Application misconfiguration attacks exploit configuration weaknesses found in web 
applications. 
Misconfiguration is defined as configuration mistakes that result in unintended 
application behavior, including the use of default passwords, excessive privileges, and 
disclosure of excessive debugging information. 
The effects of misconfiguration can be harmless, but they can also lead to service 
outages, loss of sensitive data, and other serious problems.
 Top 10 2013-A5 Security Misconfiguration by OWASP 
 Top 10 2010-A6 Security Misconfiguration by OWASP 
 OWASP defines this risk as being easily exploitable, common in prevalence, easily 
detectable, with moderate impact.
 Can be severe. 
 Partial or full data loss. 
 Data modification. 
 Compromise of full system. 
 Expensive recovery.
Default options are always an easy target for attackers. Users very 
often leave the default password unchanged or do not delete the 
default user ID. 
Some applications ship with a default port number as well. 
Example: a default Oracle database installation includes a default user 
ID and password (user/schema: scott, password: tiger) and the default port 
number 1521.
Revealing too much debugging information is a very common misconfiguration 
problem. This usually does not result directly in the exploitation of a system, but 
attackers can collect extra information from it, such as the internal workings of an 
application and version numbers. 
Attackers can use this excessive debugging information to craft the SQL for a 
SQL injection attack. Also, when an application fails to perform an action, its error 
output can leak sensitive information.
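As an added example (not from the slides), the handler below shows what a leaked stack trace looks like next to the hardened behaviour: the full traceback stays in the server log under a correlation id and the client sees only that id. The handler, the settings flag and the failing lookup are constructed for the example.

```python
"""Added example: excessive debugging information disclosure versus a
hardened error handler.  Everything here is constructed for illustration;
the failing lookup imitates the kind of internal detail (driver version,
table name) that verbose error pages hand to an attacker."""
import logging
import traceback
import uuid
from typing import Tuple

log = logging.getLogger("app.errors")


class OrderLookupError(Exception):
    """Constructed stand-in for a failure deep inside the application."""


def load_order(order_id: str) -> dict:
    # Constructed failure: the message carries internal detail on purpose.
    raise OrderLookupError(
        f"dbdriver 1.2: relation 'orders_v2' has no row for id={order_id}"
    )


def handle_request(order_id: str, debug: bool) -> Tuple[int, str]:
    """Return (status, body) for a request such as GET /orders/<id>.

    debug=True mirrors a framework left in debug mode: the raw traceback is
    sent to the client.  debug=False is the hardened behaviour: the traceback
    is logged with a correlation id and the client only sees that id.
    """
    try:
        order = load_order(order_id)
        return 200, str(order)
    except Exception:
        if debug:
            # Misconfiguration: the client receives the full stack trace.
            return 500, traceback.format_exc()
        incident_id = uuid.uuid4().hex
        # Full detail stays server-side, keyed by the id shown to the user.
        log.error("incident %s: %s", incident_id, traceback.format_exc())
        return 500, f"Something went wrong. Reference: {incident_id}"


def leaks_internals(body: str) -> bool:
    """Crude check a test or reviewer can run against an error response."""
    markers = ("Traceback", 'File "', "dbdriver", "orders_v2")
    return any(marker in body for marker in markers)
```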
Role misconfiguration is another leading cause of web application misconfiguration. 
It lets groups or roles access settings or records that were not intended for 
them. There are many reasons for role misconfiguration; complex business roles and 
policies are often to blame. 
Example: allowing administrative staff to view human resources data.
Human mistakes are frequent and unavoidable and can account for up to 43% of all 
system failures. 
Operator error is the main reason for downtime at large websites such as Google, 
MSN, and Yahoo. Proper interfaces and good design can drastically reduce operator 
mistakes. 
Poorly designed application interfaces and overly tight restrictions may force users to 
attempt to bypass security when they need to accomplish a goal.
Security misconfiguration may happen at any of the following levels: 
 Operating system or platform 
 Web server 
 Application server 
 Database server 
 Framework 
 Custom code
Hidden form fields are often used to carry a user's session state without the need to 
maintain a complex database on the server side. 
In hidden field manipulation, ordinary users do not see or modify the hidden field, but 
an attacker does. 
Once the field has been altered, the application acts on the modified information rather 
than on the real data. Example: altering a product price or SKU number.
Parameter tampering is based on manipulating application parameters exchanged between the client and 
the server. It is a form of web-based attack in which certain parameters in the URL 
or in a web application page, entered by an authorized user, are changed by an attacker without 
the user's authorization. 
Attackers take advantage of hidden or fixed fields and modify parameters, 
bypassing the security mechanisms. 
Once this happens, the web application acts on the modified information and allows 
access to the user's data. Example: arbitrarily manipulating a user's selection from a 
field's values, such as a check box or combo box.
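The hidden price field and the combo box selection described above, as an added example that is not part of the slides: a checkout handler that trusts the client's hidden `price` field, beside one that recomputes the total from a server-side catalog and rejects any selection the server never offered. The catalog, form fields, prices and limits are constructed for the example.

```python
"""Added example: hidden field manipulation and parameter tampering, with
the vulnerable pattern next to the hardened one.  Catalog and form data
are constructed; no real shop or framework is involved."""
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only trustworthy source of prices.
CATALOG = {
    "SKU-1001": {"name": "USB cable", "price": Decimal("9.99")},
    "SKU-2002": {"name": "Laptop", "price": Decimal("1299.00")},
}
# The options the server rendered into the shipping combo box.
ALLOWED_SHIPPING = {"standard", "express"}
EXPRESS_SURCHARGE = Decimal("15.00")


class TamperedRequest(ValueError):
    """Raised when a submitted value cannot have come from the rendered form."""


def vulnerable_checkout(form: dict) -> Decimal:
    """Trusts the hidden 'price' field that was rendered into the HTML form.

    A resubmitted POST with price=0.01 is charged 0.01: the server acts on
    the modified information rather than on the real catalog data.
    """
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty


def hardened_checkout(form: dict) -> Decimal:
    """Recomputes everything from server-side data.

    Every client-supplied value is validated against what the server offered,
    and the client's 'price' is never used for the total.
    """
    sku = form.get("sku")
    if sku not in CATALOG:
        raise TamperedRequest(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise TamperedRequest("qty is not an integer")
    if not 1 <= qty <= 100:
        raise TamperedRequest(f"qty {qty} out of range")
    shipping = form.get("shipping")
    if shipping not in ALLOWED_SHIPPING:
        raise TamperedRequest(f"shipping {shipping!r} was not offered")
    # If the form still carries a price, a mismatch with the catalog is a
    # strong tampering signal worth rejecting and logging.
    if "price" in form:
        try:
            claimed = Decimal(form["price"])
        except InvalidOperation:
            raise TamperedRequest("price is not a number")
        if claimed != CATALOG[sku]["price"]:
            raise TamperedRequest("client price does not match catalog")
    total = CATALOG[sku]["price"] * qty
    if shipping == "express":
        total += EXPRESS_SURCHARGE
    return total


def is_rejected(form: dict) -> bool:
    """True when the hardened handler refuses the submitted form."""
    try:
        hardened_checkout(form)
    except TamperedRequest:
        return True
    return False
```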
Cookie poisoning is the act of manipulating or forging a cookie in order to bypass security 
measures or to send false information to a server. 
Cookies are common elements of web applications and are used to save 
information such as user IDs, account numbers, time stamps, and passwords. The 
saved information is stored on the user's hard drive. 
Cookies are not cryptographically secure in themselves, so an attacker can modify a user's 
information by editing the cookie file.
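One standard mitigation for the cookie editing described above, as an added example that is not from the slides: every cookie value carries an HMAC tag computed under a server-side key, so a value edited on the client's disk no longer verifies. The key, the cookie contents and the tampering helper used to exercise the check are constructed for the example.

```python
"""Added example: HMAC-signed cookie values that detect client-side edits.
The secret key and the payloads are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for the example; a real deployment loads it from a
# secret store and never ships a default value.
SECRET_KEY = b"example-only-key-rotate-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(payload: dict) -> bytes:
    # Stable serialisation so the same payload always yields the same tag.
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


def sign_cookie(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Return '<base64 payload>.<base64 HMAC-SHA256 tag>' with an issue time."""
    stamped = {**payload, "ts": int(time.time())}
    body = _b64(_canonical(stamped))
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY,
                  max_age: int = 3600) -> Optional[dict]:
    """Return the payload if the tag is valid and the cookie is fresh, else None."""
    try:
        body, tag = cookie.rsplit(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; any edit to body or tag fails here.
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed base64, JSON or structure
    if not isinstance(payload, dict) or not isinstance(payload.get("ts"), int):
        return None
    if time.time() - payload["ts"] > max_age:
        return None  # stale cookie: limits replay of an old value
    return payload


def tampered_copy(cookie: str, field: str, value) -> str:
    """Constructed test fixture: the edit a user could make to the cookie file
    on disk (change one payload field, keep the old tag)."""
    body, tag = cookie.rsplit(".", 1)
    payload = json.loads(_unb64(body))
    payload[field] = value
    return f"{_b64(_canonical(payload))}.{tag}"
```

Signing only proves integrity; a payload that must stay confidential (a password, for instance) should not be stored in the cookie at all.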
Another class of attack is a set of techniques that allows attackers to exploit parsing problems in server-side 
scripts to change the code executed by the server. 
It is primarily used to execute operating system commands, allowing complete 
takeover of the server. 
Likely targets are server-side includes, parsed scripts, code that appears to take input 
and turn it into OS commands, and anything that takes parameters and turns them into 
parsed protocols.
This attack aims to enumerate and access resources that are not referenced 
by the application but are still accessible. 
An attacker can use brute-force techniques to search for unlinked content in the 
domain directory, such as temporary directories and files, and old backup and 
configuration files. 
Inadequate enforcement of authorization on all restricted URLs, scripts, or files 
is to blame.
Applications contain code left in for debugging purposes, and some even contain code 
left behind by disgruntled employees. 
Debug options constitute entry points that allow an attacker access to the application. 
Backdoors effectively allow visitors to log into an application without a 
password, and that access grants them many other privileges.
Is your software out of date? 
Any unnecessary features enabled? 
Are default accounts and associated credentials unchanged? 
Does error handling reveal stack traces to users? 
Are the security settings not set to secure values?
 Do not use default credentials. 
 Avoid default installations. 
 Maintain consistency of configuration between versions. 
 Restrict default configuration options. 
 Avoid default port numbers. 
 Restrict roles and privileges. 
 Centralize configuration as much as possible. 
 Scans and audits. 
 Strong encryption.
 Design application functionality with security in mind. 
 Extends development time. 
 Practice defensive coding. 
 Review code to ensure security properties. 
 Stay up to date with coding standards compliance. 
 Consistent design and implementation. 
 Finding security issues/bugs early.
 Attention to detail. 
 Each component should be checked and verified. 
 Turn off unsafe features. 
 Remove default accounts and expire default passwords. 
 Stress testing. 
 Penetration testing. 
 Both automatic and manual testing.
 Keep applications up to date. 
 Apply vendor patches on time. 
 Apply critical security and vulnerability fixes regularly. 
 Educate developers, administrators, and testers. 
 Participate in security training. 
 Attend security conferences. 
 Subscribe to vendors’ security alerts.
Risk: The prevalence of web application misconfiguration is very high in IT 
industry. 
Priority: Safeguarding web application from malicious users and attacks. 
 Avoid: Security misconfiguration 
Do’s: Follow IT security best practices, use common sense, have a good 
understanding of application security, practice good design principles and defensive 
coding, and, as always, ensure the proper security configuration of the application.
 What are the standard methods or procedures for monitoring application security 
misconfiguration? 
 How frequently do we need to review, audit, and scan the security configuration? 
 Do you prefer a default or a custom application installation? Please explain why or why 
not.
 Whitelegg, D. (2014, June 17). Scan your app to find and fix OWASP Top 10 2013 vulnerabilities. Retrieved September 17, 2014, from http://www.ibm.com/developerworks/library/se-owasp-top10/index.html 
 Auger, R. (2010, January 1). Application Misconfiguration. Retrieved September 15, 2014, from http://projects.webappsec.org/w/page/13246914/Application Misconfiguration 
 Henneberger, D. (2012, January 1). Misconfiguration of Web Applications: A View of Security. Retrieved September 15, 2014, from http://danielhenneberger.com/dist/papers/misconfiguration.pdf 
 How Misconfiguration Can Leave You Vulnerable to Attackers - Calavista Software. (2014, January 1). Retrieved September 22, 2014, from http://www.calavista.com/misconfiguration-can-leave-vulnerable-attackers/ 
 Pasho, A. (2011, June 22). Is Your Web Site or App Secure? Avoiding Security Misconfiguration. Retrieved September 20, 2014, from http://blog.makingsense.com/2011/06/is-your-web-site-or-app-secure-avoiding-security-misconfiguration/ 
 Kerner, S. (2014, February 3). App Misconfiguration, Mobile Apps With Poor Encryption Pose Risks, HP. Retrieved September 23, 2014, from http://www.eweek.com/security/app-misconfiguration-mobile-apps-with-poor-encryption-pose-risks-hp.html 
 Misconfigurations: The Firewall’s Greatest Threat. (2012, December 3). Retrieved September 24, 2014, from http://www.firemon.com/blog/firewall-management/misconfigurations-the-firewalls-greatest-threat 
 Weldermariam, K. (2014, January 1). Early Detection of Security Misconfiguration Vulnerabilities in Web Applications. Retrieved September 25, 2014, from http://www.academia.edu/2719069/Early_Detection_of_Security_Misconfiguration_Vulnerabilities_in_Web_Applications 
 Brady, P. (2014, January 1). PHP Security: Default Vulnerabilities, Security Omissions and Framing Programmers? Retrieved September 25, 2014, from http://phpsecurity.readthedocs.org/en/latest/_articles/PHP-Security-Default-Vulnerabilities-Security-Omissions-And-Framing-Programmers.html 
 Statistics reference: http://securityaffairs.co/wordpress/16557/hacking/statistics-on-web-application-vulnerabilities-statistics-2013.html 
 Reshef, E. (n.d.). Internet Application Security. Retrieved September 29, 2014, from http://www.cgisecurity.com/lib/IAS.pdf 
 Cookie Poisoning. (n.d.). Retrieved October 1, 2014, from http://security.radware.com/knowledge-center/DDoSPedia/cookie-poisoning/ 
 Behringer, M. (n.d.). Understanding Operational Security. Retrieved September 24, 2014, from http://www.cisco.com/web/about/security/intelligence/opsecurity.html 
 Cookie Poisoning | Hacker4Lease. (2012, January 1). Retrieved October 1, 2014, from http://www.hacker4lease.com/attack-methods/cookie-poisoning/ 
 Top 10 2013-A5-Security Misconfiguration. (2013, June 23). Retrieved September 14, 2014, from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration 
 Cover photo: Tariqul Islam
Arihant handbook biology for class 11 .pdf
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 

A5: Security Misconfiguration

  • 9. Human mistakes are frequent and unavoidable and can account for up to 43% of all system failures. Operator error is the main reason for downtime at large websites such as Google, MSN, and Yahoo. Proper interfaces and good design can drastically reduce operator mistakes. Poorly designed application interfaces and overly tight restrictions may push users to work around or bypass security controls when they need to accomplish a goal.
  • 10. Security misconfiguration may happen at any of the following levels:
    - Operating system or platform
    - Web server
    - Application server
    - Database server
    - Framework
    - Custom code
  • 11. Hidden form fields are often used to carry state between requests (for example a user's session or the items of an order) without maintaining a complex database on the server side. Normal users neither see nor modify hidden fields, but nothing prevents an attacker from editing them before the form is submitted. Once tampered with, the application acts on the modified values rather than on the real data. Example: altering a product price or SKU number carried in a hidden field.
  • 12. Parameter tampering is based on manipulating the application parameters exchanged between client and server. Attackers change parameters in the URL or in the page that were set for an authorized user, taking advantage of hidden or fixed fields to bypass client-side security mechanisms. The web application then acts on the modified values and may grant access to other users' data. Example: arbitrarily changing a user's selection in a field whose values were meant to be fixed, such as a check box or combo box.
  • 13. Cookie poisoning is the act of manipulating or forging a cookie to bypass security measures or to send false information to a server. Cookies are common in web applications and are used to hold information such as a user ID, account numbers, time stamps, and sometimes even passwords (storing a password in a cookie is itself a misconfiguration). Persistent cookies are stored on the user's hard drive, where they can be edited at will. A cookie is plain text under the client's control: unless the server signs or encrypts it, an attacker can change its contents and the server will trust the result.
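The three attacks on slides 11 to 13 share one root cause: the server trusts a value that the client can edit. The following is an added example written for this page (not code from the slides or from any cited source) showing a hidden price field being tampered with, the server-side lookup that makes the tampering irrelevant, and an HMAC-signed cookie that lets the server detect a poisoned cookie. The catalogue, the form contents and the cookie key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side catalogue (prices in cents). The price authority
# lives here, never in a hidden form field the client can edit.
CATALOGUE = {"SKU-100": 4999, "SKU-200": 12500}


def order_total_vulnerable(form: dict) -> int:
    """Trusts the hidden 'price' field: a tampered form sets its own price."""
    return int(form["price"]) * int(form["qty"])


def order_total_hardened(form: dict) -> int:
    """Ignores any client-supplied price; looks the SKU up server-side and
    range-checks the one value the client legitimately controls."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown SKU")
    qty = int(form.get("qty", 0))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


# Assumed server secret for the example; in a real deployment it is loaded
# from a secret store and rotated, never generated at import time.
COOKIE_KEY = secrets.token_bytes(32)


def sign_cookie(value: str, key: bytes = COOKIE_KEY) -> str:
    """Append an HMAC-SHA256 tag so any change to the value is detectable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie: str, key: bytes = COOKIE_KEY):
    """Return the cookie value if its tag verifies, otherwise None.
    compare_digest avoids leaking the position of the first mismatch."""
    value, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return value


if __name__ == "__main__":
    # The attacker edits the hidden price field from 4999 to 1 before submitting.
    tampered = {"sku": "SKU-100", "qty": "2", "price": "1"}
    print("vulnerable total:", order_total_vulnerable(tampered))  # 2
    print("hardened total:  ", order_total_hardened(tampered))    # 9998

    cookie = sign_cookie("uid=42;role=user")
    forged = cookie.replace("role=user", "role=admin")
    print("genuine:", verify_cookie(cookie))  # uid=42;role=user
    print("forged: ", verify_cookie(forged))  # None
```

Signing only protects integrity; the cookie value is still readable by the client, so anything secret (a password, an internal account number) must not be placed in it even when signed. Encrypt-then-MAC, or an opaque server-side session ID, is the answer when confidentiality is also needed.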
  • 14. Command injection is a set of techniques that exploit parsing problems in server-side scripts to change the code executed by the server. It is primarily used to execute operating system commands, which can allow a complete takeover of the server. Likely targets are server-side includes, parsed scripts, code that takes user input and turns it into OS commands, and anything that takes parameters and turns them into parsed protocols.
  • 15. Predictable resource location (forced browsing) is an attack whose aim is to enumerate and access resources that the application does not link to but that are still reachable. An attacker can use brute-force techniques to search for unlinked content under the document root, such as temporary directories and files, old backups, and configuration files. Inadequate enforcement of authorization on every restricted URL, script, or file is to blame.
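The "code that takes input and turns it into OS commands" case from slide 14, as an added example written for this page (not from the slides or any cited source). The vulnerable variant pastes the user's value into a string that a shell would parse; the hardened variant validates against an allow-list and passes the value as a single argv element with no shell involved. The hostname pattern and the ping invocation are assumptions for the example.

```python
import re
import subprocess

# Hostname or IPv4 literal: alphanumeric labels joined by dots. This excludes
# every shell metacharacter and a leading '-', so the value cannot be parsed
# as an option either.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_vulnerable(host: str) -> str:
    """Builds the command line the way a vulnerable script does: the host is
    interpolated into a string that the shell will parse, so a value such as
    '127.0.0.1; id' runs a second command. Returned, not executed."""
    return f"ping -c 1 {host}"  # a vulnerable script would pass this to subprocess.run(..., shell=True)


def build_ping_argv(host: str) -> list:
    """Validate the input against the allow-list, then hand it over as one
    argv element. No shell sees it, so ';', '|', '$(...)' and backticks are inert."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def ping(host: str) -> int:
    """Run the hardened command and return its exit status."""
    argv = build_ping_argv(host)
    return subprocess.run(argv, capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    payload = "127.0.0.1; id"
    print(ping_command_vulnerable(payload))  # ping -c 1 127.0.0.1; id
    try:
        build_ping_argv(payload)
    except ValueError as exc:
        print("hardened:", exc)
    print(build_ping_argv("example.com"))  # ['ping', '-c', '1', 'example.com']
```

The allow-list is the important part: escaping alone is fragile because the set of characters that matter depends on which shell, which locale and which downstream parser sees the string.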
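Forced browsing leaves a distinctive trail: one client requesting many unlinked backup, archive and dotfile paths and collecting 404s, with the occasional 200 marking something that was actually exposed. The following is an added example written for this page (not from the slides or any cited source) that runs that detection logic over a constructed sample of access-log lines in the common log format; the sample traffic, the IP addresses and the probe threshold are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). 203.0.113.7 probes for
# unlinked files and finds an exposed .git directory; 198.51.100.2 is normal.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /config.php.bak HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /admin/ HTTP/1.1" 403 153
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.git/config HTTP/1.1" 200 92
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /products?id=7 HTTP/1.1" 200 2210
198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "GET /cart HTTP/1.1" 200 880
"""

# client, method, path and status from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Paths that legitimate users never request but enumeration wordlists always try.
SENSITIVE_RE = re.compile(r"""(
    \.(bak|old|orig|swp|sql|zip|tar|gz|tgz)$     # backups and archives
  | ~$                                           # editor backup copies
  | /\.(env|git|svn|hg|htpasswd|htaccess)(/|$)   # dotfiles and VCS metadata
  | /(phpinfo\.php|web\.config|config\.php)$     # config and debug scripts
)""", re.VERBOSE | re.IGNORECASE)


def parse_line(line: str):
    """Return (ip, method, path-without-query, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path.split("?", 1)[0], int(status)


def analyse(log_text: str, min_probes: int = 3) -> dict:
    """Flag clients that request several sensitive paths, list any such path
    that was served successfully, and count 403/404 misses per client."""
    probes = defaultdict(list)
    misses = defaultdict(int)
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path, status = rec
        if SENSITIVE_RE.search(path):
            probes[ip].append(path)
            if status == 200:
                exposed.append((ip, path))  # the misconfiguration that matters
        if status in (403, 404):
            misses[ip] += 1
    suspects = {ip: paths for ip, paths in probes.items() if len(paths) >= min_probes}
    return {"suspects": suspects, "exposed": exposed, "misses": dict(misses)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, paths in report["suspects"].items():
        print(f"{ip}: {len(paths)} sensitive probes, {report['misses'].get(ip, 0)} misses")
    for ip, path in report["exposed"]:
        print(f"EXPOSED: {path} served 200 to {ip}")
```

The "exposed" list is the finding to act on: an alert on the scanner is useful, but the 200 response means the server is serving a file that should have been removed from the document root or denied by configuration.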
  • 16. Applications may contain code left in for debugging purposes, and some even contain code left by disgruntled employees. Debug options are entry points that can give an attacker access to the application. Backdoors typically allow a visitor to log in without a password and grant many other privileges. Both must be removed before deployment, not merely switched off in configuration.
  • 17. Questions to ask:
    - Is your software out of date?
    - Are any unnecessary features enabled?
    - Are default accounts and their credentials unchanged?
    - Does error handling reveal stack traces to users?
    - Are the security settings left at insecure values?
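Most of the checklist on slide 17 can be automated against a deployment's configuration files. The following is an added example written for this page (not from the slides or any cited source): an audit over two constructed INI fragments, one carrying the weak settings the slides describe (debug on, stack traces shown, the Oracle scott/tiger default account and port 1521 named on slide 6, directory listing and server version banners on) and one with the corrected values. The INI layout, the key names and the replacement port are assumptions for the example; the non-Oracle default credential pairs are illustrative.

```python
import configparser

# Constructed INI fragments (illustrative, not from any real deployment).
WEAK_CONFIG = """
[app]
debug = true
show_stack_traces = true

[database]
user = scott
password = tiger
port = 1521

[server]
directory_listing = on
server_tokens = on
"""

HARDENED_CONFIG = """
[app]
debug = false
show_stack_traces = false

[database]
user = orders_svc
password = ${DB_PASSWORD}
port = 15210

[server]
directory_listing = off
server_tokens = off
"""

# scott/tiger and port 1521 are the Oracle defaults named on slide 6; the
# remaining pairs are commonly shipped vendor defaults, included as examples.
DEFAULT_CREDENTIALS = {("scott", "tiger"), ("admin", "admin"), ("root", ""), ("sa", "")}
DEFAULT_DB_PORTS = {1521}


def audit(config_text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)  # ${DB_PASSWORD} stays literal
    cp.read_string(config_text)
    findings = []

    if cp.getboolean("app", "debug", fallback=False):
        findings.append("app.debug is enabled")
    if cp.getboolean("app", "show_stack_traces", fallback=False):
        findings.append("app.show_stack_traces exposes stack traces to users")

    creds = (cp.get("database", "user", fallback=""),
             cp.get("database", "password", fallback=""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append(f"database uses default credentials {creds[0]!r}/{creds[1]!r}")
    if cp.getint("database", "port", fallback=0) in DEFAULT_DB_PORTS:
        findings.append("database listens on a vendor default port")

    if cp.getboolean("server", "directory_listing", fallback=False):
        findings.append("server.directory_listing is enabled")
    if cp.getboolean("server", "server_tokens", fallback=False):
        findings.append("server.server_tokens reveals version information")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(text)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Changing the port is obscurity rather than a control; the check is here because the slides list it, but the credential and debug findings are the ones that decide whether the system is exposed. The hardened fragment also shows the password being injected from the environment rather than stored in the file, which is what makes the credential check pass.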
  • 18. Configuration:
    - Do not use default credentials.
    - Avoid default installations.
    - Maintain consistency of configuration between versions.
    - Restrict default configuration options.
    - Avoid default port numbers.
    - Restrict roles and privileges.
    - Centralize configuration as much as possible.
    - Scan and audit regularly.
    - Use strong encryption.
  • 19. Design and development:
    - Design application functionality with security in mind, even though it extends development time.
    - Practice defensive coding.
    - Review code to ensure its security properties.
    - Stay up to date with coding standards and compliance requirements.
    - Keep design and implementation consistent.
    - Find security issues and bugs early.
  • 20. Testing:
    - Attention to detail: each component should be checked and verified.
    - Turn off unsafe features.
    - Remove default accounts and expire default passwords.
    - Stress testing.
    - Penetration testing.
    - Both automated and manual testing.
  • 21. Maintenance:
    - Keep applications up to date.
    - Apply vendor patches on time.
    - Apply critical security and vulnerability fixes regularly.
    - Educate developers, administrators, and testers.
    - Participate in security training.
    - Attend security conferences.
    - Subscribe to vendors' security alerts.
  • 22. Risk: the prevalence of web application misconfiguration in the IT industry is very high. Priority: safeguarding web applications from malicious users and attacks. Avoid: security misconfiguration. Do's: follow IT security best practices, use common sense, understand application security, practice good design principles and defensive coding, and, as always, ensure the application's security configuration is correct.
  • 23. Discussion questions:
    - What are the standard methods or procedures to monitor application security misconfiguration?
    - How frequently do we need to review, audit, and scan the security configuration?
    - Do you prefer default or custom application installation? Please explain why or why not.
  • 24. References (slides 24-26):
    - Whitelegg, D. (2014, June 17). Scan your app to find and fix OWASP Top 10 2013 vulnerabilities. Retrieved September 17, 2014, from http://www.ibm.com/developerworks/library/se-owasp-top10/index.html
    - Auger, R. (2010, January 1). Application Misconfiguration. Retrieved September 15, 2014, from http://projects.webappsec.org/w/page/13246914/Application Misconfiguration
    - Henneberger, D. (2012, January 1). Misconfiguration of Web Applications: A View of Security. Retrieved September 15, 2014, from http://danielhenneberger.com/dist/papers/misconfiguration.pdf
    - How Misconfiguration Can Leave You Vulnerable to Attackers - Calavista Software. (2014, January 1). Retrieved September 22, 2014, from http://www.calavista.com/misconfiguration-can-leave-vulnerable-attackers/
    - Pasho, A. (2011, June 22). Is Your Web Site or App Secure? Avoiding Security Misconfiguration. Retrieved September 20, 2014, from http://blog.makingsense.com/2011/06/is-your-web-site-or-app-secure-avoiding-security-misconfiguration/
    - Kerner, S. (2014, February 3). App Misconfiguration, Mobile Apps With Poor Encryption Pose Risks, HP. Retrieved September 23, 2014, from http://www.eweek.com/security/app-misconfiguration-mobile-apps-with-poor-encryption-pose-risks-hp.html
    - Misconfigurations: The Firewall's Greatest Threat. (2012, December 3). Retrieved September 24, 2014, from http://www.firemon.com/blog/firewall-management/misconfigurations-the-firewalls-greatest-threat
    - Weldermariam, K. (2014, January 1). Early Detection of Security Misconfiguration Vulnerabilities in Web Applications. Retrieved September 25, 2014, from http://www.academia.edu/2719069/Early_Detection_of_Security_Misconfiguration_Vulnerabilities_in_Web_Applications
    - Brady, P. (2014, January 1). PHP Security: Default Vulnerabilities, Security Omissions and Framing Programmers? Retrieved September 25, 2014, from http://phpsecurity.readthedocs.org/en/latest/_articles/PHP-Security-Default-Vulnerabilities-Security-Omissions-And-Framing-Programmers.html
    - Statistics reference: http://securityaffairs.co/wordpress/16557/hacking/statistics-on-web-application-vulnerabilities-statistics-2013.html
    - Reshef, E. (n.d.). Internet Application Security. Retrieved September 29, 2014, from http://www.cgisecurity.com/lib/IAS.pdf
    - Cookie Poisoning. (n.d.). Retrieved October 1, 2014, from http://security.radware.com/knowledge-center/DDoSPedia/cookie-poisoning/
    - Behringer, M. (n.d.). Understanding Operational Security. Retrieved September 24, 2014, from http://www.cisco.com/web/about/security/intelligence/opsecurity.html
    - Cookie Poisoning | Hacker4Lease. (2012, January 1). Retrieved October 1, 2014, from http://www.hacker4lease.com/attack-methods/cookie-poisoning/
    - Top 10 2013-A5-Security Misconfiguration. (2013, June 23). Retrieved September 14, 2014, from https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
    - Cover photo: Tariqul Islam