A5-Security misconfiguration-OWASP 2013
1 like4,328 views
Security misconfiguration occurs when system administrators, database administrators, and developers leave security holes in the configuration of computer systems. An attacker can access default accounts, unused pages, unpatched flaws, and unprotected files and directories. Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Typical attacks involve finding information about the operating system type and version, libraries, tools, web server type, and web development language in order to exploit vulnerabilities. Organizations can prevent security misconfiguration by updating software, removing default credentials, disabling unused components, conducting security scans, and implementing secure configuration practices.
1 of 10
Downloaded 173 times
Ad
Recommended
Security misconfiguration
Security misconfigurationJiri Danihelka This document discusses security misconfigurations in ASP.NET applications and password management best practices. It provides recommendations for securing ASP.NET configurations including changing default passwords, using different credentials for development and live environments, enabling custom errors, and removing version headers. The document also advises against storing production passwords in code repositories, emails, Confluence, or connection strings due to security risks. It recommends using a password management system instead.
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic This document discusses the topic of security misconfiguration. It begins by defining security misconfiguration as when system administrators, database administrators (DBAs), and developers leave security holes in the configuration of computer systems. It then provides examples of how misconfiguration can occur at different levels of an application stack, such as the platform, web server, and custom code. The document also describes how attackers exploit known misconfigurations and provides recommendations for securing systems, such as changing default passwords, deleting unused accounts and services, keeping software updated, and more.
Security misconfiguration
Security misconfigurationMicho Hayek Security misconfiguration is a major risk due to its prevalence and impact. It occurs when default passwords, debugging settings, or excessive privileges are left unchanged, potentially allowing hackers access. Proper configuration through secure coding practices, access controls, patching, and audits can help safeguard systems and data.
Security Misconfiguration (OWASP Top 10 - 2013 - A5)
Security Misconfiguration (OWASP Top 10 - 2013 - A5)Pichaya Morimoto Event: OWASP Thailand Meeting 7/2016 (Free Event)
Topic: Security Misconfiguration (OWASP Top 10 2013 – A5)
Date & Time: Thursday, July 28 at 6 PM - 9 PM
Location: Securities and Exchange Commission, Thailand (SEC, a government organization)
16th floor, Room No. 1601
333/3, 333/3 Vibhavadi Rangsit Rd, Chom Phon, Chatuchak, Bangkok 10900
Link Map: https://goo.gl/0akY6d
Agenda
18.00 - 18.30 Registration
18.30 - 18.45 Welcome speech
18.45 - 20.45 Topic: Security Misconfiguration (OWASP Top 10 2013 – A5)
Pichaya Morimoto
IT Security Consultant
SEC Consult (Thailand) Co., Ltd.
20.45 - 21.00 Closing Session
A5: Security Misconfiguration 
A5: Security Misconfiguration Tariq Islam Application misconfiguration attacks exploit weaknesses in web applications caused by configuration mistakes. These mistakes include using default passwords and privileges or revealing too much debugging information. Misconfiguration can have minor effects but can also cause major issues like data loss or full system compromise. It is a common problem caused by factors like human error and complex application interfaces. Proper security practices like regular reviews and testing can help detect and prevent misconfiguration vulnerabilities.
security misconfigurations
security misconfigurationsMegha Sahu The document discusses security misconfiguration as the sixth most dangerous web application vulnerability according to the OWASP Top 10. It defines security misconfiguration as improper configuration settings that can enable attacks. The document outlines how attackers exploit default passwords and privileges, and provides examples of misconfigured systems. It recommends ways to prevent misconfiguration like changing defaults, deleting unnecessary accounts, and keeping systems updated. The document demonstrates how to detect hidden URLs and directory listings using Burp Suite and concludes that misconfiguration poses a high risk if not properly safeguarded against.
Packet filtering using jpcap
Packet filtering using jpcapElanthendral Mariappan This document discusses using JPCAP to capture and filter network packets in Java. It describes obtaining a list of network interfaces, opening an interface for packet capture, capturing packets one-by-one using getPacket(), and setting a filter to only capture certain types of packets like TCP/IPv4. The key aspects are initializing JPCAP, selecting an interface, capturing packets in a loop, and applying filters to focus on relevant traffic.
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
OWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch The document discusses the OWASP API Security Top 10 project which aims to raise awareness of common API vulnerabilities. It highlights some frequent issues like input validation problems, insecure configurations, and data/exception leakage. The document also demonstrates examples of these vulnerabilities using a vulnerable demo API called Pixi.
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru This document provides an overview of the OWASP Top 10 Risk Rating Methodology. It explains how risks are rated based on four factors: threat agent, attack vector, technical impact, and business impact. Each factor is given a rating of 1-3 (easy to difficult) and these ratings are multiplied together to calculate an overall weighted risk rating. An example of how this methodology would be applied to an SQL injection vulnerability is also provided.
