[OWASP-TESTING] OWASP WAPT submission
daniel.cuthbert at owasp.org
Thu Aug 11 10:22:06 EDT 2005
I'm in the same camp on this one, if there is no DIRECT security risk,
then it's not a security related issue.
I've seen too many "conslutancies" who make a css.bak file high risk
as some tool/paper said it was
On 11 Aug 2005, at 13:36, Curphey, Mark wrote:
> If it doesn't have a vulnerability why is it a security issue ? If it
> reveals information then that's a vulnerability.
> -----Original Message-----
> From: Javier Fernandez-Sanguino [mailto:jfernandez at germinus.com]
> Sent: Thursday, August 11, 2005 7:19 AM
> To: Curphey, Mark
> Cc: Mauro Bregolin; Daniel Cuthbert; owasp-
> testing at lists.sourceforge.net
> Subject: Re: [OWASP-TESTING] OWASP WAPT submission
> Curphey, Mark wrote:
>> Backup files - pet hate. Who cares if there is a sample file
>> UNLESS it has a vulnerability. Needs to be made clear to stop the
> It does not need to have a vulnerability to be a security issue. Think
> of sensitive information being disclosed that can be used to attack
> other elements of the web server architecture (sample: valid ftp users
> in log files) or of vulnerable code that has been backed up in the same
> directory before patching it.
>> mongers ;-) Also I think it's important to explain the 404 issues,
>> why Nikto and tools like it usually report so many false positives.
> Most tools (Nikto and Nessus) have tools to _try_ to detect these 404
> issues. They are not perfect and that's why they have both false
> positives and false negatives. In any case, the problem with
> unreferenced files is akin to brute force attacks: there are just too
> many ways to name backup files and you will not pick all of them. It's
> better to just browse the web server directory and compare either with
> web server logs, with a web server map generated with a crawler, or by
> analysing the last access timestamps.
> It's even better if you can do this through a remote code execution
> through another vulnerability (happened recently to me in a pen-test)
> or if you can retrieve the list of files in the server through a
> different server (compromise an insecure ftp server that was at some
> point used to upload files to the web server and check its logs).
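As an added example (not code from this thread or from OWASP), here is a small server-side audit in Python of the comparison Javier suggests: list the files under the document root, cross-check them against request paths taken from the access log and against a crawler's site map, and report anything never served or linked, with backup-style names listed first. All file names, log lines and the site map below are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample data: files an admin would see under the document
# root, a few Apache combined-format log lines, and a crawler's site map.
DOCROOT_FILES = [
    "/index.html", "/login.php", "/login.php.bak", "/css/site.css",
    "/css/site.css~", "/admin/old/login.php", "/images/logo.png",
    "/js/app.js", "/readme.txt",
]
ACCESS_LOG = """\
10.0.0.5 - - [11/Aug/2005:13:36:01 -0400] "GET /index.html HTTP/1.1" 200 1024
10.0.0.5 - - [11/Aug/2005:13:36:02 -0400] "GET /css/site.css HTTP/1.1" 200 512
10.0.0.7 - - [11/Aug/2005:13:37:10 -0400] "POST /login.php HTTP/1.1" 302 0
10.0.0.9 - - [11/Aug/2005:13:38:00 -0400] "GET /js/app.js?v=2 HTTP/1.1" 200 2048
"""
CRAWLER_MAP = {"/index.html", "/login.php", "/css/site.css", "/js/app.js",
               "/images/logo.png"}

# Names that look like editor/backup copies or pre-patch leftovers.
BACKUP_PATTERN = re.compile(r"(\.(bak|old|orig|save|swp|tmp)$|~$|/old/)")
LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def referenced_paths(access_log: str) -> set:
    """Paths actually requested, with any query string stripped."""
    return {m.group(1).split("?", 1)[0] for m in LOG_REQUEST.finditer(access_log)}


def audit(files, access_log, crawler_map):
    """Bucket files that are on disk but never served or linked; backup-like first."""
    seen = referenced_paths(access_log) | crawler_map
    report = defaultdict(list)
    for path in sorted(files):
        unreferenced = path not in seen
        backup_like = bool(BACKUP_PATTERN.search(path))
        if unreferenced and backup_like:
            report["review_first"].append(path)   # unreferenced AND backup-style name
        elif unreferenced:
            report["unreferenced"].append(path)   # on disk, never served or linked
        elif backup_like:
            report["backup_like_but_served"].append(path)
    return dict(report)


if __name__ == "__main__":
    for bucket, paths in audit(DOCROOT_FILES, ACCESS_LOG, CRAWLER_MAP).items():
        print(f"{bucket}:")
        for p in paths:
            print("   ", p)
```

Run it on the real `find` output and rotated access logs rather than the constructed data, and extend BACKUP_PATTERN with whatever naming conventions your own deployment uses.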