This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Secure Configuration Guide"
Timo.goosen (talk | contribs) (→2. Web servers misconfiguration) |
(current status) |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 19: | Line 19: | ||
== 2. Web servers misconfiguration == | == 2. Web servers misconfiguration == | ||
− | '''[[SCG_WS_Apache|2.1. Apache]]''' | + | '''[[SCG_WS_Apache|2.1. Apache]]''' - started |
− | '''[[SCG_WS_IIS|2.2. IIS]]''' | + | '''[[SCG_WS_IIS|2.2. IIS]]''' - started |
− | '''[[SCG_WS_nginx|2.3. nginx]]''' | + | '''[[SCG_WS_nginx|2.3. nginx]]''' - started |
− | '''[[SCG_WS_GWS|2.4. GWS]]''' | + | '''[[SCG_WS_GWS|2.4. GWS]]''' - NOT STARTED |
− | '''[[SCG_WS_IBM|2.5. IBM HTTP Server]]''' | + | '''[[SCG_WS_IBM|2.5. IBM HTTP Server]]''' - started |
− | '''[[SCG_WS_LIGHTTPD lighttpd]]''' | + | '''[[SCG_WS_LIGHTTPD|2.6 lighttpd]]''' - NOT STARTED |
− | '''[[SCG_WS_OPENBSD_HTTPD New OpenBSD HTTPD Webserver]]''' | + | '''[[SCG_WS_OPENBSD_HTTPD|2.7 New OpenBSD HTTPD Webserver]]''' - started |
== 3. Application servers misconfiguration == | == 3. Application servers misconfiguration == | ||
− | '''[[SCG_AS_Tomcat|3.1. Apache Tomcat]]''' | + | '''[[SCG_AS_Tomcat|3.1. Apache Tomcat]]''' - NOT STARTED |
− | '''[[SCG_AS_Borland|3.2. Borland Enterprise Server]]''' | + | '''[[SCG_AS_Borland|3.2. Borland Enterprise Server]]''' - NOT STARTED |
− | '''[[SCG_AS_ColdFusion|3.3. ColdFusion]]''' | + | '''[[SCG_AS_ColdFusion|3.3. ColdFusion]]''' - NOT STARTED |
− | '''[[SCG_AS_WebSphere|3.4. IBM WebSphere Application Server]]''' | + | '''[[SCG_AS_WebSphere|3.4. IBM WebSphere Application Server]]''' - NOT STARTED |
− | '''[[SCG_AS_JBoss|3.5. JBoss Enterprise Application Platform]]''' | + | '''[[SCG_AS_JBoss|3.5. JBoss Enterprise Application Platform]]''' - NOT STARTED |
− | '''[[SCG_AS_Jetty|3.6. Jetty]]''' | + | '''[[SCG_AS_Jetty|3.6. Jetty]]''' - NOT STARTED |
− | '''[[SCG_AS_NetWeaver|3.7. SAP NetWeaver Application Server]]''' | + | '''[[SCG_AS_NetWeaver|3.7. SAP NetWeaver Application Server]]''' - NOT STARTED |
− | '''[[SCG_AS_Oracle|3.8. Oracle Application Server]]''' | + | '''[[SCG_AS_Oracle|3.8. Oracle Application Server]]''' - NOT STARTED |
− | '''[[SCG_AS_WebLogic|3.9. Oracle WebLogic Server]]''' | + | '''[[SCG_AS_WebLogic|3.9. Oracle WebLogic Server]]''' - NOT STARTED |
− | '''[[SCG_AS_GlassFish|3.10. Oracle GlassFish Server]]''' | + | '''[[SCG_AS_GlassFish|3.10. Oracle GlassFish Server]]''' - NOT STARTED |
== 4. Web frameworks misconfiguration == | == 4. Web frameworks misconfiguration == | ||
− | '''[[SCG_WF_Struts|4.1. Apache Struts]]''' | + | '''[[SCG_WF_Struts|4.1. Apache Struts]]''' - NOT STARTED |
− | '''[[SCG_WF_ASPNET|4.2. ASP.NET]]''' | + | '''[[SCG_WF_ASPNET|4.2. ASP.NET]]''' - completed, needs to be reviewed |
− | '''[[SCG_WF_CakePHP|4.3. CakePHP]]''' | + | '''[[SCG_WF_CakePHP|4.3. CakePHP]]''' - NOT STARTED |
− | '''[[SCG_WF_CodeIgniter|4.4. CodeIgniter]]''' | + | '''[[SCG_WF_CodeIgniter|4.4. CodeIgniter]]''' - NOT STARTED |
− | '''[[SCG_WF_Django|4.5. Django]]''' | + | '''[[SCG_WF_Django|4.5. Django]]''' - started |
− | '''[[SCG_WF_Lithium|4.6. Lithium]]''' | + | '''[[SCG_WF_Lithium|4.6. Lithium]]''' - NOT STARTED |
− | '''[[SCG_WF_Rails|4.7. Ruby on Rails]]''' | + | '''[[SCG_WF_Rails|4.7. Ruby on Rails]]''' - NOT STARTED |
− | '''[[SCG_WF_Spring|4.8. Spring]]''' | + | '''[[SCG_WF_Spring|4.8. Spring]]''' - NOT STARTED |
− | '''[[SCG_WF_Symfony|4.9. Symfony]]''' | + | '''[[SCG_WF_Symfony|4.9. Symfony]]''' - NOT STARTED |
− | '''[[SCG_WF_Zend|4.10. Zend]]''' | + | '''[[SCG_WF_Zend|4.10. Zend]]''' - NOT STARTED |
== 5. CMS misconfiguration == | == 5. CMS misconfiguration == | ||
− | '''[[SCG_CMS_Bitrix|5.1. Bitrix]]''' | + | '''[[SCG_CMS_Bitrix|5.1. Bitrix]]''' - NOT STARTED |
− | '''[[SCG_CMS_Drupal|5.2. Drupal]]''' | + | '''[[SCG_CMS_Drupal|5.2. Drupal]]''' - started |
