com/reports/32825, https://hackerone.com/reports/109699
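An added defensive check, not from the slides, built on the AWS rule quoted on slide 61 (S3 serves the bucket named after the CNAME hostname): it walks a zone export for CNAMEs that point at S3 endpoints and reports hostnames whose bucket is not in the organisation's own inventory, which is the condition under which an unclaimed bucket lets someone else serve content under that subdomain. The zone records, the bucket inventory and the S3 hostname pattern are constructed assumptions:

```python
"""Added example (not from the slides): list DNS CNAME records that point at
Amazon S3 and flag the ones whose bucket is not in the organisation's own
inventory. Zone records, inventory and the hostname pattern are constructed."""
import re
from typing import List, Optional, Set, Tuple

# Constructed zone export: (record name, type, target).
ZONE_RECORDS = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("images.example.com.", "CNAME", "images.example.com.s3.amazonaws.com."),
    ("assets.example.com.", "CNAME", "assets.example.com.s3-website-eu-west-1.amazonaws.com."),
    ("old-promo.example.com.", "CNAME", "old-promo.example.com.s3.amazonaws.com."),
    ("cdn.example.com.", "CNAME", "cdn-bucket.s3.amazonaws.com."),
    ("blog.example.com.", "CNAME", "ghs.googlehosted.com."),
]
# Constructed inventory of buckets the organisation actually owns.
OWNED_BUCKETS = {"images.example.com", "assets.example.com", "cdn.example.com"}

# Virtual-hosted S3 endpoints (assumed pattern): <bucket>.s3.amazonaws.com,
# <bucket>.s3-<region>.amazonaws.com, <bucket>.s3-website-<region>.amazonaws.com
S3_HOST = re.compile(r"^(?P<bucket>.+?)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$", re.I)


def s3_bucket_in_target(target: str) -> Optional[str]:
    """Bucket name embedded in an S3 endpoint hostname, or None if not S3."""
    m = S3_HOST.match(target)
    return m.group("bucket").lower() if m else None


def find_dangling_s3_cnames(records, owned_buckets: Set[str]) -> List[Tuple[str, str]]:
    """Return (hostname, reason) for CNAMEs that rely on an S3 bucket the
    organisation does not own. As the AWS quote above states, S3 serves the
    bucket named after the request's Host header, i.e. the CNAME hostname,
    so a hostname without a bucket in the inventory is the takeover condition."""
    findings: List[Tuple[str, str]] = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        target_bucket = s3_bucket_in_target(target)
        if target_bucket is None:
            continue  # not an S3 endpoint; other providers need their own check
        hostname = name.rstrip(".").lower()
        if hostname not in owned_buckets:
            findings.append((hostname, "bucket not in inventory: unclaimed or deleted"))
        elif target_bucket != hostname:
            # DNS names another bucket, but S3 still looks up the hostname bucket
            findings.append((hostname, "CNAME target names bucket %s, S3 serves %s" % (target_bucket, hostname)))
    return findings


if __name__ == "__main__":
    for host, reason in find_dangling_s3_cnames(ZONE_RECORDS, OWNED_BUCKETS):
        print("%s: %s" % (host, reason))
```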


For any further questions contact your SEC Consult Expert.

Pichaya [email protected]

SEC Consult (Thailand) Co., Ltd.
29/1 Piyaplace Langsuan Building, 16B
Soi Langsuan, Lumpini, Pathumwan
Bangkok 10330, Thailand

www.sec-consult.com


64

Contact

GERMANY
SEC Consult Unternehmensberatung Deutschland GmbH
Bockenheimer Landstraße 17-19
60325 Frankfurt / Main
Tel +49 69 175 373 43 | Fax +49 69 175 373 44
Email [email protected]

AUSTRIA
SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17
1190 Vienna
Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15
Email [email protected]

LITHUANIA
UAB Critical Security, a SEC Consult company
Sauletekio al. 15-311
10224 Vilnius
Tel +370 5 2195535
Email [email protected]

RUSSIA
CJCS Security Monitor
5th Donskoy proyezd, 15, Bldg. 6
119334, Moscow
Tel +7 495 662 1414
Email [email protected]

SINGAPORE
SEC Consult Singapore PTE. LTD
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Email [email protected]

CANADA
i-SEC Consult Inc.
100 René-Lévesque West, Suite 2500
Montréal (Quebec) H3B 5C9
Email [email protected]

AUSTRIA
SEC Consult Unternehmensberatung GmbH
Komarigasse 14/1
2700 Wiener Neustadt
Tel +43 1 890 30 43 0
Email [email protected]

THAILAND
SEC Consult (Thailand) Co., Ltd.
29/1 Piyaplace Langsuan Building 16th Floor, 16B
Soi Langsuan, Ploen Chit Road
Lumpini, Patumwan | Bangkok 10330
Tel +66 02 041 1146
Email [email protected]

www.sec-consult.com