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers This document provides an agenda for a presentation on web application pentesting and using Burp Suite. The presentation will include an overview of Burp Suite, how to get started with it, automated and manual testing techniques, and tips for web hacking. It will cover features of Burp like the proxy, spider, scanner, intruder, repeater, sequencer, and extender. The goal is to help attendees learn the foundation of using Burp Suite for web assessments.
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch This document outlines the OWASP API Security Top 10 project which identifies the top 10 risks associated with modern application programming interfaces (APIs). It describes each of the top 10 risks, including broken authentication, excessive data exposure, lack of resources and rate limiting, and insufficient logging and monitoring. For each risk, it provides real-world examples of APIs that have been exploited and mitigation strategies are proposed. Additional resources for the project are listed at the end.
Owasp 
Owasp penetration Tester The Open Web Application Security Project is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesXavier Kress Les principales failles de sécurité des applications Web actuelles telles que recensées par l'OWASP. Principes, parades et bonnes pratiques de développement.
Ce document, élaboré dans le cadre d'une présentation faite au CNAM, traite de l’importance de la sécurité applicative (les applications Web sont devenues omniprésentes, objectifs et conséquences d’une attaque, les hackers et les kits d’attaque, l'OWASP et les kits de défense), des principales failles de sécurité applicatives (principe et exemples de fonctionnement, objectifs / conséquences, parades) et des bonnes pratiques permettant de sécuriser un parc applicatif (sensibiliser les développeurs, effectuer des tests d’intrusion et de la revue de code, intégrer la sécurité dans la gestion de projets)
API Security Fundamentals
API Security FundamentalsJosé Haro Peralta Slides for my webinar "API Security Fundamentals". They cover
👉 𝐎𝐖𝐀𝐒𝐏’𝐬 𝐭𝐨𝐩 𝟏𝟎 API security vulnerabilities with suggestions on how to avoid them, including the 2019 and the 2023 versions.
👉 API authorization and authentication using 𝐎𝐀𝐮𝐭𝐡 and 𝐎𝐈𝐃𝐂
👉 How certain 𝐀𝐏𝐈 𝐝𝐞𝐬𝐢𝐠𝐧𝐬 expose vulnerabilities and how to prevent them
👉 APIs sit within a wider system and therefore API security requires a 𝐡𝐨𝐥𝐢𝐬𝐭𝐢𝐜 𝐚𝐩𝐩𝐫𝐨𝐚𝐜𝐡. I’ll talk about elements “around the API” that also need to be protected
👉 automating API 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐭𝐞𝐬𝐭𝐢𝐧𝐠
OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx This document discusses injection vulnerabilities like SQL, XML, and command injection. It provides examples of how injection occurs by mixing commands and data, including accessing unauthorized data or escalating privileges. The speaker then discusses ways to prevent injection, such as validating all user input, using prepared statements, adopting secure coding practices, and implementing web application firewalls. The key message is that applications should never trust user input and adopt defense in depth techniques to prevent injection vulnerabilities.
OWASP Top Ten
OWASP Top TenChristian Heinrich This document summarizes the OWASP Top Ten 2013 report, which outlines the top 10 most critical web application security risks. It discusses the methodology used to determine the top risks, comparisons to past versions, and politics around ranking certain vulnerabilities. It also provides context on how and when the OWASP Top Ten list should be cited and explains the risk rating methodology used to evaluate vulnerabilities.
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov The document provides information about the OWASP Top 10 2021 list of web application security risks. It describes the top risk, A01: Broken Access Control, giving its definition, examples of vulnerabilities it can enable, prevention methods, and examples. It also summarizes the second and third top risks, A02: Cryptographic Failures and A03: Injection, in a similar manner.
SSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd The OWASP Top 10 API security outlines the most common attacks that occur against APIs and provides tips on protecting your API from these threats.
SSRF workshop 
SSRF workshop Ivan Novikov This document discusses server-side request forgery (SSRF) exploitation. It provides examples of how SSRF can be used to access internal networks and bypass authentication by forging requests from the vulnerable server. Specific cases described include exploiting OAuth token hijacking, memcached exploitation using protocol smuggling, and exploiting vulnerabilities in libraries like TCPDF, LWP, and Postgres that enable SSRF. The document encourages finding creative ways to leverage SSRF and related vulnerabilities like open redirects, XML external entities, and SQL injection to compromise hosts and internal services.
Pentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix This document provides an outline for a presentation on pentesting web applications with Burp Suite. It discusses using Burp Suite to scope a target, map content through spidering and directory bruteforcing, replace automated scanning with manual fuzzing using attack paylists, and test authentication through bruteforcing logins. Specific techniques covered include using the Burp spider, intruder, and engagement tools to discover content and hidden directories, importing wordlists to bruteforce hidden paths, and configuring intruder payloads and grep rules to analyze results from fuzzing and authentication testing.
