Security Misconfiguration Introduction

00:00

Hello. My name's I happily Welcome to the overview off Secure code in

00:05

Security, Miss Conflagration Vulnerabilities is actually the number six on the list of the top 10 0 ops vulnerabilities for 2000 and 17.

00:14

So, in security, Miss configuration of vulnerability, we're gonna be discussing the intro the causes. The scenario imparts prevention on some questions. So cigarette, miss conflagration vulnerability can actually be attributed to meet our new configuration out for or badly don't configuration

00:30

the ACA's usually launched without access your defaults account

00:35

whether or not they can access your protect their files on directorates when I come access badly crafted Aargh image error messages. So all these three things can actually allow the other cats again or not The rest outside

00:48

or knowledge of the system doesn't always do in ethical hacking. You use the default accounts on protective fans on their entries,

00:55

badly crafted air images to gain more knowledge of the system, something and sometimes to gain on the authorized access into the system. Funny. No, it's not just limited to the application level, it zapping cable even on the next level.

01:07

They are British system level on. Did it up is level. So all of this might actually be careful before you push your put it into production.

01:15

Now, what causes off security means conferred upon our beauty. One of them is the use of defaults accounts on Sabbath, the tire business or prison systems on network. The fact is that when all these things ships and newly, they are actually ships with defaults credentials the forces on a default password

01:34

on because we are most of the time we have

01:36

but or four credential my message. Stemming, Please. We don't want to change the default on. We just treat most of the time before push our application into production. We don't remember to change it or we just feel for convenience sake so that we don't forget whatever we change it. So we just push. It's like that into production on attack us.

01:57

Obama. Rounds of Jake now finds out out such defaults are counts are still in existence. Andi want to exploit it? I don't want his opera that that file directories that is this where develop us actually developed. The applications will die, including on e deck speak. So whoever runs the application from the roots die a tree

02:13

actually has in least off all the files in that petition system.

02:19

I want the other a list of all the facts in the application system. Then they simply monsieur has the access to the source sports

02:24

about from the source. Schools there could be ordered to say information like application credentials there. It's obvious credentials, nets or credentials that used in the development of the application. So that's a very, very serious kissed that other one. His confirmation messages in error messages, diskettes, users.

02:43

That's it. This is where users

02:46

end up wrong information or a roux knows information. Andi simply crosses the generation off arrows from the application. Now, most of this era messages actually come with several importance on dhe. On information that actually meant to be confidential

03:06

information about the detail is information about the natural information about the operates assistant actually,

03:13

in the air, a message. So some of the time, if Ana Tackle is handsome, this actually gets all of these copies, then asked, I use the need to exploit the system. Now we're going to take a look at our some of these things I exploit. They went to take a look at out. We use default accounts

03:31

to get into my secure Sava. We're going to see our own protective on Protect that foul. The actress can actually come up. We're going to see our configuration messages and error messages to spit to use us

03:44

actually comes to be. So let's take a look at it. 1st 1 where we want to get into the

03:50

my SQL sop up somebody to call up Sandy, Sandy comes ups on with Jangi entry to ready my SQL east. So the dying tree here will be C

04:02

did some on my SQL

04:08

So from my sq allowed the bean

04:11

So I'll just copy the directory on country. It's a missed it there, So I can't change that director. So once I get into the day to the next one is for me to just do my sq old dome.

04:26

Then my nose you were just so investigates it. For example,

04:31

somebody leaves this summer. We're all the better business. Andi has not changed the default credentials like has not changed the thing the defaults use earning, which is roots, then for password, which is also empty. So I'm just going to copy all

04:50

be retarded disease.

04:55

There's going to be followed. Not all big heart disease.

04:59

No, I need Yeah, it's gonna be these.

05:06

So you are these days.

05:15

So the next thing would be to get the guy actually wants to compete. Not so I don't get to get the dietary here because I wanted to be dumped on the deck. Stop. So from the desktop, I just copied to my flash on running. Well, it's It's

05:31

well, I'm not strange to be about boy here, So let's see how that goes. So this is it,

05:39

then. Here you have these. They can simply give it the name lessee stolen with hobbies.

05:46

So here, let's run it. It's asking me for the possible tow possiblities empty because I know it is the default. So it is the same everywhere. So what's it is default Password is still going to be answered so

06:00

that psycho's now assets is not all the detail business on this system are being copied to the text up. So if we think you can't say it's what we call it stolen, it's obvious this is just it now.

