[OWASP-TESTING] OWASP WAPT submission

Andrew van der Stock vanderaj at greebo.net
Wed Aug 17 20:54:44 EDT 2005


My view is that the backup files / sample files issue is about:

a) some backup files and many samples have security related problems
b) some samples change between versions allowing easy version
fingerprinting
c) backup and old files obviate the reasons for using automated
deployment. People are tempted to make local changes instead of
re-deploying, and this makes the system over time practically impossible
to recover or restore

All of those reasons increase the attack surface area for the  
application. If you let folks get into the habit of leaving files  
around, it has been my experience that they will leave the dangerous  
ones around just as often as they'll leave the safe ones around. I  
can't recall the number of times I've seen config.old or a zip file with
a complete copy of the application. It's these files that give me the
screaming heebie-jeebies.

Unless I see formmail.pl or similar, I rate this exposure as low in  
my reviews, but as the fix is so easy and the habit as easy to get  
into, I always recommend the removal of these files. If you just say  
no all the time, the attack surface area is reduced for those few  
times when it really is a problem. We can't be there all the time.

thanks,
Andrew

On 12/08/2005, at 12:22 AM, Daniel Cuthbert wrote:

> I'm in the same camp on this one, if there is no DIRECT security
> risk, then it's not a security related issue.
> I've seen too many "conslutancies" who make a css.bak file high risk
> as some tool/paper said it was
>
>
> On 11 Aug 2005, at 13:36, Curphey, Mark wrote:
>
>
>> If it doesn't have a vulnerability why is it a security issue? If it
>> reveals information then that's a vulnerability.
>>
>> -----Original Message-----
>> From: Javier Fernandez-Sanguino [mailto:jfernandez at germinus.com]
>> Sent: Thursday, August 11, 2005 7:19 AM
>> To: Curphey, Mark
>> Cc: Mauro Bregolin; Daniel Cuthbert; owasp- 
>> testing at lists.sourceforge.net
>> Subject: Re: [OWASP-TESTING] OWASP WAPT submission
>>
>> Curphey, Mark wrote:
>>
>>> Backup files - pet hate. Who cares if there is a sample file installed
>>> UNLESS it has a vulnerability. Needs to be made clear to stop the
>>> scare
>>
>> It does not need to have a vulnerability to be a security issue. Think
>> of sensitive information being disclosed that can be used to attack
>> other elements of the web server architecture (sample: valid ftp users
>> in log files) or of vulnerable code that has been backed up in the same
>> directory before patching it.
>>
>>> mongers ;-) Also I think it's important to explain the 404 issues and
>>> why Nikto and tools like it usually report so many false positives.
>>
>> Most tools (Nikto and Nessus) have tools to _try_ to detect these 404
>> issues. They are not perfect and that's why they have both false
>> positives and false negatives. In any case, the problem with
>> unreferenced files is akin to brute force attacks: there are just too
>> many ways to name backup files and you will not pick all of them. It's
>> plain better to just browse the web server directory and compare either
>> with web server logs, with a web server map generated with a crawler or
>> by analysing the last access timestamps.
>>
>> It's even better if you can do this through a remote code execution
>> through another vulnerability (happened recently to me in a pen-test)
>> or if you can retrieve the list of files in the server through a
>> different server (compromise an insecure ftp server that was at some
>> point used to upload files to the web server and check its logs).
>>
>> :-)
>>
>> Regards
>>
>> Javier
>>
>>
>>
>> _______________________________________________
>> owasp-testing mailing list
>> owasp-testing at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/owasp-testing
>
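The directory-listing audit Javier describes above, as a worked example: take what is actually on disk in the web root, subtract everything a crawler map and the access log show as referenced, and look hard at what is left, which in Andrew's experience is where config.old and the zip of the whole site turn up. This is an added example, not code from this thread or from the OWASP testing project. The web-root listing, crawler map and access log lines are constructed sample data; the backup-name patterns and the index file names are assumptions you would tune per site.

```python
"""Audit a web root for unreferenced and backup-style files.

Added example (not from the thread). Inputs it assumes you can obtain:
  - a listing of the web root (from a shell on the box, or an FTP/SCP
    view of the same tree), as paths relative to the document root;
  - URLs a crawler reached (the "site map");
  - access log lines in the common/combined format.
Everything below that looks like real data is constructed.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: a request for a directory is served by one of these.
INDEX_NAMES = ("index.html", "index.php")

# Assumption: names that usually mean "left-over copy", not a deployed file.
BACKUP_RE = re.compile(
    r"(\.(bak|old|orig|save|swp|tmp|copy|\d+)$)"   # config.old, index.php.1
    r"|(~$)"                                       # editor backups: db.php~
    r"|(\.(zip|tar|tgz|gz|rar|7z)$)"               # whole-site archives
    r"|((^|/)(backup|bak|old|copy)[ _./-])",       # backup/, old-login.php
    re.IGNORECASE,
)

# Request line inside a common/combined log entry: "GET /path?q HTTP/1.1"
LOG_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def _normalize(url_path: str) -> set[str]:
    """Map a URL path to the web-root-relative file(s) it could serve."""
    is_dir = url_path.endswith("/") or url_path == ""
    rel = posixpath.normpath("/" + url_path.lstrip("/")).lstrip("/")
    if is_dir:
        prefix = rel + "/" if rel else ""
        return {prefix + name for name in INDEX_NAMES}
    return {rel}


def paths_from_urls(urls) -> set[str]:
    """Web-root-relative files a crawler's URL list refers to."""
    refs: set[str] = set()
    for url in urls:
        refs |= _normalize(unquote(urlsplit(url).path))
    return refs


def paths_from_log(log_lines) -> set[str]:
    """Web-root-relative files requested according to the access log.

    Query strings are dropped; 404s are kept, which is harmless because
    the audit only ever reports files that exist in the listing.
    """
    refs: set[str] = set()
    for line in log_lines:
        m = LOG_REQUEST_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than guess
        refs |= _normalize(unquote(urlsplit(m.group("target")).path))
    return refs


def audit(webroot_files, crawled_urls=(), log_lines=()) -> dict[str, list[str]]:
    """Split the listing into backup-style files and unreferenced files.

    backup          : names matching BACKUP_RE, referenced or not
    backup_fetched  : the subset someone has already requested (per log)
    unreferenced    : everything else that neither crawl nor log touched
    """
    files = {posixpath.normpath(f).lstrip("/") for f in webroot_files}
    referenced = paths_from_urls(crawled_urls) | paths_from_log(log_lines)
    backup = sorted(f for f in files if BACKUP_RE.search(f))
    return {
        "backup": backup,
        "backup_fetched": sorted(f for f in backup if f in referenced),
        "unreferenced": sorted(f for f in files - set(backup) if f not in referenced),
    }


# Constructed sample data (no real host, log or site).
SAMPLE_WEBROOT = [
    "index.php", "login.php", "config.php", "config.old",
    "css/site.css", "css/site.css.bak", "js/app.js", "images/logo.png",
    "admin/index.php", "includes/db.php", "includes/db.php~",
    "backup/site-2005-08-01.zip",
]
SAMPLE_CRAWL = [
    "http://www.example.com/",
    "http://www.example.com/login.php",
    "http://www.example.com/css/site.css",
    "http://www.example.com/js/app.js",
    "http://www.example.com/images/logo.png",
]
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2005:13:36:01 +0200] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Aug/2005:13:37:10 +0200] "GET /config.old HTTP/1.1" 200 1834 "-" "Nikto/1.35"',
    '10.0.0.9 - - [11/Aug/2005:13:37:11 +0200] "GET /css/site.css?v=2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Aug/2005:13:37:12 +0200] "GET /nonexistent.bak HTTP/1.1" 404 312 "-" "Nikto/1.35"',
]

if __name__ == "__main__":
    for category, names in audit(SAMPLE_WEBROOT, SAMPLE_CRAWL, SAMPLE_LOG).items():
        print(f"{category}:")
        for name in names:
            print(f"  {name}")
```

Files the server only ever includes server-side (config.php and includes/db.php in the sample) never show up in a crawl or a log, so the unreferenced list is a review queue, not a findings list. The backup list is what Andrew's "just say no" rule would have removed regardless of referencing, and backup_fetched shows which of them a scanner or visitor has already pulled (here config.old, by something calling itself Nikto). The scanner's probe for /nonexistent.bak sits in the log as a 404 and is ignored because no such file exists in the listing; that is the class of false positive Mark and Javier discuss, which a listing-based check sidesteps entirely.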