The document discusses security misconfiguration as the sixth most dangerous web application vulnerability according to the OWASP Top 10. It defines security misconfiguration as improper configuration settings that can enable attacks. The document outlines how attackers exploit default passwords and privileges, and provides examples of misconfigured systems. It recommends ways to prevent misconfiguration like changing defaults, deleting unnecessary accounts, and keeping systems updated. The document demonstrates how to detect hidden URLs and directory listings using Burp Suite and concludes that misconfiguration poses a high risk if not properly safeguarded against.

1. Security
Misconfiguration
By Megha Sahu

2. About me
• Chapter Lead at Null Bhopal.
• Pursuing BE in 4th year from UIT-RGPV.
• Cyber Security Enthusiast.
• Current Studying Machine Leaning.
• Twitter handle @meghasahu24
• Null profile megha-sahu

3. Overview
1. What is OWASP Top 10
2. List of OWASP top 10[2017]
3. Introduction to Security Misconfiguration
4. Typical Attack approach
5. How we protect our selves?
6. Demo
1. Hidden URL
2. Directory Listing
7. Conclusion

4. What is OWASP top 10
• OWASP stand for Open Web Application Security Project.
• OWASP Top 10 is a powerful awareness document for web application security.
• The materials they offer include documentation, tools, videos, and forums are
freely available and easily accessible on their website.
• It is a regularly-updated report outlining security concerns for web application
security, focusing on the 10 most critical risks.

5. .
• A1:-Injection
• A2:-Broken Authentication
• A3:-Sensitive Data Exposure
• A4:-XML External Entities (XXE)
• A5:-Broken Access Control
• A6:-Security Misconfiguration
• A7:-Cross-Site Scripting (XSS)
• A8:-Insecure Deserialization
• A9:-Using Components with Known Vulnerabilities
• A10:-Insufficient Logging & Monitoring

6. Introduction to Security Misconfiguration
• Misconfiguration is define as configuration mistakes that results in unintended
application behavior that includes misuse of default passwords, privileges, and
excessive debugging information disclosure.
• This happens when the system administrators, DBAs or developers leave security
holes in the configuration.
• Good security required proper configuration of systems.

7. .
Security misconfiguration can happen at any level of an application stack, including:
• The Platform
• Web Server
• Application Server
• Framework
• Custom Code
Developers and system administrators need to work together to ensure that the entire stack
is configured properly.

8. Typical attack approach
• Find information related to :
 OS type and version
Libraries
Tools
Web server type
web development language
And then

9. • When you install an OS or server tool ,it has a default root account with a default
password.
• Examples:
Windows - "Administrator“ & "Administrator“
SQL Server - “ sa “ & no password
Oracle "MASTER“ & "PASSWORD“
Apache "root“ & “ change this“
Make sure you change these passwords! Completely delete the accounts when
possible

10. How we protect our selves?
Do not use default credentials.
Delete unused pages and user accounts.
Restrict roles and privileges.
Stay up-to date on patches.
Turn off unused services.
Scans and audits(a popular open source tool for Linux is Security Onion)
Restrict default configuration options.
Strong encryption.
Consider internal attackers as well as external.
Disable directory listings.

12. Burp Suite

13. Example 1:
• AIM : To find the hidden URL in the Web Application
• Requirement:
oVirtual Machine
• OWASP broken web application
• OWASP web testing environment
oBurp suite community Addition
oFoxy proxy standard Add-on

14. Example 2 :
• AIM : To find the Directory listing in the Web Application
• Requirement:
oVirtual Machine
• OWASP broken web application
• OWASP web testing environment
oBurp suite community Addition
oFoxy proxy standard Add-on

15. Conclusion
• Security misconfiguration or poorly configured security controls, could allow
malicious users to change your website, obtain unauthorized access, compromise
files, or perform other unintended actions.
• Risk: The prevalence of web application misconfiguration is very high in IT
industry.
• Priority: Safeguarding web application from malicious users and attacks.

16. References
• https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Pro
ject
• https://support.portswigger.net/customer/portal/articles/1965728-using-
burp-to-test-for-security-misconfiguration-issues
• https://www.youtube.com/watch?v=vheGnopQm6s&t=514s
• https://www.cloudflare.com/learning/security/threats/owasp-top-10/
• https://resources.infosecinstitute.com/2017-owasp-a6-update-security-
misconfiguration/#gref
• https://bounty.github.com/classifications/security-misconfiguration.html
• https://www.youtube.com/watch?v=ouuXu9_UM0w