[OWASP-TESTING] OWASP WAPT submission

Daniel Cuthbert daniel.cuthbert at owasp.org
Thu Aug 11 10:22:06 EDT 2005


I'm in the same camp on this one: if there is no DIRECT security risk,
then it's not a security-related issue.
I've seen too many "conslutancies" who make a css.bak file high risk
as some tool/paper said it was.


On 11 Aug 2005, at 13:36, Curphey, Mark wrote:

> If it doesn't have a vulnerability, why is it a security issue? If it
> reveals information then that's a vulnerability.
>
> -----Original Message-----
> From: Javier Fernandez-Sanguino [mailto:jfernandez at germinus.com]
> Sent: Thursday, August 11, 2005 7:19 AM
> To: Curphey, Mark
> Cc: Mauro Bregolin; Daniel Cuthbert; owasp- 
> testing at lists.sourceforge.net
> Subject: Re: [OWASP-TESTING] OWASP WAPT submission
>
> Curphey, Mark wrote:
>
>> Backup files - pet hate. Who cares if there is a sample file
>> installed UNLESS it has a vulnerability. Needs to be made clear to stop the
>> scare
>
>
> It does not need to have a vulnerability to be a security issue. Think
> of sensitive information being disclosed that can be used to attack
> other elements of the web server architecture (sample: valid ftp users
> in log files) or of vulnerable code that has been backed up in the same
> directory before patching it.
>
>
>> mongers ;-) Also I think it's important to explain the 404 issues
>> and why Nikto and tools like it usually report so many false positives.
>
> Most tools (Nikto and Nessus) have tools to _try_ to detect these 404
> issues. They are not perfect and that's why they have both false
> positives and false negatives. In any case, the problem with
> unreferenced files is akin to brute force attacks: there are just too
> many ways to name backup files and you will not pick all of them. It's
> plain better to just browse the web server directory and compare either
> with web server logs, with a web server map generated with a crawler, or
> by analysing the last access timestamps.
>
> It's even better if you can do this through a remote code execution
> through another vulnerability (happened recently to me in a pen-test)
> or if you can retrieve the list of files in the server through a
> different server (compromise an insecure ftp server that was at some
> point used to upload files to the web server and check its logs).
>
> :-)
>
> Regards
>
> Javier
>
>
>
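Javier's server-side approach to the backup-file question, comparing what is in the document root with what the web server has actually served, worked through as an added example. This is not code from the thread or from OWASP. It assumes a file listing taken on the server (constructed here), Combined Log Format access-log lines (also constructed), an assumed `index.html` DirectoryIndex, a hypothetical set of backup-name patterns, and the choice to count only 2xx/3xx responses as evidence a file is in use, so that 404 noise from scanners such as Nikto is ignored.

```python
import re
from urllib.parse import unquote

# Constructed sample listing of the document root (relative paths), as an
# admin would get from `find /var/www/html -type f -printf '%P\n'`.
DOCROOT_FILES = [
    "index.html",
    "css/style.css",
    "css/style.css.bak",
    "login.php",
    "login.php~",
    "config.php.old",
    "images/logo.png",
    "logs/ftp.log",
    "old/readme.txt",
]

# Constructed Combined Log Format lines; nothing here is from a real server.
ACCESS_LOG = """\
10.0.0.5 - - [11/Aug/2005:13:36:01 -0400] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Aug/2005:13:36:02 -0400] "GET /css/style.css HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0"
10.0.0.7 - - [11/Aug/2005:13:40:11 -0400] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Aug/2005:13:41:00 -0400] "GET /images/logo%2Epng?v=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Aug/2005:13:42:00 -0400] "GET /admin.php HTTP/1.1" 404 210 "-" "Nikto"
this line is not a log entry and is skipped
"""

# Request line and status code of a Common/Combined Log Format entry.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Name patterns that commonly mark leftovers an admin would not want served.
# This list is an assumption for the example, not an exhaustive catalogue.
BACKUP_PATTERNS = (
    re.compile(r"\.(bak|old|orig|save|swp|tmp)$", re.I),
    re.compile(r"~$"),
    re.compile(r"\.(log|sql|tar|gz|zip)$", re.I),
)


def requested_paths(log_text):
    """Paths the server actually served (2xx/3xx), normalised to docroot-relative form."""
    served = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-log line
        if int(m.group("status")) >= 400:
            continue  # a 404 is scanner noise, not evidence the file exists
        path = unquote(m.group("path").split("?", 1)[0])  # drop query, decode %XX
        path = path.lstrip("/")
        if path == "" or path.endswith("/"):
            path += "index.html"  # assumed DirectoryIndex
        served.add(path)
    return served


def looks_like_backup(path):
    return any(p.search(path) for p in BACKUP_PATTERNS)


def audit(docroot_files, log_text):
    """Split files never served into (backup-looking, other unreferenced)."""
    served = requested_paths(log_text)
    unreferenced = sorted(f for f in docroot_files if f not in served)
    suspicious = [f for f in unreferenced if looks_like_backup(f)]
    other = [f for f in unreferenced if not looks_like_backup(f)]
    return suspicious, other


if __name__ == "__main__":
    suspicious, other = audit(DOCROOT_FILES, ACCESS_LOG)
    print("never served, backup-like:", suspicious)
    print("never served, review manually:", other)
```

On the constructed input the first list is `css/style.css.bak`, `login.php~`, `config.php.old` and `logs/ftp.log`, exactly the files the thread argues about: none of them needs its own vulnerability to matter, since a `.bak` beside patched code or an ftp log in the docroot is disclosure on its own. The second list (`old/readme.txt`) shows why "never requested" alone is not a finding; the name-pattern split is what keeps the report from being the tool-driven scare Daniel objects to. A crawler-generated site map can be fed in where the log is, and the last-access-timestamp variant is the same comparison with the file system's atime in place of the log.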