[Owasp-testing] Addition of CSS to (OTG-INFO-005)

Jeff Sergeant jeffuk at gmail.com
Tue Mar 24 10:44:19 UTC 2015


Good Morning!

I have recently seen a few applications where the stylesheets give away
information that they probably shouldn't, and are useful to a tester.

E.g.  I'm looking at a site now where the admin login page has a
'default.css'  which is evidently used for unauthenticated and
authenticated users, and gives me an insight into the full structure of the
application behind the login.  By virtue of referring to classes like
.AddUser .RemoveUser .DeletePage etc.    And with reference to icons like
(images/newProduct.png) etc.

I've seen cases where it's possible to identify filenames this way,
knowing that admin_portal.php is the login page, and seeing
.admin_portal{...} .admin_home{...} .admin_settings{...}
.admin_new_user{...} in the CSS allows the tester to infer the existence of
admin_home.php, .admin_settings.php  etc. without actually having to log in.

I think this would fit well in OTG-INFO-005;  any thoughts?

Regards,

Jeff Sergeant
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-testing/attachments/20150324/16cb3ec1/attachment.html>


More information about the Owasp-testing mailing list