Broken access controls
Broken access controlsAkansha Kesharwani The document discusses broken access control vulnerabilities. It defines broken access control as when a user is able to perform actions or access content they should not be authorized for. It provides examples of insecure direct object references and missing functional level access controls, which were merged into the broken access control category in OWASP 2017. The document also outlines potential impacts of broken access control and recommendations for remediation such as validating object references and authorization for all referenced objects.
Waf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Secure coding practices
Secure coding practicesScott Hurrey This document provides an overview of secure coding practices for developers. It discusses secure design principles like defense in depth and least privilege. It also covers secure coding practices such as input validation, escaping, and HTML sanitization. The document provides examples of good and bad code related to reflecting user input, access control, and request authenticity. It also defines key security terms and outlines strategies for handling user input and encoding output.
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
This presentation explain how to discover this vulnerability in application, how to test and how to mitigate the risk.
OWASP Top 10 2013
OWASP Top 10 2013markstory This document discusses the OWASP Top 10 security risks and provides examples and prevention methods for each. It covers injection flaws, broken authentication, XSS, insecure direct object references, security misconfiguration, sensitive data exposure, missing access control, CSRF, using vulnerable components, and unvalidated redirects. For each risk, it explains potential impacts, provides code examples to illustrate the issue, and recommends techniques to address the vulnerability like input validation, access control, encryption, and keeping software updated.
Ad
More Related Content
What's hot (20)
OWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch The document discusses the OWASP API Security Top 10 project which aims to raise awareness of common API vulnerabilities. It highlights some frequent issues like input validation problems, insecure configurations, and data/exception leakage. The document also demonstrates examples of these vulnerabilities using a vulnerable demo API called Pixi.
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru This document provides an overview of the OWASP Top 10 Risk Rating Methodology. It explains how risks are rated based on four factors: threat agent, attack vector, technical impact, and business impact. Each factor is given a rating of 1-3 (easy to difficult) and these ratings are multiplied together to calculate an overall weighted risk rating. An example of how this methodology would be applied to an SQL injection vulnerability is also provided.
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers This document provides an agenda for a presentation on web application pentesting and using Burp Suite. The presentation will include an overview of Burp Suite, how to get started with it, automated and manual testing techniques, and tips for web hacking. It will cover features of Burp like the proxy, spider, scanner, intruder, repeater, sequencer, and extender. The goal is to help attendees learn the foundation of using Burp Suite for web assessments.
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch This document outlines the OWASP API Security Top 10 project which identifies the top 10 risks associated with modern application programming interfaces (APIs). It describes each of the top 10 risks, including broken authentication, excessive data exposure, lack of resources and rate limiting, and insufficient logging and monitoring. For each risk, it provides real-world examples of APIs that have been exploited and mitigation strategies are proposed. Additional resources for the project are listed at the end.
Owasp
Owasp penetration Tester The Open Web Application Security Project is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesXavier Kress Les principales failles de sécurité des applications Web actuelles telles que recensées par l'OWASP. Principes, parades et bonnes pratiques de développement.
Ce document, élaboré dans le cadre d'une présentation faite au CNAM, traite de l’importance de la sécurité applicative (les applications Web sont devenues omniprésentes, objectifs et conséquences d’une attaque, les hackers et les kits d’attaque, l'OWASP et les kits de défense), des principales failles de sécurité applicatives (principe et exemples de fonctionnement, objectifs / conséquences, parades) et des bonnes pratiques permettant de sécuriser un parc applicatif (sensibiliser les développeurs, effectuer des tests d’intrusion et de la revue de code, intégrer la sécurité dans la gestion de projets)
API Security Fundamentals
API Security FundamentalsJosé Haro Peralta Slides for my webinar "API Security Fundamentals". They cover
👉 𝐎𝐖𝐀𝐒𝐏’𝐬 𝐭𝐨𝐩 𝟏𝟎 API security vulnerabilities with suggestions on how to avoid them, including the 2019 and the 2023 versions.
👉 API authorization and authentication using 𝐎𝐀𝐮𝐭𝐡 and 𝐎𝐈𝐃𝐂
👉 How certain 𝐀𝐏𝐈 𝐝𝐞𝐬𝐢𝐠𝐧𝐬 expose vulnerabilities and how to prevent them
👉 APIs sit within a wider system and therefore API security requires a 𝐡𝐨𝐥𝐢𝐬𝐭𝐢𝐜 𝐚𝐩𝐩𝐫𝐨𝐚𝐜𝐡. I’ll talk about elements “around the API” that also need to be protected
👉 automating API 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐭𝐞𝐬𝐭𝐢𝐧𝐠
OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx This document discusses injection vulnerabilities like SQL, XML, and command injection. It provides examples of how injection occurs by mixing commands and data, including accessing unauthorized data or escalating privileges. The speaker then discusses ways to prevent injection, such as validating all user input, using prepared statements, adopting secure coding practices, and implementing web application firewalls. The key message is that applications should never trust user input and adopt defense in depth techniques to prevent injection vulnerabilities.
