
Difference between revisions of "Secure Configuration Guide"

From OWASP
(6. Crypto misconfiguration)
(current status)
 
(8 intermediate revisions by 2 users not shown)
Line 19: Line 19:
 
== 2. Web servers misconfiguration ==
 
== 2. Web servers misconfiguration ==
  
'''[[SCG_WS_Apache|2.1. Apache]]'''
+
'''[[SCG_WS_Apache|2.1. Apache]]''' - started
  
'''[[SCG_WS_IIS|2.2. IIS]]'''
+
'''[[SCG_WS_IIS|2.2. IIS]]''' - started
  
'''[[SCG_WS_nginx|2.3. nginx]]'''
+
'''[[SCG_WS_nginx|2.3. nginx]]''' - started
  
'''[[SCG_WS_GWS|2.4. GWS]]'''
+
'''[[SCG_WS_GWS|2.4. GWS]]''' - NOT STARTED
  
'''[[SCG_WS_IBM|2.5. IBM HTTP Server]]'''
+
'''[[SCG_WS_IBM|2.5. IBM HTTP Server]]''' - started
 +
 
 +
'''[[SCG_WS_LIGHTTPD|2.6 lighttpd]]''' - NOT STARTED
 +
 
 +
'''[[SCG_WS_OPENBSD_HTTPD|2.7 New OpenBSD HTTPD Webserver]]''' - started
  
 
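Review bot: the two entries added in this hunk, "2.6 lighttpd" and "2.7 New OpenBSD HTTPD Webserver", drop the trailing period that every other item in the section uses ("2.5. IBM HTTP Server"); write them as "2.6. lighttpd" and "2.7. New OpenBSD HTTPD Webserver" so the numbering style stays uniform across the table of contents.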
== 3. Application servers misconfiguration ==
 
== 3. Application servers misconfiguration ==
  
'''[[SCG_AS_Tomcat|3.1. Apache Tomcat]]'''
+
'''[[SCG_AS_Tomcat|3.1. Apache Tomcat]]''' - NOT STARTED
  
'''[[SCG_AS_Borland|3.2. Borland Enterprise Server]]'''
+
'''[[SCG_AS_Borland|3.2. Borland Enterprise Server]]''' - NOT STARTED
  
'''[[SCG_AS_ColdFusion|3.3. ColdFusion]]'''  
+
'''[[SCG_AS_ColdFusion|3.3. ColdFusion]]''' - NOT STARTED
  
'''[[SCG_AS_WebSphere|3.4. IBM WebSphere Application Server]]'''
+
'''[[SCG_AS_WebSphere|3.4. IBM WebSphere Application Server]]''' - NOT STARTED
  
'''[[SCG_AS_JBoss|3.5. JBoss Enterprise Application Platform]]'''
+
'''[[SCG_AS_JBoss|3.5. JBoss Enterprise Application Platform]]''' - NOT STARTED
  
'''[[SCG_AS_Jetty|3.6. Jetty]]'''
+
'''[[SCG_AS_Jetty|3.6. Jetty]]''' - NOT STARTED
  
'''[[SCG_AS_NetWeaver|3.7. SAP NetWeaver Application Server]]'''
+
'''[[SCG_AS_NetWeaver|3.7. SAP NetWeaver Application Server]]''' - NOT STARTED
  
'''[[SCG_AS_Oracle|3.8. Oracle Application Server]]'''
+
'''[[SCG_AS_Oracle|3.8. Oracle Application Server]]''' - NOT STARTED
  
'''[[SCG_AS_WebLogic|3.9. Oracle WebLogic Server]]'''
+
'''[[SCG_AS_WebLogic|3.9. Oracle WebLogic Server]]''' - NOT STARTED
  
'''[[SCG_AS_GlassFish|3.10. Oracle GlassFish Server]]'''
+
'''[[SCG_AS_GlassFish|3.10. Oracle GlassFish Server]]''' - NOT STARTED
  
 
== 4. Web frameworks misconfiguration ==
 
== 4. Web frameworks misconfiguration ==
  
'''[[SCG_WF_Struts|4.1. Apache Struts]]'''
+
'''[[SCG_WF_Struts|4.1. Apache Struts]]''' - NOT STARTED
  
'''[[SCG_WF_ASPNET|4.2. ASP.NET]]'''
+
'''[[SCG_WF_ASPNET|4.2. ASP.NET]]''' - completed, needs to be reviewed
  
'''[[SCG_WF_CakePHP|4.3. CakePHP]]'''
+
'''[[SCG_WF_CakePHP|4.3. CakePHP]]''' - NOT STARTED
  
'''[[SCG_WF_CodeIgniter|4.4. CodeIgniter]]'''
+
'''[[SCG_WF_CodeIgniter|4.4. CodeIgniter]]''' - NOT STARTED
  
'''[[SCG_WF_Django|4.5. Django]]'''
+
'''[[SCG_WF_Django|4.5. Django]]''' - started
  
'''[[SCG_WF_Lithium|4.6. Lithium]]'''
+
'''[[SCG_WF_Lithium|4.6. Lithium]]''' - NOT STARTED
  
'''[[SCG_WF_Rails|4.7. Ruby on Rails]]'''
+
'''[[SCG_WF_Rails|4.7. Ruby on Rails]]''' - NOT STARTED
  
'''[[SCG_WF_Spring|4.8. Spring]]'''
+
'''[[SCG_WF_Spring|4.8. Spring]]''' - NOT STARTED
  
'''[[SCG_WF_Symfony|4.9. Symfony]]'''
+
'''[[SCG_WF_Symfony|4.9. Symfony]]''' - NOT STARTED
  
'''[[SCG_WF_Zend|4.10. Zend]]'''
+
'''[[SCG_WF_Zend|4.10. Zend]]''' - NOT STARTED
  
 
== 5. CMS misconfiguration ==
 
== 5. CMS misconfiguration ==
  
'''[[SCG_CMS_Bitrix|5.1. Bitrix]]'''
+
'''[[SCG_CMS_Bitrix|5.1. Bitrix]]''' - NOT STARTED
  
'''[[SCG_CMS_Drupal|5.2. Drupal]]'''
+
'''[[SCG_CMS_Drupal|5.2. Drupal]]''' - started
  
'''[[SCG_CMS_Joomla|5.3. Joomla]]'''
+
'''[[SCG_CMS_Joomla|5.3. Joomla]]''' - started
  
'''[[SCG_CMS_Magento|5.4. Magento]]'''
+
'''[[SCG_CMS_Magento|5.4. Magento]]''' - NOT STARTED
  
'''[[SCG_CMS_OpenCart|5.5. OpenCart]]'''
+
'''[[SCG_CMS_OpenCart|5.5. OpenCart]]''' - NOT STARTED
  
'''[[SCG_CMS_phpBB|5.6. phpBB]]'''
+
'''[[SCG_CMS_phpBB|5.6. phpBB]]''' - NOT STARTED
  
'''[[SCG_CMS_Shopify|5.7. Shopify]]'''
+
'''[[SCG_CMS_Shopify|5.7. Shopify]]''' - NOT STARTED
  
'''[[SCG_CMS_TYPO3|5.8. TYPO3]]'''
+
'''[[SCG_CMS_TYPO3|5.8. TYPO3]]''' - NOT STARTED
  
'''[[SCG_CMS_vBulletin|5.9. vBulletin]]'''
+
'''[[SCG_CMS_vBulletin|5.9. vBulletin]]''' - NOT STARTED
  
'''[[SCG_CMS_Wordpress|5.10. Wordpress]]'''
+
'''[[SCG_CMS_Wordpress|5.10. Wordpress]]''' - started
  
 
== 6. Crypto misconfiguration  ==
 
== 6. Crypto misconfiguration  ==
  
'''6.1 SSL / TLS configuration'''
+
'''Hardening'''
 +
*[https://bettercrypto.org/static/applied-crypto-hardening.pdf Applied Crypto Hardening General Hardening]
 +
 
  
'''6.2 Cryptographic Password storage policy'''
+
'''Testing Crypto Config'''
 +
*[https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 Testing for SSL-TLS OWASP-CM-001]
 +
*[https://www.digicert.com/help/ Digicert Testing Suite]
 +
*[https://www.ssllabs.com/ssltest/index.html SSL Labs SSL Test]
  
'''6.3 to be complemented later'''
+
== 7. Services ==
 +
'''7.1. VNC''' - srsly.de ;)
  
== 7. Services ==
+
'''SSH'''
  
'''7.1 to be complemented later'''
+
'''RDP'''
  
 +
'''7.2 to be complemented later'''
  
 
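Review bot: this hunk replaces the numbered items "6.1 SSL / TLS configuration" and "6.2 Cryptographic Password storage policy" with the unnumbered headings "Hardening" and "Testing Crypto Config", so the password storage policy topic disappears from the outline with no replacement and section 6 loses the numbering every other section uses; keep the topic as its own numbered item (for example "6.3. Cryptographic password storage policy - NOT STARTED") and number the two new headings. In section 7 the new "SSH" and "RDP" entries are likewise unnumbered while "7.2 to be complemented later" keeps its number, and "7.1. VNC - srsly.de ;)" does not follow the "started / NOT STARTED / completed" status convention used elsewhere; suggest "7.2. SSH - NOT STARTED", "7.3. RDP - NOT STARTED" and a plain status marker for VNC.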
== 8. Devices ==
 
== 8. Devices ==
  
'''[[SCG_D_BIGIP|8.1. BIG-IP]]'''  
+
'''[[SCG_D_BIGIP|8.1. BIG-IP]]''' - completed, to be reviewed
  
'''8.2. Routers'''  
+
'''8.2. Routers''' - create list!
  
'''8.3. Firewalls '''
+
'''8.3. Firewalls ''' - create list!
  
 
'''8.4. to be complemented later'''
 
'''8.4. to be complemented later'''

Latest revision as of 12:38, 24 May 2015

Welcome to the page of the Secure Configuration Guide!

Project description is available here: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide

When editing the page, please follow the page structure described in Template:OWASP Secure Configuration Guide.

Table of Contents

1. Introduction

1.1. The OWASP Secure Configuration Guide

1.2. Misconfiguration. Defender's point

1.3. Misconfiguration. Attacker's point


2. Web servers misconfiguration

2.1. Apache - started

2.2. IIS - started

2.3. nginx - started

2.4. GWS - NOT STARTED

2.5. IBM HTTP Server - started

2.6. lighttpd - NOT STARTED

2.7. New OpenBSD HTTPD Webserver - started

3. Application servers misconfiguration

3.1. Apache Tomcat - NOT STARTED

3.2. Borland Enterprise Server - NOT STARTED

3.3. ColdFusion - NOT STARTED

3.4. IBM WebSphere Application Server - NOT STARTED

3.5. JBoss Enterprise Application Platform - NOT STARTED

3.6. Jetty - NOT STARTED

3.7. SAP NetWeaver Application Server - NOT STARTED

3.8. Oracle Application Server - NOT STARTED

3.9. Oracle WebLogic Server - NOT STARTED

3.10. Oracle GlassFish Server - NOT STARTED

4. Web frameworks misconfiguration

4.1. Apache Struts - NOT STARTED

4.2. ASP.NET - completed, needs to be reviewed

4.3. CakePHP - NOT STARTED

4.4. CodeIgniter - NOT STARTED

4.5. Django - started

4.6. Lithium - NOT STARTED

4.7. Ruby on Rails - NOT STARTED

4.8. Spring - NOT STARTED

4.9. Symfony - NOT STARTED

4.10. Zend - NOT STARTED

5. CMS misconfiguration

5.1. Bitrix - NOT STARTED

5.2. Drupal - started

5.3. Joomla - started

5.4. Magento - NOT STARTED

5.5. OpenCart - NOT STARTED

5.6. phpBB - NOT STARTED

5.7. Shopify - NOT STARTED

5.8. TYPO3 - NOT STARTED

5.9. vBulletin - NOT STARTED

5.10. Wordpress - started

6. Crypto misconfiguration

Hardening


Testing Crypto Config

7. Services

7.1. VNC - srsly.de ;)

SSH

RDP

7.2. to be complemented later

8. Devices

8.1. BIG-IP - completed, to be reviewed

8.2. Routers - create list!

8.3. Firewalls - create list!

8.4. to be complemented later