This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Secure Configuration Guide"

From OWASP
Jump to: navigation, search
m
(current status)
 
(21 intermediate revisions by 4 users not shown)
Line 3: Line 3:
 
Project description is available here: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide
 
Project description is available here: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide
  
 +
When editing the page, please follow the page structure, described in [[Template:OWASP Secure Configuration Guide]]
  
 +
= Table of Contents =
  
= Table of Contents =
 
  
 
== 1. Introduction ==
 
== 1. Introduction ==
 +
 
'''1.1. The OWASP Secure Configuration Guide'''
 
'''1.1. The OWASP Secure Configuration Guide'''
  
 
'''1.2. Misconfiguration. Defender's point'''
 
'''1.2. Misconfiguration. Defender's point'''
  
'''1.3. Misconfiguration. Attacker's point"
+
'''1.3. Misconfiguration. Attacker's point'''
 +
 
 +
 
 +
== 2. Web servers misconfiguration ==
 +
 
 +
'''[[SCG_WS_Apache|2.1. Apache]]''' - started
 +
 
 +
'''[[SCG_WS_IIS|2.2. IIS]]'''  - started
 +
 
 +
'''[[SCG_WS_nginx|2.3. nginx]]'''  - started
 +
 
 +
'''[[SCG_WS_GWS|2.4. GWS]]''' - NOT STARTED
 +
 
 +
'''[[SCG_WS_IBM|2.5. IBM HTTP Server]]''' - started
 +
 
 +
'''[[SCG_WS_LIGHTTPD|2.6 lighttpd]]''' - NOT STARTED
 +
 
 +
'''[[SCG_WS_OPENBSD_HTTPD|2.7 New OpenBSD HTTPD Webserver]]''' - started
 +
 
 +
== 3. Application servers misconfiguration ==
 +
 
 +
'''[[SCG_AS_Tomcat|3.1. Apache Tomcat]]''' - NOT STARTED
 +
 
 +
'''[[SCG_AS_Borland|3.2. Borland Enterprise Server]]''' - NOT STARTED
 +
 
 +
'''[[SCG_AS_ColdFusion|3.3. ColdFusion]]'''  - NOT STARTED
 +
 
 +
'''[[SCG_AS_WebSphere|3.4. IBM WebSphere Application Server]]''' - NOT STARTED
 +
 
 +
'''[[SCG_AS_JBoss|3.5. JBoss Enterprise Application Platform]]''' - NOT STARTED
 +
 
 +
'''[[SCG_AS_Jetty|3.6. Jetty]]''' - NOT STARTED
 +
 
 +
'''[[SCG_AS_NetWeaver|3.7. SAP NetWeaver Application Server]]''' - NOT STARTED
 +
 
