This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Top 10 2014-I8 Insufficient Security Configurability
From OWASP
Revision as of 00:21, 26 June 2014 by Craig Smith (talk | contribs)
| Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
|---|---|---|---|---|---|
| Application Specific | Exploitability EASY |
Prevalence COMMON |
Detectability AVERAGE |
Impact SEVERE |
Application / Business Specific |
| Consider anyone who has access to the device. | Attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also us the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device. Attack could potentially come from any user of the device whether intentional or accidental. | Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls. Insufficient security configurability is apparent when the web interface of the device has no options for creating granular user permissions or forcing the use of strong passwords. Manual review of the web interface and its available options will review these deficiencies. | Insufficient security configurability could lead to compromise of the device whether intentional or accidental. | Data could be stolen or modified and devices taken control of. Could your users be harmed? Could your brand be harmed? | |
|
Is My Security Configurability Sufficient?
|
How Do I Improve My Security Configurability?
Ensuring a secure mobile interface requires:
|
|
Example Attack Scenarios
Scenario #1: The interface only requires simple passwords. Example Scenario #2: Username and password are poorly protected when transmitted over the network. Example In the cases above, the attacker is able to either easily guess the password or is able to capture the credentials as they cross the network and decode it since the credentials are only protected using Base64 Encoding.
|
References
OWASP External |
