[OWASP-TESTING] OWASP WAPT submission

Curphey, Mark mark.curphey at foundstone.com
Thu Aug 11 08:36:27 EDT 2005


If it doesn't have a vulnerability why is it a security issue ? If it
reveals information then that's a vulnerability.  

-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:jfernandez at germinus.com] 
Sent: Thursday, August 11, 2005 7:19 AM
To: Curphey, Mark
Cc: Mauro Bregolin; Daniel Cuthbert; owasp-testing at lists.sourceforge.net
Subject: Re: [OWASP-TESTING] OWASP WAPT submission

Curphey, Mark wrote:

>  
> Backup files - pet hate. Who cares if there is a sample file installed

> UNLESS it has a vulnerability. Needs to be made clear to stop the 
> scare

It does not need to have a vulnerability to be a security issue. Think
  of sensitive information being disclosed that can be used to attack
other elements of the web server architecture (sample: valid ftp users
in log files) or of vulnerable code that has been backup in the same
directory before patching it.

> mongerers ;-) Also I think its important to explain the 404 issues and

> why Nikto and tools like it usually report so many false positives.

Most tools (Nikto and Nessus) have tools to _try_ to detect these 404
issues. They are not perfect and that's why they have both false
positivies and false negatives. In any case, the problem with
unreferenced files is akin to brute force attacks, there's just too many
ways to name backup files and you will not pick all of them. It's plain
better to just browse the web server directory and compare either with
web server logs, with a web server map generated with a crawler or
analysing the last access timestamps.

It's even better if you can do this through a remote code execution
through another vulnerability (happened recently to me in an pen-test)
or if you can retrieve the list of files in the server through an
different server (compromise an unsecure ftp server that was at some
point used to upload files to the web server and check its logs).

:-)

Regards

Javier





More information about the Owasp-testing mailing list