Difference between revisions of "Template:OWASP Secure Configuration Guide"
Compared revisions: m (→Description) and (→How to test)
(One intermediate revision by the same user not shown)
Line 22: | Line 22: | ||
%ProductName% allows unauthorized attacker to list all users of the system ... | %ProductName% allows unauthorized attacker to list all users of the system ... | ||
− | // Detailed description of the impact. Is it enabled by default? | + | // Detailed description of the impact. Is it enabled by default? Vulnerable versions. |
==== How to test ==== | ==== How to test ==== | ||
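Review bot: the new "Vulnerable versions." prompt in the Description comment leaves out the one detail the Remediation section later relies on, namely where the setting lives and what its default is (the Remediation text quotes the "listUsers" parameter in config.xml and its initial value "true"). Suggest extending the comment to "// Detailed description of the impact. Is it enabled by default? Which file/parameter controls it and what is its default? Vulnerable versions." so that authors record the parameter and default in the Description rather than only in the fix.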
Line 28: | Line 28: | ||
In order to test for %Misconfiguration_1%, one should ... | In order to test for %Misconfiguration_1%, one should ... | ||
− | // Please include the screenshots and widely known tools/scanners! | + | // Proof-of-concept here. Please include the screenshots and widely known tools/scanners! |
==== Remediation ==== | ==== Remediation ==== |
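Review bot: "Proof-of-concept here." in the How to test comment should say what a proof of concept must contain, otherwise authors will satisfy it with a screenshot only, which nobody can re-run; the existing sentence already makes screenshots the primary deliverable. Suggest "// Proof-of-concept here: the exact request or command used and the response that shows the misconfiguration. Screenshots and widely known tools/scanners are welcome in addition." so that every Guide entry is reproducible from the page.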
Latest revision as of 09:47, 8 December 2014
The Secure Configuration Guide page structure is presented below. Please use this template so that the Guides stay clean and uniform.
Summary
A detailed description of the product (can be taken from the official website)
Common Misconfigurations
Misconfiguration 1
Description
%ProductName% allows an unauthorized attacker to list all users of the system ...
// Detailed description of the impact. Is it enabled by default? Vulnerable versions.
How to test
In order to test for %Misconfiguration_1%, one should ...
// Proof-of-concept here. Please include the screenshots and widely known tools/scanners!
Remediation
The initial (default) value of the "listUsers" parameter in config.xml is "true".
To remediate the misconfiguration it is enough to set the value to "false":
<security>
  <listUsers>false</listUsers>
</security>
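To show what a filled-in "How to test" and "Remediation" entry can provide beyond a screenshot, here is an added example that is not part of the OWASP template or of any product: a check for the "listUsers" setting in a config.xml of the shape shown above, together with a function that applies the remediation. The product, the config.xml layout and the <security><listUsers> element are the template's placeholders, so the layout is hypothetical, and the sample configurations are constructed for the example. A missing element is treated as enabled, because the template states that the initial value is "true".

```python
# Added example for the OWASP Secure Configuration Guide template; not the
# template's or any product's own code. The <security><listUsers> layout is
# the template's placeholder and is assumed here.
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real product).
VULNERABLE_CONFIG = """<configuration>
  <security>
    <listUsers>true</listUsers>
  </security>
</configuration>
"""

FIXED_CONFIG = """<configuration>
  <security>
    <listUsers>false</listUsers>
  </security>
</configuration>
"""

# The template says the initial/common value is "true", so a config that
# omits the element is reported as enabled: the product default applies.
DEFAULT_LIST_USERS = True


def _parse_bool(text):
    """Accept the usual spellings of a boolean; reject anything else loudly."""
    value = (text or "").strip().lower()
    if value in ("true", "1", "yes", "on"):
        return True
    if value in ("false", "0", "no", "off"):
        return False
    raise ValueError("unrecognised boolean value in <listUsers>: %r" % text)


def list_users_enabled(config_xml):
    """Return True if user listing is enabled, explicitly or by default."""
    root = ET.fromstring(config_xml)
    node = root.find("./security/listUsers")
    if node is None:
        return DEFAULT_LIST_USERS
    return _parse_bool(node.text)


def harden(config_xml):
    """Return config.xml with <listUsers> forced to false (created if absent).

    Creating the element matters: leaving it out would silently keep the
    product default, which is the vulnerable setting.
    """
    root = ET.fromstring(config_xml)
    security = root.find("./security")
    if security is None:
        security = ET.SubElement(root, "security")
    node = security.find("./listUsers")
    if node is None:
        node = ET.SubElement(security, "listUsers")
    node.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "listUsers enabled:", list_users_enabled(cfg))
    print("after harden():", list_users_enabled(harden(VULNERABLE_CONFIG)))
```

Run it against a copy of the real config.xml to produce the evidence a Guide entry asks for: the check reports the weak value, the hardened output is the remediation, and re-running the check on the hardened file confirms the fix. Treat an explicit default in the check as an assumption to verify per version, since vendors change defaults between releases.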
Misconfiguration 2
...
References
http://official.documentation/documentation.pdf
// Please also include links to existing OWASP pages!