OWASP Top Ten
OWASP Top TenChristian Heinrich This document summarizes the OWASP Top Ten 2013 report, which outlines the top 10 most critical web application security risks. It discusses the methodology used to determine the top risks, comparisons to past versions, and politics around ranking certain vulnerabilities. It also provides context on how and when the OWASP Top Ten list should be cited and explains the risk rating methodology used to evaluate vulnerabilities.
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov The document provides information about the OWASP Top 10 2021 list of web application security risks. It describes the top risk, A01: Broken Access Control, giving its definition, examples of vulnerabilities it can enable, prevention methods, and examples. It also summarizes the second and third top risks, A02: Cryptographic Failures and A03: Injection, in a similar manner.
SSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd The OWASP Top 10 API security outlines the most common attacks that occur against APIs and provides tips on protecting your API from these threats.
SSRF workshop
SSRF workshop Ivan Novikov This document discusses server-side request forgery (SSRF) exploitation. It provides examples of how SSRF can be used to access internal networks and bypass authentication by forging requests from the vulnerable server. Specific cases described include exploiting OAuth token hijacking, memcached exploitation using protocol smuggling, and exploiting vulnerabilities in libraries like TCPDF, LWP, and Postgres that enable SSRF. The document encourages finding creative ways to leverage SSRF and related vulnerabilities like open redirects, XML external entities, and SQL injection to compromise hosts and internal services.
Pentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix This document provides an outline for a presentation on pentesting web applications with Burp Suite. It discusses using Burp Suite to scope a target, map content through spidering and directory bruteforcing, replace automated scanning with manual fuzzing using attack paylists, and test authentication through bruteforcing logins. Specific techniques covered include using the Burp spider, intruder, and engagement tools to discover content and hidden directories, importing wordlists to bruteforce hidden paths, and configuring intruder payloads and grep rules to analyze results from fuzzing and authentication testing.
Broken access controls
Broken access controlsAkansha Kesharwani The document discusses broken access control vulnerabilities. It defines broken access control as when a user is able to perform actions or access content they should not be authorized for. It provides examples of insecure direct object references and missing functional level access controls, which were merged into the broken access control category in OWASP 2017. The document also outlines potential impacts of broken access control and recommendations for remediation such as validating object references and authorization for all referenced objects.
Waf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Secure coding practices
Secure coding practicesScott Hurrey This document provides an overview of secure coding practices for developers. It discusses secure design principles like defense in depth and least privilege. It also covers secure coding practices such as input validation, escaping, and HTML sanitization. The document provides examples of good and bad code related to reflecting user input, access control, and request authenticity. It also defines key security terms and outlines strategies for handling user input and encoding output.
Viewers also liked (12)
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
This presentation explain how to discover this vulnerability in application, how to test and how to mitigate the risk.
OWASP Top 10 2013
OWASP Top 10 2013markstory This document discusses the OWASP Top 10 security risks and provides examples and prevention methods for each. It covers injection flaws, broken authentication, XSS, insecure direct object references, security misconfiguration, sensitive data exposure, missing access control, CSRF, using vulnerable components, and unvalidated redirects. For each risk, it explains potential impacts, provides code examples to illustrate the issue, and recommends techniques to address the vulnerability like input validation, access control, encryption, and keeping software updated.
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare Talk by Simon Bennetts
Mozilla Security Team, OWASP ZAP Project Lead
At Tabara de Testare Cluj Napoca, Romania
Sensitive Data Exposure
Sensitive Data Exposureabodiford This document discusses the importance of protecting sensitive data and minimizing exposure. It defines sensitive data as information that must be safeguarded from unauthorized access, such as passwords, addresses, social security numbers, and credit card information. The document outlines laws and regulations that govern sensitive data protection and explains how data is often exposed through security flaws, intrusions, phishing, or social engineering. It recommends encrypting sensitive data, restricting access to authorized individuals only, and learning from past security incidents to strengthen protections.
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20Tabăra de Testare Talk by Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Team
@ Tabara de Testare Cluj Napoca, Romania
OWASP top 10-2013
OWASP top 10-2013tmd800 The document summarizes the OWASP Top 10 risks for 2013 and provides details on each risk. It introduces the new title for the risks as the "Top 10 Most Critical Web Application Security Risks" and notes they are now based on a risk rating methodology. Injection, XSS, and broken authentication remain the top risks. The document provides examples and recommendations for avoiding each risk.
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkPichaya Morimoto This document summarizes an presentation about SQL injection vulnerabilities in PHP frameworks that use the active record pattern. It discusses what active record is, how SQL injection can still occur even with input validation, and recommends following best practices like parameterized queries and implementing defense in depth to help prevent SQL injection attacks. Case studies show how SQL injection vulnerabilities were found in specific frameworks even when developers thought secure coding practices were followed.
