Security Testing Tutorial

Security Misconfiguration

Security misconfiguration arises when security settings are defined, implemented, and maintained as defaults rather than deliberately hardened. Good security requires a secure configuration to be defined and deployed for the application, web server, database server, and platform. Keeping the software up to date is equally important.

(Image: security misconfiguration)

Example

Some classic examples of security misconfiguration are given below −

  1. If directory listing is not disabled on the server and an attacker discovers this, the attacker can simply list directories to find any file and execute it. It is also possible to obtain the actual code base, which contains all your custom code, and then find serious flaws in the application.

  2. The application server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers harvest the extra information that such error messages provide, which is often enough for them to penetrate the application.

  3. Application servers usually ship with sample applications that are not well secured. If they are not removed from the production server, they can result in your server being compromised.
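The second example, stack traces reaching the client, is illustrated by the following added Python example. It is not code from this tutorial or from WebGoat: `lookup_price`, the two handler names and the in-memory log sink are constructed for illustration. The leaky handler shows the misconfigured behaviour, the hardened handler logs the full traceback server-side under a correlation id and returns only that id to the client, and `body_leaks_internals` is a simple detection rule a test suite can run over responses to catch the leak before release.

```python
import logging
import traceback
import uuid

# Constructed in-memory log sink so the example runs offline; a real service
# would forward these records to its logging pipeline instead.
LOG_RECORDS = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        LOG_RECORDS.append(self.format(record))


logger = logging.getLogger("example_app")
logger.setLevel(logging.ERROR)
logger.addHandler(_ListHandler())
logger.propagate = False


def lookup_price(item_id):
    # Hypothetical business logic that fails on unexpected input.
    catalogue = {"A1": 10, "B2": 25}
    return catalogue[item_id]


def leaky_handler(item_id):
    """Misconfigured behaviour: the raw traceback is sent back to the client."""
    try:
        return 200, str(lookup_price(item_id))
    except Exception:
        return 500, traceback.format_exc()


def hardened_handler(item_id):
    """Log the traceback server-side under a correlation id; the client sees only the id."""
    try:
        return 200, str(lookup_price(item_id))
    except Exception:
        incident_id = uuid.uuid4().hex
        logger.error("incident %s\n%s", incident_id, traceback.format_exc())
        return 500, f"Internal error. Reference: {incident_id}"


def body_leaks_internals(body):
    """Detection rule: does a response body look like a Python traceback?"""
    markers = ("Traceback (most recent call last)", 'File "', "KeyError")
    return any(marker in body for marker in markers)


if __name__ == "__main__":
    for handler in (leaky_handler, hardened_handler):
        status, body = handler("ZZ")
        print(f"{handler.__name__}: status={status} leaks={body_leaks_internals(body)}")
```

The correlation id is what makes the hardened version workable in operations: support staff can find the full traceback in the server logs from the id the user reports, without the internals ever leaving the server.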

Hands On

Step 1 − Launch WebGoat, navigate to the insecure configuration section, and let us try to solve that challenge. A snapshot of the same is provided below −

(Image: security misconfiguration, screenshot 1)

Step 2 − We can try out as many options as we can think of. All we need is to find the URL of the config file, and we know that developers follow some kind of naming convention for config files. It can be anything listed below. This is usually done by a brute-force technique.

  1. web.config

  2. config

  3. appname.config

  4. conf

Step 3 − Upon trying various options, we find that 'http://localhost:8080/WebGoat/conf' is successful. The following page is displayed if the attempt is successful −

(Image: security misconfiguration, screenshot 2)

Preventive Mechanisms

  1. All environments, such as development, QA, and production, should be configured identically, with a different password used in each environment that cannot be cracked easily.

  2. Ensure that a strong application architecture is being adopted that provides effective, secure separation between components.

  3. The possibility of this attack can also be minimized by running automated scans and performing audits periodically.
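The first preventive mechanism, identical configuration across environments with distinct non-default secrets, can be enforced with a drift check such as the following added Python example. It is not part of the tutorial or of WebGoat; the environment names, setting keys, sample values and production rules are all constructed for illustration. The audit reports non-secret settings that differ between environments, secrets that are reused across environments or still carry a default or weak value, and production settings that violate the hardening rules (debug output and directory listing both off, matching the examples earlier on this page).

```python
import re

# Constructed sample settings for three environments; keys and values are
# hypothetical and deliberately contain the problems the audit should find.
ENVIRONMENTS = {
    "dev": {"debug": "false", "directory_listing": "off",
            "db_password": "dev-7Hq!x2Lp9sVb", "session_timeout": "30"},
    "qa": {"debug": "false", "directory_listing": "off",
           "db_password": "qa-Mz4#wR8tK1eQ", "session_timeout": "30"},
    "prod": {"debug": "true", "directory_listing": "on",
             "db_password": "dev-7Hq!x2Lp9sVb", "session_timeout": "30"},
}

# Keys whose values are secrets and therefore must differ per environment.
SECRET_KEY_PATTERN = re.compile(r"password|secret|token|api_key", re.IGNORECASE)
# Constructed list of values that indicate a vendor default was never changed.
DEFAULT_SECRETS = {"", "admin", "password", "changeme", "secret", "default"}
MIN_SECRET_LENGTH = 12
# Settings that must hold in production, whatever the other environments do.
PRODUCTION_RULES = {"debug": "false", "directory_listing": "off"}


def is_secret(key):
    return SECRET_KEY_PATTERN.search(key) is not None


def audit_environments(envs, production="prod"):
    """Return a list of (environment, key, problem) tuples; an empty list means clean."""
    findings = []
    names = sorted(envs)
    keys = sorted(set().union(*(env.keys() for env in envs.values())))
    for key in keys:
        values = {name: envs[name].get(key) for name in names}
        for name, value in values.items():
            if value is None:
                findings.append((name, key, "setting is missing"))
        present = {name: value for name, value in values.items() if value is not None}
        if is_secret(key):
            # Secrets: no defaults, no short values, and no value shared between environments.
            first_seen = {}
            for name, value in present.items():
                if value.lower() in DEFAULT_SECRETS or len(value) < MIN_SECRET_LENGTH:
                    findings.append((name, key, "default or weak secret"))
                if value in first_seen:
                    findings.append((name, key, f"secret reused from {first_seen[value]}"))
                else:
                    first_seen[value] = name
        elif len(set(present.values())) > 1:
            # Non-secret settings must be identical everywhere; report the drift once.
            findings.append(("all", key, f"drifts across environments: {present}"))
    for key, required in PRODUCTION_RULES.items():
        actual = envs.get(production, {}).get(key)
        if actual != required:
            findings.append((production, key,
                             f"must be {required!r} in production, found {actual!r}"))
    return findings


if __name__ == "__main__":
    for env, key, problem in audit_environments(ENVIRONMENTS):
        print(f"{env:5} {key:18} {problem}")
```

Running the audit as a gate in the deployment pipeline turns the first and third preventive mechanisms into something checked on every release rather than only during a periodic review.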