Security misconfiguration
Security Misconfiguration: Secure ASP.NET Configuration, Password Management
Jiří Danihelka
Secure ASP.NET Configuration
OWASP Top 10 Security Risks for ASP.NET
- the 10 most common security threats
- how to avoid them when creating websites
- how to perform hacking / penetration testing
Security Misconfiguration
Recommendations: this topic is very broad and it is hard to give a general recommendation.
- Check your website configuration carefully. Pay attention to settings related to security (e.g. session timeout).
- Change default passwords.
- Do not store production credentials in the repository.
- Use different credentials in Dev and Live environments.
Clickjacking
Attack description:
- a transparent iframe, loaded from the target site, is laid over the attacker's page so that the user's clicks land in it
- the user can unintentionally make requests he did not want to make
Custom Errors
Recommendations:
- Use custom error pages (customErrors mode="On" or "RemoteOnly") so that remote clients never see a stack trace.
- The RemoteOnly setting disables custom errors only for requests from localhost, so developers still get the detailed error page while everyone else gets the custom one.
Information disclosure
Recommendations:
<!-- enableVersionHeader - Remove the ASP.NET version number (the X-AspNet-Version header) from the response headers. Added security through obscurity. -->
<httpRuntime targetFramework="4.5" enableVersionHeader="false" />
<httpProtocol>
  <customHeaders>
    <!-- X-Powered-By - Remove the HTTP header for added security and a slight performance increase. -->
    <clear />
  </customHeaders>
</httpProtocol>
Leaving Tracing & Debugging Enabled
The trace feature of ASP.NET is one of the most useful tools you have for debugging and profiling your web applications.
Unfortunately, it is also one of the most useful tools a hacker can use to attack your web application if it is left enabled in a production environment: trace.axd lists recent requests with their headers, cookies, form fields and server variables. Ship with <trace enabled="false" /> and <compilation debug="false" />.
Maximum Request Length
Recommendations:
<!-- maxRequestLength="4096" - The maximum size of the whole HTTP request (body included, so in practice the upload limit) in kilobytes; 4096 KB is the default. URL length is limited separately by maxUrlLength. -->
<httpRuntime maxRequestLength="4096"/>
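The preceding slides each fix one web.config setting (custom errors, tracing, version headers, request length), and the clickjacking attack described earlier is normally stopped with an X-Frame-Options header, which the slides do not show. As an added example that is not code from the slides, the following Python script parses a web.config with the standard library and reports every one of those settings that is still weak. Both configs embedded in it are constructed for the demonstration, and the names audit_web_config, WEAK_CONFIG and HARDENED_CONFIG are the example's own.

```python
"""Audit an ASP.NET web.config for the settings discussed above.

Added example, not from the slides. Both configs below are constructed
for the demonstration; the checks use only the standard library.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a development web.config promoted to production unchanged.
WEAK_CONFIG = """
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <trace enabled="true" localOnly="false" />
    <customErrors mode="Off" />
    <httpRuntime targetFramework="4.5" maxRequestLength="1048576" />
  </system.web>
</configuration>
"""

# Constructed sample: the same file with the settings the slides recommend.
HARDENED_CONFIG = """
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
    <trace enabled="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
    <httpRuntime targetFramework="4.5" enableVersionHeader="false" maxRequestLength="4096" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


def _attr(elem, name, default=""):
    """Lower-cased attribute value, or the default when the element or attribute is absent."""
    if elem is None:
        return default.lower()
    return elem.get(name, default).lower()


def audit_web_config(xml_text):
    """Return one 'CODE: explanation' string per weak setting found in the config."""
    root = ET.fromstring(xml_text.strip())
    findings = []

    if _attr(root.find("system.web/compilation"), "debug") == "true":
        findings.append('DEBUG_ENABLED: compilation debug="true" ships debug builds and '
                        'verbose errors; set debug="false"')

    trace = root.find("system.web/trace")
    if _attr(trace, "enabled") == "true":
        # localOnly defaults to true, so only an explicit "false" exposes trace.axd remotely.
        scope = "remotely" if _attr(trace, "localOnly", "true") == "false" else "to local requests"
        findings.append(f'TRACE_ENABLED: trace.axd is reachable {scope}; set enabled="false"')

    # customErrors defaults to RemoteOnly when the element is absent, so only mode="Off" is weak.
    if _attr(root.find("system.web/customErrors"), "mode", "RemoteOnly") == "off":
        findings.append('CUSTOM_ERRORS_OFF: stack traces are shown to remote clients; '
                        'use mode="RemoteOnly" or "On"')

    runtime = root.find("system.web/httpRuntime")
    # enableVersionHeader defaults to true, so an absent attribute still leaks X-AspNet-Version.
    if _attr(runtime, "enableVersionHeader", "true") != "false":
        findings.append('VERSION_HEADER: X-AspNet-Version is sent; set enableVersionHeader="false"')
    # maxRequestLength is the whole-request size limit in kilobytes, default 4096 (4 MB).
    if int(_attr(runtime, "maxRequestLength", "4096")) > 4096:
        findings.append("LARGE_REQUESTS: maxRequestLength above the 4096 KB default invites "
                        "resource-exhaustion uploads")

    headers = root.find("system.webServer/httpProtocol/customHeaders")
    cleared, removed, added = False, set(), {}
    if headers is not None:
        cleared = headers.find("clear") is not None
        removed = {_attr(r, "name") for r in headers.findall("remove")}
        added = {_attr(a, "name"): _attr(a, "value") for a in headers.findall("add")}
    if not (cleared or "x-powered-by" in removed):
        findings.append('POWERED_BY_HEADER: X-Powered-By is sent; add <clear /> or '
                        '<remove name="X-Powered-By" /> under customHeaders')
    # ALLOW-FROM is not honoured by current browsers, so only DENY/SAMEORIGIN count as protection.
    if added.get("x-frame-options") not in ("deny", "sameorigin"):
        findings.append("NO_FRAME_OPTIONS: the site can be framed (clickjacking); add "
                        "X-Frame-Options DENY or SAMEORIGIN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_web_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  " + finding)
```

Run it as a script to list the findings for both configs; the weak one produces seven, the hardened one none. The Server header that IIS itself adds is not controlled from customHeaders and is deliberately out of scope here.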
Password Management
How to properly store production passwords?
Store passwords in the code repository? Definitely no!
- Not all developers should have access to production passwords.
- Problems with open-source projects.
- High risk of the password leaking (e.g. during a code audit).
Store passwords in emails? No
- Many emails.
- Hard to update passwords.
- Who has the password? Hard to restrict spreading.
Store passwords in Confluence? No
- Confluence is for documentation.
- Documentation is shared with other parties that should not have access to passwords.
- Does not support different levels of access (dev, stage, pre-release, live).
Store passwords in connection strings? No
- Not all passwords are connection strings.
- Hard to protect and retrieve later.
- Sometimes you have to connect to the server just to look one up.
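The slides above argue against committing production credentials and against leaving them in connection strings. As an added example that is not part of the deck, this Python pre-commit style scan checks a constructed four-file repository for the places those slides name (connection strings, appSettings, hard-coded literals in C# source), masks whatever it finds so the report itself does not leak, and checks that any connectionStrings section moved out of the tree with configSource points at a file listed in .gitignore. The configSource split is one common ASP.NET approach assumed here; it is not the password-management tool shown in the deck's demo, and the names scan_repo, unignored_config_sources and REPO_FILES are the example's own.

```python
"""Find production credentials that have been committed to a repository.

Added example, not from the slides. The files below are constructed to show
the three places the slides warn about (connection strings, appSettings and
hard-coded literals in source) plus one file that keeps the secret out of
the tree with configSource and .gitignore.
"""
import re

# Constructed sample repository (path -> contents).
REPO_FILES = {
    "Web.config": """
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=shop;User Id=sa;Password=Summer2014!" />
  </connectionStrings>
  <appSettings>
    <add key="SmtpPassword" value="hunter2" />
    <add key="PageSize" value="50" />
  </appSettings>
</configuration>
""",
    "Mailer.cs": 'var smtp = new SmtpClient("smtp.example.test") '
                 '{ Credentials = new NetworkCredential("ops", "hunter2") };\n',
    # The live config points at a file that is not committed; the secret lives only on the server.
    "Web.Release.config": """
<configuration>
  <connectionStrings configSource="secrets.config" />
</configuration>
""",
    ".gitignore": "bin/\nobj/\nsecrets.config\n",
}

# (finding kind, pattern whose group 1 is the secret value)
PATTERNS = [
    ("connection-string password",
     re.compile(r'connectionString="[^"]*?(?:Password|Pwd)\s*=\s*([^;"]+)', re.I)),
    ("appSettings secret",
     re.compile(r'<add\s+key="[^"]*(?:password|passwd|pwd|secret|token|apikey)[^"]*"'
                r'\s+value="([^"]+)"', re.I)),
    ("NetworkCredential literal",
     re.compile(r'new\s+NetworkCredential\(\s*"[^"]*"\s*,\s*"([^"]+)"')),
]
CONFIG_SOURCE = re.compile(r'configSource="([^"]+)"', re.I)


def mask(secret):
    """Keep two characters so the finding is recognisable without copying the secret into a log."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def scan_repo(files):
    """Return a list of {file, line, kind, value} findings, with the value masked."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS:
                match = pattern.search(line)
                if match:
                    findings.append({"file": path, "line": lineno,
                                     "kind": kind, "value": mask(match.group(1))})
    return findings


def unignored_config_sources(files):
    """configSource targets that .gitignore does not list (simplified: exact path match only)."""
    ignored = set(files.get(".gitignore", "").split())
    return [(path, m.group(1)) for path, text in files.items()
            for m in CONFIG_SOURCE.finditer(text) if m.group(1) not in ignored]


if __name__ == "__main__":
    for f in scan_repo(REPO_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} -> {f['value']}")
    print("unignored configSource files:", unignored_config_sources(REPO_FILES))
```

On the sample repository the scan reports the connection-string password and the SmtpPassword setting in Web.config and the NetworkCredential literal in Mailer.cs, while Web.Release.config passes because secrets.config is ignored; drop the .gitignore entry and the same file is flagged. Real .gitignore semantics are glob-based, so the exact-match check here is a deliberate simplification.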
Solution: Password Management
Password Management
Live demo