 +
'''[[SCG_AS_Oracle|3.8. Oracle Application Server]]''' - NOT STARTED
 +
 
 +
'''[[SCG_AS_WebLogic|3.9. Oracle WebLogic Server]]''' - NOT STARTED
 +
 
 +
'''[[SCG_AS_GlassFish|3.10. Oracle GlassFish Server]]''' - NOT STARTED
 +
 
 +
== 4. Web frameworks misconfiguration ==
 +
 
 +
'''[[SCG_WF_Struts|4.1. Apache Struts]]''' - NOT STARTED
 +
 
 +
'''[[SCG_WF_ASPNET|4.2. ASP.NET]]''' - completed, needs to be reviewed
 +
 
 +
'''[[SCG_WF_CakePHP|4.3. CakePHP]]''' - NOT STARTED
 +
 
 +
'''[[SCG_WF_CodeIgniter|4.4. CodeIgniter]]''' - NOT STARTED
 +
 
 +
'''[[SCG_WF_Django|4.5. Django]]''' - started
 +
 
 +
'''[[SCG_WF_Lithium|4.6. Lithium]]''' - NOT STARTED
 +
 
 +
'''[[SCG_WF_Rails|4.7. Ruby on Rails]]''' - NOT STARTED
 +
 
 +
'''[[SCG_WF_Spring|4.8. Spring]]''' - NOT STARTED
 +
 
 +
'''[[SCG_WF_Symfony|4.9. Symfony]]''' - NOT STARTED
 +
 
 +
'''[[SCG_WF_Zend|4.10. Zend]]''' - NOT STARTED
 +
 
 +
== 5. CMS misconfiguration ==
 +
 
 +
'''[[SCG_CMS_Bitrix|5.1. Bitrix]]''' - NOT STARTED
 +
 
 +
'''[[SCG_CMS_Drupal|5.2. Drupal]]''' - started
 +
 
 +
'''[[SCG_CMS_Joomla|5.3. Joomla]]''' - started
 +
 
 +
'''[[SCG_CMS_Magento|5.4. Magento]]''' - NOT STARTED
 +
 
 +
'''[[SCG_CMS_OpenCart|5.5. OpenCart]]''' - NOT STARTED
 +
 
 +
'''[[SCG_CMS_phpBB|5.6. phpBB]]''' - NOT STARTED
 +
 
 +
'''[[SCG_CMS_Shopify|5.7. Shopify]]''' - NOT STARTED
 +
 
 +
'''[[SCG_CMS_TYPO3|5.8. TYPO3]]''' - NOT STARTED
 +
 
 +
'''[[SCG_CMS_vBulletin|5.9. vBulletin]]'''  - NOT STARTED
 +
 
 +
'''[[SCG_CMS_Wordpress|5.10. Wordpress]]''' - started
 +
 
 +
== 6. Crypto misconfiguration  ==
 +
 
 +
'''Hardening'''
 +
*[https://bettercrypto.org/static/applied-crypto-hardening.pdf Applied Crypto Hardening General Hardening]
 +
 
 +
 
 +
'''Testing Crypto Config'''
 +
*[https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 Testing for SSL-TLS OWASP-CM-001]
 +
*[https://www.digicert.com/help/ Digicert Testing Suite]
 +
*[https://www.ssllabs.com/ssltest/index.html SSL Labs SSL Test]
 +
 
 +
== 7. Services ==
 +
'''7.1. VNC''' - srsly.de ;)
 +
 
 +
'''SSH'''
 +
 
 +
'''RDP'''
 +
 
 +
'''7.2 to be complemented later'''
  
== 2. Common misconfigurations ==
+
== 8. Devices ==
'''2.1. Servers'''
 
  
'''2.2. Web frameworks'''
+
'''[[SCG_D_BIGIP|8.1. BIG-IP]]''' - completed, to be reviewed
  
'''2.3. Crypto'''
+
'''8.2. Routers''' - create list!
  
'''2.4. Services'''
+
'''8.3. Firewalls ''' - create list!
  
'''2.5. Devices'''
+
'''8.4. to be complemented later'''
  
  
  
 
[[Category:OWASP Project]]  [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
 
[[Category:OWASP Project]]  [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]

Latest revision as of 12:38, 24 May 2015

Welcome on the page of Secure Configuration Guide!

Project description is available here: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide

When editing the page, please follow the page structure, described in Template:OWASP Secure Configuration Guide

Table of Contents

1. Introduction

1.1. The OWASP Secure Configuration Guide

1.2. Misconfiguration. Defender's point

1.3. Misconfiguration. Attacker's point


2. Web servers misconfiguration

2.1. Apache - started

2.2. IIS - started

2.3. nginx - started

2.4. GWS - NOT STARTED

2.5. IBM HTTP Server - started

2.6 lighttpd - NOT STARTED

2.7 New OpenBSD HTTPD Webserver - started

3. Application servers misconfiguration

3.1. Apache Tomcat - NOT STARTED

3.2. Borland Enterprise Server - NOT STARTED

3.3. ColdFusion - NOT STARTED

3.4. IBM WebSphere Application Server - NOT STARTED

3.5. JBoss Enterprise Application Platform - NOT STARTED

3.6. Jetty - NOT STARTED

3.7. SAP NetWeaver Application Server - NOT STARTED

3.8. Oracle Application Server - NOT STARTED

3.9. Oracle WebLogic Server - NOT STARTED

3.10. Oracle GlassFish Server - NOT STARTED

4. Web frameworks misconfiguration

4.1. Apache Struts - NOT STARTED

4.2. ASP.NET - completed, needs to be reviewed

4.3. CakePHP - NOT STARTED

4.4. CodeIgniter - NOT STARTED

4.5. Django - started

4.6. Lithium - NOT STARTED

4.7. Ruby on Rails - NOT STARTED

4.8. Spring - NOT STARTED

4.9. Symfony - NOT STARTED

4.10. Zend - NOT STARTED

5. CMS misconfiguration

5.1. Bitrix - NOT STARTED

5.2. Drupal - started

5.3. Joomla - started

5.4. Magento - NOT STARTED

5.5. OpenCart - NOT STARTED

5.6. phpBB - NOT STARTED

5.7. Shopify - NOT STARTED

5.8. TYPO3 - NOT STARTED

5.9. vBulletin - NOT STARTED

5.10. Wordpress - started

6. Crypto misconfiguration

Hardening


Testing Crypto Config

7. Services

7.1. VNC - srsly.de ;)

SSH

RDP

7.2 to be complemented later

8. Devices

8.1. BIG-IP - completed, to be reviewed

8.2. Routers - create list!

8.3. Firewalls - create list!

8.4. to be complemented later