Secure Software Development Adoption Strategy
Secure Software Development Adoption StrategyNarudom Roongsiriwong, CISSP This document discusses adopting a secure software development strategy at Kiatnakin Bank. It recommends starting with a goal like the OWASP Top 10 controls, establishing an application security team, processes like code reviews and testing, baseline frameworks and guidelines, introducing security design concepts, and setting security checkpoints. The presentation emphasizes building knowledge, leading change, and getting management support to successfully adopt secure development practices.
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder Application Security session given as part of the Solvay Executive Master in IT Management.
Explaining application security challenges for web, mobile, cloud and internet of things.
Positioning OWASP SAMM as structural and measurable framework to get application security under control in the complete application lifecycle.
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx This document discusses cross-site scripting (XSS) attacks. It defines XSS as an attack where malicious scripts are injected into otherwise trusted websites. The document outlines three types of XSS attacks and provides examples of real-world XSS worms. It explains how to exploit stored, reflected, and DOM-based XSS vulnerabilities. Finally, it recommends ways to prevent XSS, including input and output filtering, encoding output, and using mitigations like HttpOnly cookies and content security policies.
InsecureDirectObjectReferences
InsecureDirectObjectReferencesmacanazon OWASP Insecure Direct Object References, URL manipulation, path and directory traversal, user input is evil
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava c0c0n 2015 Presentation. This talk discussed about the impact of using components with known vulnerabilities along with various tips and tools for software developer or administrator to facilitate identification of vulnerable components.
Ad
Similar to A5-Security misconfiguration-OWASP 2013 (20)
Advances inbrowsersecurity
Advances inbrowsersecurityAnil Saldanha Browser security has advanced in recent years. The top browsers - Internet Explorer, Firefox, Safari, Chrome and Opera - all provide security indicators like green bars for extended validation certificates and padlocks. Google Chrome uses a security architecture with separate protection domains for the browser kernel and rendering engine. Private browsing and parental controls allow for more private web use. The W3C Web Security Context specification aims to standardize security context information presented to users across browsers. Users should exercise caution and use security features of their browsers like disabling plugins by default and blocking third-party cookies.
CISSP Week 14
CISSP Week 14jemtallon This document discusses various security issues that can arise in source control systems. It describes buffer overflow attacks, where a program writes data past the end of a memory buffer. It also discusses citizen/casual programmers who may not follow proper security practices. Covert channels that can transfer data in violation of security policies are described. The document outlines controls and best practices around these issues like parameter checking, memory protection, and auditing and logging.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how different types of attacks could be detected, such as SQL injection, cross-site scripting, and session hijacking. It recommends a three-tiered approach to IDS that involves logging all activity, detailed logging of detected attacks, and flagging possible intrusions for manual review.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how common vulnerabilities like SQL injection, XSS, and session hijacking could be detected. It recommends a tiered approach to IDS with different levels of logging, alerting, and blocking of suspicious traffic.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how different types of attacks could be detected, such as SQL injection, cross-site scripting, and session hijacking. It recommends a three-tiered approach to IDS that involves logging all activity, detailed logging of detected attacks, and flagging possible intrusions for manual review.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks. A positive security model uses whitelists to allow only known good traffic while a negative model uses blacklists to detect malicious patterns. The document then examines how different types of attacks from the OWASP Top 10 could be detected, such as XSS, SQL injection, and session hijacking. It advocates a three-tiered approach to security monitoring with different levels of logging and alerting.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how common vulnerabilities like SQL injection, XSS, and session hijacking could be detected. It recommends a tiered approach to IDS with different levels of logging, alerting, and blocking of suspicious traffic.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how common vulnerabilities like SQL injection, XSS, and session hijacking could be detected. It recommends a tiered approach to IDS with different levels of logging and alerting to balance security and manageability.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how different types of attacks could be detected, such as SQL injection, cross-site scripting, and session hijacking. It recommends a three-tiered approach to IDS that involves logging all activity, detailed logging of detected attacks, and flagging possible intrusions for manual review.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how common vulnerabilities like SQL injection, XSS, and session hijacking could be detected. It recommends a tiered approach to IDS with different levels of logging, alerting, and blocking of suspicious traffic.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks. A positive security model uses whitelists to allow only known good traffic, but this has limitations for complex data types. A negative security model uses blacklists of known attack patterns, but cannot detect all unknown attacks. The document advocates a tiered approach to IDS that involves logging all activity, providing detailed logs of detected attacks, and generating high-priority alerts for possible intrusions.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how different types of attacks could be detected, such as SQL injection, cross-site scripting, and session hijacking. It recommends a three-tiered approach to IDS that involves logging all activity, detailed logging of detected attacks, and flagging possible intrusions for manual review.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how common vulnerabilities like SQL injection, XSS, and session hijacking could be detected. It recommends a tiered approach to IDS with different levels of logging, alerting, and blocking of suspicious traffic.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks. A positive security model uses whitelists to allow only known good traffic while a negative model uses blacklists to detect malicious patterns. The document then examines how different types of attacks from the OWASP Top 10 could be detected, such as XSS, SQL injection, and session hijacking. It advocates a three-tiered approach to security monitoring with different levels of logging and alerting.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how different types of attacks could be detected, such as SQL injection, cross-site scripting, and session hijacking. It recommends a three-tiered approach to IDS that involves logging all activity, detailed logging of detected attacks, and flagging possible intrusions for manual review.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks. A positive security model uses whitelists to allow only known good traffic while a negative model uses blacklists to detect malicious patterns. The document then examines how different types of attacks from the OWASP Top 10 could be detected, such as cross-site scripting, SQL injection, and session hijacking. It recommends a three-tiered approach to security monitoring that involves logging all activity, detailed logs of attacks, and alerts of possible intrusions.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks. A positive security model uses whitelists to allow only known good traffic, but this has limitations for complex data types. A negative security model uses blacklists of known attack patterns, but cannot detect all unknown attacks. The document advocates a tiered approach to security logging and monitoring with increasing levels of detail and prioritization of alerts.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how common vulnerabilities like SQL injection, XSS, and session hijacking could be detected. It recommends a tiered approach to IDS with different levels of logging and alerting to balance security and manageability.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks. A positive security model uses whitelists to allow only known good traffic while a negative model uses blacklists to detect malicious patterns. The document then examines how different types of attacks from the OWASP Top 10 could be detected, such as cross-site scripting, SQL injection, and session hijacking. It recommends a three-tiered approach to security monitoring that involves logging all activity, detailed logs of attacks, and alerts of potential intrusions.
