OWASP Periodic Table of Vulnerabilities - Brute Force Predictable Resource Location/Insecure Indexing

Revision as of 14:14, 15 May 2013 by James Landis (Talk | contribs)

Brute Force Predictable Resource Location/Insecure Indexing

Root Cause Summary

Server-side resources such as administrative pages, file backups, uploaded files, logs, and sample or test files sit at easy-to-guess locations. Data resources are referenced by their auto-incremented primary keys, so an attacker who sees one valid identifier can enumerate the neighbouring ones and can infer business volumes (number of users, orders, or transactions) from the size of the sequence.

Browser / Standards Solution


Perimeter Solution

The perimeter should detect spikes in 4xx HTTP responses (typically 403 and 404) from the web server or application server, tracked per source address or per account rather than only in aggregate. If the offending requests are authenticated, the perimeter should send an account lockout signal to the application. If they are unauthenticated, the perimeter should introduce a CAPTCHA, JavaScript challenge, or similar anti-automation measure.
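The detection described above, as an added example that is not part of the original page: a sliding-window count of 4xx responses per source address over constructed Apache combined-log lines, returning "lockout" when the triggering request carried an authenticated user and "challenge" when it was anonymous. The log lines, threshold and window size are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache combined-log style (not real
# traffic). The third field is the authenticated user, "-" when anonymous.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2013:13:55:00 +0000] "GET /old-probe HTTP/1.1" 404 210
10.0.0.5 - - [15/May/2013:14:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [15/May/2013:14:00:02 +0000] "GET /admin/ HTTP/1.1" 404 210
10.0.0.5 - - [15/May/2013:14:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 210
10.0.0.5 - - [15/May/2013:14:00:03 +0000] "GET /.git/config HTTP/1.1" 404 210
10.0.0.5 - - [15/May/2013:14:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
10.0.0.5 - - [15/May/2013:14:00:04 +0000] "GET /logs/ HTTP/1.1" 404 210
10.0.0.5 - - [15/May/2013:14:00:04 +0000] "GET /test.php HTTP/1.1" 404 210
10.0.0.9 - alice [15/May/2013:14:00:10 +0000] "GET /orders/1001 HTTP/1.1" 200 880
10.0.0.9 - alice [15/May/2013:14:00:11 +0000] "GET /orders/1002 HTTP/1.1" 403 150
10.0.0.9 - alice [15/May/2013:14:00:12 +0000] "GET /orders/1003 HTTP/1.1" 403 150
10.0.0.9 - alice [15/May/2013:14:00:13 +0000] "GET /orders/1004 HTTP/1.1" 403 150
10.0.0.9 - alice [15/May/2013:14:00:14 +0000] "GET /orders/1005 HTTP/1.1" 403 150
10.0.0.9 - alice [15/May/2013:14:00:15 +0000] "GET /orders/1006 HTTP/1.1" 403 150
10.0.0.9 - alice [15/May/2013:14:00:16 +0000] "GET /orders/1007 HTTP/1.1" 403 150
10.0.0.7 - - [15/May/2013:14:00:20 +0000] "GET /favicon.ico HTTP/1.1" 404 210
10.0.0.7 - - [15/May/2013:14:00:21 +0000] "GET /robots.txt HTTP/1.1" 404 210
10.0.0.7 - - [15/May/2013:14:00:22 +0000] "GET /about HTTP/1.1" 200 640
"""

# ip, ident, user, timestamp, request line, status, size
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def detect_spikes(log_text, threshold=5, window_seconds=60):
    """Scan access-log text and return {source_ip: action} for every source whose
    count of 4xx responses inside a sliding window exceeds `threshold`.
    action is "lockout" when the triggering request was authenticated and
    "challenge" when it was anonymous. Threshold and window are assumed values."""
    recent = defaultdict(list)   # ip -> timestamps of recent 4xx responses
    actions = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines that do not parse
        ip, user, stamp, status = m.group(1), m.group(3), m.group(4), int(m.group(6))
        if not 400 <= status < 500:
            continue                          # only client-error responses count
        t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(t)
        # Slide the window: drop hits older than window_seconds before this one
        while hits and (t - hits[0]).total_seconds() > window_seconds:
            hits.pop(0)
        if len(hits) > threshold and ip not in actions:
            actions[ip] = "lockout" if user != "-" else "challenge"
    return actions


if __name__ == "__main__":
    for ip, action in detect_spikes(SAMPLE_LOG).items():
        print(f"{ip}: {action}")
```

In the sample, 10.0.0.5 probes six guessable paths anonymously inside four seconds and gets a challenge, alice walks six consecutive order IDs and is locked out, and 10.0.0.7's two stray 404s stay below the threshold. A real deployment keys the counters on the real peer address (not a spoofable X-Forwarded-For header unless it comes from a trusted proxy) and excludes known noisy paths such as favicon.ico before counting.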

Generic Framework Solution

The framework should provide a random GUID obfuscator (an indirect reference map) for parameter values, so that the underlying object identifiers never reach the client and cannot be incremented or enumerated.

The framework should proxy all requests for dynamic file content (as opposed to static content) through random GUID identifiers rather than exposing file names or paths.

The framework should segregate administrative interfaces from user interfaces using IP source address whitelisting, client certificates, and other restrictions.
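One way to enforce that segregation at the framework layer, as an added example that is not code from the original page: a WSGI middleware that refuses requests under an administrative path prefix unless the peer address lies in an allowed network and the web server reports a verified client certificate. The path prefix and networks are assumptions for the illustration; the SSL_CLIENT_VERIFY variable is the one Apache mod_ssl exports, and other servers use different names.

```python
import ipaddress

# Networks allowed to reach the administrative interface (constructed for this example)
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.1.0/24")]
ADMIN_PREFIX = "/admin/"   # assumed location of the administrative interface


def admin_gate(app, networks=ADMIN_NETWORKS, require_client_cert=True):
    """WSGI middleware: requests under ADMIN_PREFIX must come from an allowed
    network and carry a verified client certificate; everything else passes
    through to the wrapped application untouched."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path.startswith(ADMIN_PREFIX):
            try:
                src = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
            except ValueError:
                src = None                     # unparsable peer address: deny
            in_net = src is not None and any(src in net for net in networks)
            # SSL_CLIENT_VERIFY is the mod_ssl variable; "SUCCESS" means the
            # server validated the client certificate chain.
            cert_ok = environ.get("SSL_CLIENT_VERIFY") == "SUCCESS"
            if not in_net or (require_client_cert and not cert_ok):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"admin interface not available from this client\n"]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in application that answers every request it receives."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def status_for(path, remote_addr, client_verify=None):
    """Drive the middleware with a synthetic WSGI environ and return the status line."""
    environ = {"PATH_INFO": path, "REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET"}
    if client_verify is not None:
        environ["SSL_CLIENT_VERIFY"] = client_verify
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    list(admin_gate(demo_app)(environ, start_response))   # consume the body iterable
    return captured["status"]


if __name__ == "__main__":
    print(status_for("/admin/", "203.0.113.7", "SUCCESS"))   # outside network
    print(status_for("/admin/", "10.1.2.3", "SUCCESS"))      # inside, cert verified
```

Two caveats a deployment must handle: REMOTE_ADDR is only meaningful when the framework sees the real peer (behind a reverse proxy it must be derived from a header the proxy is trusted to set, never from an arbitrary X-Forwarded-For), and the prefix match must run on the normalised path, so that case variants or encoded slashes cannot bypass it.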

The framework should be designed to store configuration files, uploaded files, and any other content that does not need to be served directly by the web server outside the web root, or on a separate database server accessible only through application APIs.

Custom Framework Solution

The custom framework should enforce authentication and authorization checks on all dynamic content. Custom administrative interfaces should be built on top of the generic framework's administrative access platform, segregated from user interfaces.

Custom Code Solution


Discussion / Controversy

GUID obfuscators are a form of security through obscurity, and they address only the information leakage aspect of auto-incremented object identifiers (enumeration and volume inference). Authentication and authorization must still be enforced on every access in order to prevent unwanted access to resources, even once identifiers are no longer predictable.
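The following is an added example, not code from the original page, that shows both the random GUID obfuscator of the Generic Framework Solution and the point made above: a per-session indirect reference map hides auto-incremented keys behind uuid4 tokens, and the object accessor still checks ownership before returning a row. The invoice table, user names and session handling are constructed for the illustration.

```python
import uuid

# Constructed sample table: rows keyed by an auto-incremented primary key,
# exactly the kind of identifier that should never reach the client.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob",   "amount": 75.50},
    1003: {"owner": "alice", "amount": 310.25},
}


class ReferenceMap:
    """Per-session indirect reference map: internal key <-> random opaque token.
    Tokens are uuid4 values (generated from os.urandom), so a client cannot
    derive a neighbouring token from one it has seen."""

    def __init__(self):
        self._token_to_key = {}
        self._key_to_token = {}

    def token_for(self, key):
        """Return this session's token for an internal key, minting one on first use."""
        token = self._key_to_token.get(key)
        if token is None:
            token = str(uuid.uuid4())
            self._key_to_token[key] = token
            self._token_to_key[token] = key
        return token

    def resolve(self, token):
        """Map a client-supplied token back to the internal key, or None if unknown."""
        return self._token_to_key.get(token)


def list_invoices(session, user):
    """The listing the client sees: only the caller's rows, keyed by opaque tokens."""
    return {session.token_for(key): row["amount"]
            for key, row in INVOICES.items() if row["owner"] == user}


def get_invoice(session, user, token):
    """Resolve the token, then enforce ownership. The second check is the one
    that matters: an unpredictable identifier is not an authorization decision."""
    key = session.resolve(token)
    if key is None:
        raise LookupError("unknown reference")
    row = INVOICES[key]
    if row["owner"] != user:
        raise PermissionError("caller does not own this object")
    return row


def try_get(session, user, token):
    """Convenience wrapper returning ("ok", amount) or ("denied", exception name)."""
    try:
        return ("ok", get_invoice(session, user, token)["amount"])
    except (LookupError, PermissionError) as exc:
        return ("denied", type(exc).__name__)


if __name__ == "__main__":
    alice_session = ReferenceMap()
    for token, amount in list_invoices(alice_session, "alice").items():
        print(token, amount)
```

A token minted for alice's session is meaningless in any other session, and the raw key "1001" is rejected because it was never issued, so enumeration and volume inference are gone. If the same session is somehow driven by a different user, or the map is made global instead of per-session, only the ownership check in get_invoice stands between the caller and another user's row, which is why the obfuscator never replaces it.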

Directory indexing (directory listings generated by the web server) is a separate topic; "indexing" in this entry refers to object identifiers, not directory listings.


Forceful browsing
Predictable Resource Location (WASC)
Globally Unique Identifier (GUID)