06:15

Hey, once you open needs, you guys simply open needs

06:20

open it with your notes part. This is the bottom off. All the debts are bees. All the detail business on the system on it simply means I can't just go away with it. But if you had actually changed the default from route, if they change the password from empty to something else,

06:39

this wouldn't have been able to are not

06:42

so. It's such a very, very bad thing. So I you know, there might be very, very important information into the type it's on. The guy just makes just cozy with that. Does the first inari now on adopting we can also look at is, um, protect their howls,

06:59

Um, protect their file directories? I talked about it earlier.

07:02

I'm on application. Just a sample application. There's no index speech. As you can see, there's only been drawn through 34 They're supposed to be index dot PHP. So bad time you run this application from the road actual without any off this Iran it is, or you're going to get

07:20

not keys. You can see all the applications are being leased. It

07:25

or you just need to do is open each of them a copy in court, the source codes on their you high. Don't be So can is there only with that. So that's our last scenario. Then I'm going to give you the last but not least scenario in this case here.

07:41

We caught the week up that would be using for the story off for the cause, but the basics off secure. So he went to log in a

07:49

three. Ben wants a baby.

07:53

We're going to look at the kind of error you reduce our messages that generated

07:59

for user's. So here I am looking at security, Miss Configuration Era messaging.

08:05

So here I'm just going to attack something that their rooms like, and he's dying. You can box error like want to play. So once I clicks off me, you can see this is the air. A message that is generator for the user use consists leg, all from user. That's more like the query.

08:22

Now it simply means there's a table. Indeed, it's Our business is called yousa.

08:28

Then there's a column in the database that is called Jews on him. As you can see, you can see I'm using this to get more knowledge of the system. Now I know there's a guitar is called This table name called Design Did. It's herpes on there's a column name called You Sandy. There's an article on in called Castle

08:45

and I can see from this era message that

08:48

is actually the application Developers actually used my obscure the Tardis. Then I can also see Peter Beauty, which is in Colombia, on the whole lot off things with these, I have some some information, some snippets of information about assistant. But

09:07

is this supposed to be this tree left? Take a look at how we should be the kind of error message

09:11

that should Come on. Now I'm going to do the same here. I have one degree. I click on this and I could go on down. So I picks on me. You can see this is the kind of Aramis it dash imaginary that not the wonder where supposed everything in the desert bees or in some things about it. It's obvious. Now look at this. We are imputed. Aargh!

09:31

Your input on this strange Carter,

09:33

Kindly remove them. I'm trying. And now in pewter of the type of the Arab, your input contain strange guardians. What really happens to my one really a paucity impute, then the advance on what to do. This is a typical kind of message that should be submitted or generate that for user's knots, messages that were exposed it it's obvious.

09:54

So that's those are examples. Those are scenarios

09:58

where this con security miss contrary shock and actually coming now what? That in parts of security, Miss Conflagration one is unauthorized access. The system did that just like we saw.

10:09

I was able to back up all the detail business in the system on all the rest accents without giving without anybody giving me any access depart that I can actually copy. That's in my USB. Our only real send 6%. It's my in box, and I don't want his system compromised on in sauce poured revelation.

10:28

Just like what happened in the kiss off

10:31

the Revolution off all the files and the dying trees. Those are some of the parts. Then how can you actually prevent some off this thing? I think the very 1st 1 day, his systems at me after you must have developed the application. You need to look at everything you need to do to

10:50

prevents vulnerability. Ince's

10:52

everything you need to do to keep the system well happened so you can actually come up with an S o p. What we call this man out of prison procedure on are so great about it. So anybody communion to the organization can actually lend us another one is carefully lending out so crafts error messages for user's not just,

11:09

um, bringing up any kind of error message, but carefully crafts in one

11:13

No. One is configuration management system had its periodic review, then coming up with the stringent policy on

11:22

out to prevent security. Miss Configuration. It's very, very good. So let's take a look at some of this police questions. Security, Miss configuration Vulnerability can be caused by dash. Except, yes, it can actually be caused by roots. Just like what we saw in my SQL. Now then use off default credentials.

11:41

Error messages, confidential Miss Configuration injection. We call beauty

11:45

injection One is rich off. This can not be on the part of security in this configuration. They got a system compromised, floored money, laundry, off course float. So that's the inside back. It's all right, Summer. Really. We've looked at the introduction to security, Miss Configuration

12:01

we talked about badly confit got Nets, work on bridges, systems on servers, and it's our business.

12:09

We also thought about some of the causes, like on protect that dying trees, default passwords. We talked about scenario. We looked at three scenarios than we thought. The body in parts like 16 compromise, then how you can prevent it by coming up with configuration stand out of prison procedures.