API Upload Test
API Upload Testdecatv This document discusses using intrusion detection systems (IDS) to monitor web applications for security threats. It explains that IDS can be used to detect both known and unknown attacks by logging all activity and applying both whitelist and blacklist rules. The document also provides examples of how different types of attacks could be detected, such as SQL injection, cross-site scripting, and session hijacking. It recommends a three-tiered approach to IDS that involves logging all activity, detailed logging of detected attacks, and flagging possible intrusions for manual review.
Ad
More from Sorina Chirilă (9)
Electronic commerce and Data Warehouses
Electronic commerce and Data WarehousesSorina Chirilă O prezentare despre Electronic Commerce (Comerțul Electronic) în contextul Data Warehouses (Depozite de Date).
Object-Oriented Analysis And Design With Applications Grady Booch
Object-Oriented Analysis And Design With Applications Grady BoochSorina Chirilă Object-Oriented Analysis And Design With Applications Grady Booch - A presentation with different illustrations from the book.
Introducing CHAOS - A graphic guide
Introducing CHAOS - A graphic guideSorina Chirilă If a butterfly flaps its wings in Brazil, does it cause a tornado in Texas?
Chaos theory attempts to answer such baffling questions. The discovery of randomness in apparently predictable physical systems has evolved into a science that declares the universe to be far more unpredictable then we have ever imagined.
Introducing Chaos explains how chaos makes its presence felt in events from the fluctuation of animal populations to the ups and downs of the stock market. It examines the roots of chaos in modern maths and physics, and explores the relationship between chaos and complexity, the unifying theory which suggests that all complex systems evolve from a few simple rules.
This is an accessible introduction to an astonishing and controversial theory.
SNAS - CGS - MobilPRO2016
SNAS - CGS - MobilPRO2016Sorina Chirilă O prezentare pregătită pentru concursul MobilPRO 2016, secţiunea Internet of Things.
http://mobilpro.lse.org.ro/
THE ZEN OF PYTHON
THE ZEN OF PYTHONSorina Chirilă A presentation about good and bad ideas in coding, with examples regarding The Zen of Python.
www.bitopedia.wordpress.com
Scan
ScanSorina Chirilă Info-sport - primul numar al revistei de sport a liceului(Martie, 2006), unde am colaborat cu drag.
Nikto
NiktoSorina Chirilă This document provides an overview of several security tools including Nikto, Burp Suite, Wikto, Nmap, Metasploit, Nessus, OpenVAS, and how some of them relate to and integrate with Nikto. It describes Nikto as a web server scanner that checks for vulnerabilities. It then briefly introduces each of the other tools, their purpose, and in some cases how they can work with Nikto, such as Nikto being able to use Nmap scan results or output results to Metasploit's database.
Nikto
NiktoSorina Chirilă Nikto is a free and open source web server scanner used to identify vulnerabilities and help secure servers. It tests servers for over 6,500 dangerous files and scripts, outdated versions of software, and misconfigurations. Nikto scans target servers and outputs results that can help identify security problems. It has advantages like being fast, versatile, and open source, while its only disadvantage is needing to run via the command line.
RIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPSorina Chirilă RIPS is a PHP static source code analyzer based on PIXY that detects vulnerabilities like SQL injection and cross-site scripting. It works by splitting code into tokens and tracing whether user-supplied data reaches sensitive sinks like vulnerable functions. RIPS has a simple web interface and detects vulnerabilities through case studies by preparing a local web site and running analysis. Future work includes improving support for object-oriented code and dynamic runtime analysis.
