OWASP Periodic Table of Vulnerabilities - Brute Force Predictable Resource Location/Insecure Indexing

From OWASP
Latest revision as of 14:14, 15 May 2013

Brute Force Predictable Resource Location/Insecure Indexing

Root Cause Summary

Server-side resources including admin pages, file backups, uploaded files, logs, and sample files exist in easy-to-guess locations. Data resources are referenced by their auto-incremented primary key, so an attacker who has seen one valid value (for example invoice 1042) can guess the neighbouring values, and can infer transaction volumes from the rate at which the identifiers grow.

Browser / Standards Solution

None

Perimeter Solution

The perimeter (reverse proxy, WAF, or IDS) should detect spikes in 4xx HTTP responses (403 and 404 in particular) from the web server or application server, since forced browsing and identifier enumeration produce many misses for every hit. If the requests are authenticated, the perimeter should send an account lockout signal to the application; that signal should itself be rate-limited so an attacker cannot use it to lock out legitimate users. If the requests are unauthenticated, the perimeter should introduce a CAPTCHA, JavaScript challenge, or similar anti-automation measure.
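The detection logic described above, as an added example that is not part of the original page: it reads Common Log Format lines (the sample lines are constructed for this example), counts 4xx responses per client in a sliding time window, and reports the action the perimeter should take, an account lockout signal when the log records an authenticated user and an anti-automation challenge otherwise. The threshold, window length and log format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (Common Log Format, with the auth-user field
# filled in for authenticated requests). Illustrative data, not from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2013:14:10:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [15/May/2013:14:10:02 +0000] "GET /backup.zip HTTP/1.1" 404 162
203.0.113.7 - - [15/May/2013:14:10:02 +0000] "GET /admin/ HTTP/1.1" 403 162
203.0.113.7 - - [15/May/2013:14:10:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 162
203.0.113.7 - - [15/May/2013:14:10:03 +0000] "GET /logs/ HTTP/1.1" 404 162
203.0.113.7 - - [15/May/2013:14:10:04 +0000] "GET /config.bak HTTP/1.1" 404 162
198.51.100.4 - alice [15/May/2013:14:10:05 +0000] "GET /invoice/1001 HTTP/1.1" 200 2048
198.51.100.4 - alice [15/May/2013:14:10:05 +0000] "GET /invoice/1002 HTTP/1.1" 403 162
198.51.100.4 - alice [15/May/2013:14:10:06 +0000] "GET /invoice/1003 HTTP/1.1" 403 162
198.51.100.4 - alice [15/May/2013:14:10:06 +0000] "GET /invoice/1004 HTTP/1.1" 403 162
198.51.100.4 - alice [15/May/2013:14:10:07 +0000] "GET /invoice/1005 HTTP/1.1" 403 162
198.51.100.4 - alice [15/May/2013:14:10:07 +0000] "GET /invoice/1006 HTTP/1.1" 403 162
192.0.2.9 - - [15/May/2013:14:10:08 +0000] "GET /favicon.ico HTTP/1.1" 404 162
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag each client (source IP, auth user) whose 4xx responses inside a sliding
    window reach `threshold`. Returns one finding per client, in first-trigger order,
    carrying the action the perimeter should take."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client key -> timestamps of recent 4xx responses
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not 400 <= rec["status"] < 500:
            continue
        key = (rec["ip"], rec["user"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # evict hits that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in findings:
            authenticated = rec["user"] != "-"
            findings[key] = {
                "ip": rec["ip"],
                "user": rec["user"] if authenticated else None,
                "errors_in_window": len(q),
                # authenticated guessing -> lockout signal to the application;
                # anonymous guessing -> CAPTCHA / JS challenge at the perimeter
                "action": "lockout" if authenticated else "challenge",
            }
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample, the anonymous client probing for backup and admin files gets a challenge and the account walking invoice numbers gets a lockout signal, while the single 404 for favicon.ico is ignored. Shrinking the window to one second suppresses both findings, which is the knob to tune against the site's normal 404 rate.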

Generic Framework Solution

The framework should provide a random GUID obfuscator that maps every externally exposed object identifier to a random, unguessable value (for example a version 4 UUID) and back, so that the underlying auto-incremented keys never appear in parameter values.

The framework should serve dynamic file content (uploaded files, generated reports and the like, as opposed to static site assets) through an application endpoint keyed by a random GUID rather than by file path, so that the file's real location is never exposed or guessable.

The framework should segregate administrative interfaces from user interfaces using source IP address whitelisting, client certificates, and other restrictions, so that an administrative page found by guessing its path is still unreachable from an ordinary client.

The framework should be designed to store all configuration files, uploaded files, and any other content that does not need to be served directly by the web server outside the web root or on a separate database server accessible only via application APIs.

Custom Framework Solution

The custom framework should enforce authentication and authorization checks on all dynamic content, including content reached through an obfuscated identifier. Custom administrative interfaces should be built on top of the generic framework's administrative access platform, segregated from user interfaces.
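The root cause, the generic framework's GUID obfuscator and the custom framework's authorization check, together as one added example that is not code from the original page or from any OWASP project. The in-memory invoice store, the users, the allowlist networks and the helper names are all assumptions. The vulnerable handler exposes auto-incremented keys with no ownership check, so any logged-in user can walk the key space; the hardened handler resolves a random opaque identifier and then still enforces ownership, which is the point of the discussion below: obscuring the identifier only removes the enumeration and volume-inference leak.

```python
import ipaddress
import uuid

# Constructed in-memory store. Internal keys are auto-incremented integers,
# exactly the pattern the page warns about.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 75.50},
    1003: {"owner": "alice", "total": 310.25},
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# --- Vulnerable: integer key exposed, no ownership check ---------------------
def get_invoice_vulnerable(invoice_id, user):
    """Any authenticated user can request 1001, 1002, 1003 ... and read everyone's data."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


# --- Hardened: random opaque identifier plus authorization -------------------
class OpaqueIdMap:
    """Hypothetical GUID obfuscator: maps internal keys to random version 4 UUIDs
    (122 bits of randomness) and back. A real framework would persist the mapping
    next to the record instead of keeping it in memory."""

    def __init__(self):
        self._to_public = {}
        self._to_internal = {}

    def public_id(self, internal_id):
        if internal_id not in self._to_public:
            pub = str(uuid.uuid4())
            self._to_public[internal_id] = pub
            self._to_internal[pub] = internal_id
        return self._to_public[internal_id]

    def internal_id(self, public_id):
        return self._to_internal.get(public_id)


IDS = OpaqueIdMap()


def get_invoice(public_id, user):
    """Resolve the opaque id, then enforce ownership no matter how the id was obtained."""
    internal = IDS.internal_id(public_id)
    if internal is None:
        raise NotFound(public_id)
    invoice = INVOICES[internal]
    if invoice["owner"] != user:      # the check that obscurity does not replace
        # Many deployments answer 404 here as well, so a guessed or leaked id
        # is not confirmed to exist; the distinct exception is kept for clarity.
        raise Forbidden(public_id)
    return invoice


# --- Attacker-side view: how much can a user read by guessing? ---------------
def enumerate_as(user, handler, candidate_ids):
    """Return the candidate ids that `handler` lets `user` read."""
    readable = []
    for cid in candidate_ids:
        try:
            handler(cid, user)
            readable.append(cid)
        except (NotFound, Forbidden):
            pass
    return readable


def random_guesses(n):
    """n fresh UUIDs, the best an attacker can do against the opaque ids."""
    return [str(uuid.uuid4()) for _ in range(n)]


# --- Admin interface segregation ---------------------------------------------
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/24")]   # assumed management ranges


def admin_allowed(source_ip, client_cert_subject):
    """Gate for admin routes: a source address on the allowlist AND a presented
    client certificate are both required, so a guessed /admin path alone is useless."""
    addr = ipaddress.ip_address(source_ip)
    return client_cert_subject is not None and any(addr in net for net in ADMIN_ALLOWLIST)
```

Against the vulnerable handler, bob reads all three invoices by trying a handful of consecutive integers; against the hardened one, a thousand random guesses find nothing, and even alice's genuine opaque id, if it leaks, is refused because the ownership check runs after the lookup.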

Custom Code Solution

None

Discussion / Controversy

GUID obfuscators are a form of security through obscurity, and prevent only the information leakage aspect of auto-incremented object identifiers. Authentication and authorization must still be enforced in order to prevent unwanted access to resources, even if they are no longer predictable.

Directory indexing is a separate topic; indexing in this case refers to object identifiers, not directory listings.

References

Forceful browsing
Predictable Resource Location (WASC)
Globally Unique Identifier (GUID)