− | '''[[SCG_CMS_Joomla|5.3. Joomla]]''' | + | '''[[SCG_CMS_Joomla|5.3. Joomla]]''' - started |
− | '''[[SCG_CMS_Magento|5.4. Magento]]''' | + | '''[[SCG_CMS_Magento|5.4. Magento]]''' - NOT STARTED |
− | '''[[SCG_CMS_OpenCart|5.5. OpenCart]]''' | + | '''[[SCG_CMS_OpenCart|5.5. OpenCart]]''' - NOT STARTED |
− | '''[[SCG_CMS_phpBB|5.6. phpBB]]''' | + | '''[[SCG_CMS_phpBB|5.6. phpBB]]''' - NOT STARTED |
− | '''[[SCG_CMS_Shopify|5.7. Shopify]]''' | + | '''[[SCG_CMS_Shopify|5.7. Shopify]]''' - NOT STARTED |
− | '''[[SCG_CMS_TYPO3|5.8. TYPO3]]''' | + | '''[[SCG_CMS_TYPO3|5.8. TYPO3]]''' - NOT STARTED |
− | '''[[SCG_CMS_vBulletin|5.9. vBulletin]]''' | + | '''[[SCG_CMS_vBulletin|5.9. vBulletin]]''' - NOT STARTED |
− | '''[[SCG_CMS_Wordpress|5.10. Wordpress]]''' | + | '''[[SCG_CMS_Wordpress|5.10. Wordpress]]''' - started |
== 6. Crypto misconfiguration == | == 6. Crypto misconfiguration == | ||
− | ''' | + | '''Hardening''' |
+ | *[https://bettercrypto.org/static/applied-crypto-hardening.pdf Applied Crypto Hardening General Hardening] | ||
− | |||
− | ''' | + | '''Testing Crypto Config''' |
− | + | *[https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 Testing for SSL-TLS OWASP-CM-001] | |
− | + | *[https://www.digicert.com/help/ Digicert Testing Suite] | |
+ | *[https://www.ssllabs.com/ssltest/index.html SSL Labs SSL Test] | ||
+ | == 7. Services == | ||
'''7.1. VNC''' - srsly.de ;) | '''7.1. VNC''' - srsly.de ;) | ||
Line 119: | Line 121: | ||
== 8. Devices == | == 8. Devices == | ||
− | '''[[SCG_D_BIGIP|8.1. BIG-IP]]''' | + | '''[[SCG_D_BIGIP|8.1. BIG-IP]]''' - completed, to be reviewed |
− | '''8.2. Routers''' | + | '''8.2. Routers''' - create list! |
− | '''8.3. Firewalls ''' | + | '''8.3. Firewalls ''' - create list! |
'''8.4. to be complemented later''' | '''8.4. to be complemented later''' |
Latest revision as of 12:38, 24 May 2015
Welcome on the page of Secure Configuration Guide!
Project description is available here: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide
When editing the page, please follow the page structure, described in Template:OWASP Secure Configuration Guide
Table of Contents
1. Introduction
1.1. The OWASP Secure Configuration Guide
1.2. Misconfiguration. Defender's point
1.3. Misconfiguration. Attacker's point
2. Web servers misconfiguration
2.1. Apache - started
2.2. IIS - started
2.3. nginx - started
2.4. GWS - NOT STARTED
2.5. IBM HTTP Server - started
2.6 lighttpd - NOT STARTED
2.7 New OpenBSD HTTPD Webserver - started
3. Application servers misconfiguration
3.1. Apache Tomcat - NOT STARTED
3.2. Borland Enterprise Server - NOT STARTED
3.3. ColdFusion - NOT STARTED
3.4. IBM WebSphere Application Server - NOT STARTED
3.5. JBoss Enterprise Application Platform - NOT STARTED
3.6. Jetty - NOT STARTED
3.7. SAP NetWeaver Application Server - NOT STARTED
3.8. Oracle Application Server - NOT STARTED
3.9. Oracle WebLogic Server - NOT STARTED
3.10. Oracle GlassFish Server - NOT STARTED
4. Web frameworks misconfiguration
4.1. Apache Struts - NOT STARTED
4.2. ASP.NET - completed, needs to be reviewed
4.3. CakePHP - NOT STARTED
4.4. CodeIgniter - NOT STARTED
4.5. Django - started
4.6. Lithium - NOT STARTED
4.7. Ruby on Rails - NOT STARTED
4.8. Spring - NOT STARTED
4.9. Symfony - NOT STARTED
4.10. Zend - NOT STARTED
5. CMS misconfiguration
5.1. Bitrix - NOT STARTED
5.2. Drupal - started
5.3. Joomla - started
5.4. Magento - NOT STARTED
5.5. OpenCart - NOT STARTED
5.6. phpBB - NOT STARTED
5.7. Shopify - NOT STARTED
5.8. TYPO3 - NOT STARTED
5.9. vBulletin - NOT STARTED
5.10. Wordpress - started
6. Crypto misconfiguration
Hardening
Testing Crypto Config
7. Services
7.1. VNC - srsly.de ;)
SSH
RDP
7.2 to be complemented later
8. Devices
8.1. BIG-IP - completed, to be reviewed
8.2. Routers - create list!
8.3. Firewalls - create list!
8.4. to be complemented later