[OWASP_PHPSEC] Secure PHP Static HTTP Response Handling Library (aka File Downloader)

rahul chaudhary rahul300chaudhary400 at gmail.com
Mon Jun 24 15:29:57 UTC 2013


Is this functionality implemented in jFramework? If yes, where?


   1. *Secure PHP Static HTTP Response Handling Library (aka File Downloader)*

Currently web servers are largely dependent on “security by obscurity”.
They feed their clients with static files by generating a large random
number for that file, in the hope that as long as hackers are unable to find
the long random number, their files are safe. However, OWASP has pointed out
that users who can save a particular location/URL of a file can also
access the file afterwards, because they now know the random number and the
file location is static. This operation should be handled by the
application and not the web server; otherwise no access control check,
bandwidth enforcement or other similar necessity can be performed at
this point (a common flaw in many applications).

(*Fig1:* File location for 1st try)

(*Fig2:* File location for 2nd try)

As we can see, in both attempts the same random number is used for this
file, which might be dangerous. Our library implementation will handle
this. Also, functions such as “resume download” used by download managers
are directly affected by the way these functions are implemented. Proper
implementation of this feature is of vital importance; otherwise download
managers and old browsers will be unable to use the application properly.

-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
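The behaviour the proposal above describes (the application, not the web server, serving a static file only after an access-control check, while still honouring HTTP Range requests so that download managers and resuming browsers keep working) can be sketched as a single PHP endpoint. The following is an added example written for this thread; it is not code from jFramework or from the OWASP PHPSEC library. It assumes a storage directory outside the document root, a session variable `user_id` for the authenticated user, a hypothetical `userMayDownload()` authorization hook with a constructed sample ACL, and opaque file ids instead of user-supplied paths.

```php
<?php
// Added example (not jFramework / OWASP PHPSEC code): application-mediated
// file download with an authorization check and single-range Range support.
declare(strict_types=1);

const STORAGE_DIR = '/var/app/storage'; // assumption: outside the web root

/** Hypothetical authorization hook; replace with the application's own ACL. */
function userMayDownload(?int $userId, string $fileId): bool
{
    // Constructed sample ACL: file id => list of user ids allowed to fetch it.
    $acl = ['report-2013' => [42], 'public-notes' => [42, 7]];
    return $userId !== null && in_array($userId, $acl[$fileId] ?? [], true);
}

/**
 * Parse a single "bytes=start-end" Range header against the file size.
 * Returns [start, end] for a satisfiable range, null when no Range header
 * was sent (send the whole file), and false when the range is unsatisfiable.
 */
function parseRange(?string $header, int $size): array|false|null
{
    if ($header === null) {
        return null;
    }
    if (!preg_match('/^bytes=(\d*)-(\d*)$/', $header, $m) || ($m[1] === '' && $m[2] === '')) {
        return false;
    }
    if ($m[1] === '') {                 // suffix range: the last N bytes
        $len = (int) $m[2];
        if ($len === 0) {
            return false;
        }
        $start = max(0, $size - $len);
        $end   = $size - 1;
    } else {
        $start = (int) $m[1];
        $end   = $m[2] === '' ? $size - 1 : min((int) $m[2], $size - 1);
    }
    return ($start > $end || $start >= $size) ? false : [$start, $end];
}

function sendFile(string $fileId, ?int $userId, ?string $rangeHeader): void
{
    // The id is an opaque token: restricting its alphabet rules out traversal,
    // and a failed authorization check is answered like a missing file so the
    // response does not reveal whether the file exists.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $fileId) || !userMayDownload($userId, $fileId)) {
        http_response_code(404);
        return;
    }
    $path = STORAGE_DIR . '/' . $fileId;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $size  = filesize($path);
    $range = parseRange($rangeHeader, $size);
    if ($range === false) {
        header('Content-Range: bytes */' . $size);
        http_response_code(416);       // Range Not Satisfiable
        return;
    }
    [$start, $end] = $range ?? [0, $size - 1];

    header('Accept-Ranges: bytes');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $fileId . '"');
    header('Content-Length: ' . ($end - $start + 1));
    header('Cache-Control: private, no-store'); // keep shared caches from re-serving it
    if ($range !== null) {
        http_response_code(206);       // Partial Content for a resumed download
        header("Content-Range: bytes $start-$end/$size");
    }

    // Stream in chunks rather than readfile(): this is the point where the
    // application can meter bandwidth or abort a download it no longer allows.
    $fh = fopen($path, 'rb');
    fseek($fh, $start);
    $remaining = $end - $start + 1;
    while ($remaining > 0 && !feof($fh)) {
        $chunk = fread($fh, min(8192, $remaining));
        if ($chunk === false || $chunk === '') {
            break;
        }
        echo $chunk;
        $remaining -= strlen($chunk);
        flush();
    }
    fclose($fh);
}

session_start();
sendFile($_GET['id'] ?? '', $_SESSION['user_id'] ?? null, $_SERVER['HTTP_RANGE'] ?? null);
```

The file is looked up by an opaque id rather than a path, so the URL alone never grants access: a saved link still passes through `userMayDownload()` on every request, which is the check the web-server-only approach cannot perform. The chunked loop is also where per-user bandwidth limits would be enforced. Multi-range requests (`bytes=0-99,200-299`) are deliberately rejected with 416 here; a full implementation would answer them with a `multipart/byteranges` body.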