Recently uploaded (20)
Multi-currency in odoo accounting and Update exchange rates automatically in ...
Multi-currency in odoo accounting and Update exchange rates automatically in ...Celine George Most business transactions use the currencies of several countries for financial operations. For global transactions, multi-currency management is essential for enabling international trade.
Social Problem-Unemployment .pptx notes for Physiotherapy Students
Social Problem-Unemployment .pptx notes for Physiotherapy StudentsDrNidhiAgarwal Unemployment is a major social problem, by which not only rural population have suffered but also urban population are suffered while they are literate having good qualification.The evil consequences like poverty, frustration, revolution
result in crimes and social disorganization. Therefore, it is
necessary that all efforts be made to have maximum.
employment facilities. The Government of India has already
announced that the question of payment of unemployment
allowance cannot be considered in India
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACYDR.PRISCILLA MARY J NATIONAL HEALTH PROGRAMMEE
Biophysics Chapter 3 Methods of Studying Macromolecules.pdf
Biophysics Chapter 3 Methods of Studying Macromolecules.pdfPKLI-Institute of Nursing and Allied Health Sciences Lahore , Pakistan. This chapter provides an in-depth overview of the viscosity of macromolecules, an essential concept in biophysics and medical sciences, especially in understanding fluid behavior like blood flow in the human body.
Key concepts covered include:
✅ Definition and Types of Viscosity: Dynamic vs. Kinematic viscosity, cohesion, and adhesion.
⚙️ Methods of Measuring Viscosity:
Rotary Viscometer
Vibrational Viscometer
Falling Object Method
Capillary Viscometer
🌡️ Factors Affecting Viscosity: Temperature, composition, flow rate.
🩺 Clinical Relevance: Impact of blood viscosity in cardiovascular health.
🌊 Fluid Dynamics: Laminar vs. turbulent flow, Reynolds number.
🔬 Extension Techniques:
Chromatography (adsorption, partition, TLC, etc.)
Electrophoresis (protein/DNA separation)
Sedimentation and Centrifugation methods.
World war-1(Causes & impacts at a glance) PPT by Simanchala Sarab(BABed,sem-4...
World war-1(Causes & impacts at a glance) PPT by Simanchala Sarab(BABed,sem-4...larencebapu132 This is short and accurate description of World war-1 (1914-18)
It can give you the perfect factual conceptual clarity on the great war
Regards Simanchala Sarab
Student of BABed(ITEP, Secondary stage)in History at Guru Nanak Dev University Amritsar Punjab 🙏🙏
Geography Sem II Unit 1C Correlation of Geography with other school subjects
Geography Sem II Unit 1C Correlation of Geography with other school subjectsProfDrShaikhImran The correlation of school subjects refers to the interconnectedness and mutual reinforcement between different academic disciplines. This concept highlights how knowledge and skills in one subject can support, enhance, or overlap with learning in another. Recognizing these correlations helps in creating a more holistic and meaningful educational experience.
Exploring-Substances-Acidic-Basic-and-Neutral.pdf
Exploring-Substances-Acidic-Basic-and-Neutral.pdfSandeep Swamy Exploring Substances:
Acidic, Basic, and
Neutral
Welcome to the fascinating world of acids and bases! Join siblings Ashwin and
Keerthi as they explore the colorful world of substances at their school's
National Science Day fair. Their adventure begins with a mysterious white paper
that reveals hidden messages when sprayed with a special liquid.
In this presentation, we'll discover how different substances can be classified as
acidic, basic, or neutral. We'll explore natural indicators like litmus, red rose
extract, and turmeric that help us identify these substances through color
changes. We'll also learn about neutralization reactions and their applications in
our daily lives.
by sandeep swamy
To study Digestive system of insect.pptx
To study Digestive system of insect.pptxArshad Shaikh Education is one thing no one can take away from you.”
LDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini UpdatesLDM Mia eStudios As of Mid to April Ending, I am building a new Reiki-Yoga Series. No worries, they are free workshops. So far, I have 3 presentations so its a gradual process. If interested visit: https://www.slideshare.net/YogaPrincess
https://ldmchapels.weebly.com
Blessings and Happy Spring. We are hitting Mid Season.
apa-style-referencing-visual-guide-2025.pdf
apa-style-referencing-visual-guide-2025.pdfIshika Ghosh Title: A Quick and Illustrated Guide to APA Style Referencing (7th Edition)
This visual and beginner-friendly guide simplifies the APA referencing style (7th edition) for academic writing. Designed especially for commerce students and research beginners, it includes:
✅ Real examples from original research papers
✅ Color-coded diagrams for clarity
✅ Key rules for in-text citation and reference list formatting
✅ Free citation tools like Mendeley & Zotero explained
Whether you're writing a college assignment, dissertation, or academic article, this guide will help you cite your sources correctly, confidently, and consistent.
Created by: Prof. Ishika Ghosh,
Faculty.
