Security Misconfiguration Tryhackme Owas Top 10 |Owasp Top 10 Security Misconfiguration| Hackersadda

Published: 10 August 2020
on channel: Hackers Adda

Telegram channel - https://t.me/hackinglive

In this video I explained what security misconfiguration is and how to exploit this vulnerability. In this I mainly focused on a single misconfiguration, that is the default password, which is given in the TryHackMe machine Security Misconfiguration.




Security misconfigurations are distinct from the other Top 10 vulnerabilities because they occur when security could have been configured properly but was not.

Security misconfigurations include:

- Poorly configured permissions on cloud services, like S3 buckets
- Having unnecessary features enabled, like services, pages, accounts or privileges
- Default accounts with unchanged passwords
- Error messages that are overly detailed and allow an attacker to find out more about the system
- Not using HTTP security headers, or revealing too much detail in the Server: HTTP header

This vulnerability can often lead to more vulnerabilities, such as default credentials giving you access to sensitive data, or XXE or command injection on admin pages.

For more info, I recommend having a look at the OWASP Top 10 entry for Security Misconfiguration.


Default Passwords

Specifically, this VM focusses on default passwords. These are a specific example of a security misconfiguration. You could, and should, change any default passwords, but people often don't. It's particularly common in embedded and Internet of Things devices, and much of the time the owners don't change these passwords.

It's easy to imagine the risk of default credentials from an attacker's point of view. Being able to gain access to admin dashboards, services designed for system administrators or manufacturers, or even network infrastructure could be incredibly useful in attacking a business. From data exposure to easy RCE, the effects of default credentials can be severe.

In October 2016, Dyn (a DNS provider) was taken offline by one of the most memorable DDoS attacks of the past 10 years. The flood of traffic came mostly from Internet of Things and networking devices like routers and modems, infected by the Mirai malware.

How did the malware take over the systems? Default passwords. The malware had a list of 63 username/password pairs, and attempted to log in to exposed telnet services.

The DDoS attack was notable because it took many large websites and services offline. Amazon, Twitter, Netflix, GitHub, Xbox Live, PlayStation Network, and many more services went offline for several hours in 3 waves of DDoS attacks on Dyn.
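As an added, defender-side example (not part of the TryHackMe room or the video), the kind of detection a device owner could run over telnet authentication logs to spot the behaviour described above: one source cycling through several factory-default usernames in a short window, and whether one of those attempts succeeded. The log format, the sample lines and the small set of default usernames are all constructed assumptions, not any vendor's real output or the full Mirai list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like layout is an assumption, not a real device format).
SAMPLE_LOG = """\
2020-08-10T12:00:01 telnetd: login failed user=admin from=203.0.113.7
2020-08-10T12:00:02 telnetd: login failed user=root from=203.0.113.7
2020-08-10T12:00:03 telnetd: login failed user=support from=203.0.113.7
2020-08-10T12:00:04 telnetd: login failed user=admin from=203.0.113.7
2020-08-10T12:00:05 telnetd: login failed user=user from=203.0.113.7
2020-08-10T12:00:06 telnetd: login succeeded user=root from=203.0.113.7
2020-08-10T12:05:00 telnetd: login failed user=alice from=198.51.100.4
2020-08-10T12:30:00 telnetd: login succeeded user=alice from=198.51.100.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) telnetd: login (?P<result>failed|succeeded) "
                     r"user=(?P<user>\S+) from=(?P<src>\S+)$")

# Usernames typically shipped as factory defaults on embedded devices
# (illustrative sample set, not the 63-entry list the text mentions).
DEFAULT_USERS = {"admin", "root", "support", "user", "guest", "service"}

def parse(log_text):
    """Turn matching log lines into dicts with a parsed timestamp; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return events

def detect_default_cred_sweeps(events, window=timedelta(seconds=60), min_users=3):
    """Flag each source that tries at least `min_users` distinct default usernames
    within `window`, and record whether any default-account login from it succeeded."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            users = {x["user"] for x in in_window if x["user"] in DEFAULT_USERS}
            if len(users) >= min_users:
                success = any(x["result"] == "succeeded" and x["user"] in DEFAULT_USERS
                              for x in in_window)
                alerts[src] = {"default_users_tried": sorted(users),
                               "default_login_succeeded": success}
                break  # one alert per source is enough
    return alerts
```

A successful hit in the alert is the signal that a default account is still live on that device and needs its password changed or the account disabled.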

