Javier Fernandez-Sanguino jfernandez at germinus.com
Thu Aug 11 07:19:02 EDT 2005

Curphey, Mark wrote:

> Backup files - pet hate. Who cares if there is a sample file installed 
> UNLESS it has a vulnerability. Needs to be made clear to stop the scare 

It does not need to have a vulnerability to be a security issue. Think 
of sensitive information being disclosed that can be used to attack 
other elements of the web server architecture (sample: valid ftp users 
in log files) or of vulnerable code that has been backed up in the same 
directory before patching it.

> mongerers ;-) Also I think its important to explain the 404 issues and 
> why Nikto and tools like it usually report so many false positives.

Most tools (Nikto and Nessus) have tools to _try_ to detect these 404 
issues. They are not perfect and that's why they have both false 
positives and false negatives. In any case, the problem with 
unreferenced files is akin to brute force attacks, there are just too 
many ways to name backup files and you will not pick all of them. It's 
plain better to just browse the web server directory and compare 
either with web server logs, with a web server map generated with a 
crawler or analysing the last access timestamps.

It's even better if you can do this through a remote code execution 
through another vulnerability (happened recently to me in a pen-test) 
or if you can retrieve the list of files in the server through a 
different server (compromise an insecure ftp server that was at some 
point used to upload files to the web server and check its logs).
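
The directory-versus-logs comparison described above, written up as a defender's audit script. This is an added example, not code from the thread or from Nikto/Nessus; the function names (requested_paths, scan_docroot, audit), the backup suffix list and the sample web root and log lines are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta

# Timestamp and request line of a Common/Combined Log Format entry.
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?:GET|HEAD|POST) (?P<path>\S+)')
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~", ".zip", ".tar.gz")

def requested_paths(log_lines):
    """Set of URL paths (query string stripped) that clients actually requested."""
    paths = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            paths.add(m.group("path").split("?", 1)[0])
    return paths

def scan_docroot(root):
    """Walk a real web root and return {relative path: last access time}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = datetime.fromtimestamp(os.stat(full).st_atime)
    return files

def audit(docroot_files, log_lines, now, stale_after=timedelta(days=90)):
    """Files present in the web root but never requested: (url, backup-looking name, stale atime)."""
    seen = requested_paths(log_lines)
    findings = []
    for rel, atime in sorted(docroot_files.items()):
        url = "/" + rel
        if url not in seen:
            findings.append((url, rel.endswith(BACKUP_SUFFIXES), now - atime > stale_after))
    return findings

# Constructed sample data: a tiny web root and two access-log lines.
NOW = datetime(2005, 8, 11, 12, 0, 0)
SAMPLE_FILES = {
    "admin/notes.txt": NOW - timedelta(days=3),   # unreferenced but recently read
    "index.html": NOW - timedelta(hours=1),
    "login.php": NOW - timedelta(hours=2),
    "login.php.bak": NOW - timedelta(days=200),  # copy of pre-patch code left in place
    "old/site.zip": NOW - timedelta(days=400),   # archive nobody has touched in a year
}
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2005:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Aug/2005:10:00:05 -0400] "POST /login.php?next=1 HTTP/1.1" 302 0',
]
```

Run `audit(scan_docroot("/var/www/html"), open("access.log"), datetime.now())` against a real server; anything flagged as both backup-looking and stale is the kind of leftover file the message is talking about.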

More information about the Owasp-testing mailing list