📩 For queries or feedback: [email protected]
Michelle Rumley & Mairéad Mooney, Boole Library, University College Cork. Tra...
Michelle Rumley & Mairéad Mooney, Boole Library, University College Cork. Tra...Library Association of Ireland
To study the nervous system of insect.pptx
To study the nervous system of insect.pptxArshad Shaikh The *nervous system of insects* is a complex network of nerve cells (neurons) and supporting cells that process and transmit information. Here's an overview:
Structure
1. *Brain*: The insect brain is a complex structure that processes sensory information, controls behavior, and integrates information.
2. *Ventral nerve cord*: A chain of ganglia (nerve clusters) that runs along the insect's body, controlling movement and sensory processing.
3. *Peripheral nervous system*: Nerves that connect the central nervous system to sensory organs and muscles.
Functions
1. *Sensory processing*: Insects can detect and respond to various stimuli, such as light, sound, touch, taste, and smell.
2. *Motor control*: The nervous system controls movement, including walking, flying, and feeding.
3. *Behavioral responThe *nervous system of insects* is a complex network of nerve cells (neurons) and supporting cells that process and transmit information. Here's an overview:
Structure
1. *Brain*: The insect brain is a complex structure that processes sensory information, controls behavior, and integrates information.
2. *Ventral nerve cord*: A chain of ganglia (nerve clusters) that runs along the insect's body, controlling movement and sensory processing.
3. *Peripheral nervous system*: Nerves that connect the central nervous system to sensory organs and muscles.
Functions
1. *Sensory processing*: Insects can detect and respond to various stimuli, such as light, sound, touch, taste, and smell.
2. *Motor control*: The nervous system controls movement, including walking, flying, and feeding.
3. *Behavioral responses*: Insects can exhibit complex behaviors, such as mating, foraging, and social interactions.
Characteristics
1. *Decentralized*: Insect nervous systems have some autonomy in different body parts.
2. *Specialized*: Different parts of the nervous system are specialized for specific functions.
3. *Efficient*: Insect nervous systems are highly efficient, allowing for rapid processing and response to stimuli.
The insect nervous system is a remarkable example of evolutionary adaptation, enabling insects to thrive in diverse environments.
The insect nervous system is a remarkable example of evolutionary adaptation, enabling insects to thrive
Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...
Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...Library Association of Ireland
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Library Association of Ireland
Operations Management (Dr. Abdulfatah Salem).pdf
Operations Management (Dr. Abdulfatah Salem).pdfArab Academy for Science, Technology and Maritime Transport This version of the lectures is provided free of charge to graduate students studying the Operations Management course at the MBA level.
How to track Cost and Revenue using Analytic Accounts in odoo Accounting, App...
How to track Cost and Revenue using Analytic Accounts in odoo Accounting, App...Celine George Analytic accounts are used to track and manage financial transactions related to specific projects, departments, or business units. They provide detailed insights into costs and revenues at a granular level, independent of the main accounting system. This helps to better understand profitability, performance, and resource allocation, making it easier to make informed financial decisions and strategic planning.
Biophysics Chapter 3 Methods of Studying Macromolecules.pdf
Biophysics Chapter 3 Methods of Studying Macromolecules.pdfPKLI-Institute of Nursing and Allied Health Sciences Lahore , Pakistan.
Michelle Rumley & Mairéad Mooney, Boole Library, University College Cork. Tra...
Michelle Rumley & Mairéad Mooney, Boole Library, University College Cork. Tra...Library Association of Ireland
Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...
Niamh Lucey, Mary Dunne. Health Sciences Libraries Group (LAI). Lighting the ...Library Association of Ireland
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Library Association of Ireland
Operations Management (Dr. Abdulfatah Salem).pdf
Operations Management (Dr. Abdulfatah Salem).pdfArab Academy for Science, Technology and Maritime Transport
A5-Security misconfiguration-OWASP 2013
- 2. About ● “ This happens when the system admins , DBAs and developers leave security holes in the configuration of computer systems. ” A5 http://www.inteco.es htts://www.inteco.es
- 3. Idea(1) Attacker accesses : ● ● ● ● default accounts, unused pages, unpatched flaws, unprotected files and directories. Security misconfiguration can happen at any level on an application stack: ● ● ● ● ● including the platform, web & application server, database, framework, custom code.
- 5. Example ● Get information about server type or current web development language .
- 6. Typical attack approach ● ● Find information related to : OS type and version, libraries, tools, Web server type ,web development language, And then
- 7. How to prevent ? ● ● ● ● ● ● ● ● ● ● Remove/ change default credentials, Keep up to date software, Look for disabling unused components or services, Take in consideration automated scanners(OpenVAS, WATOBO,WebScarab, https://asafaweb. com/), Setup a process for security updates, Use minimal privileges everywhere, Remove all unused pages and user accounts, Create whitelist pages, Update patches(small piece of software used to correct a problem with OS for example), Review configuration default for : frameworks, db, web server ….
- 8. Case studies
- 10. Thank You!