Clean Up Your Dub Dub Dub (www, webroot): A Starting Point For Securing Your Web Applications…

Not that long ago I visited a client who was having repeated issues with getting hacked.

This being a white hat exercise (ethical hacking), I began by running a code scanner across the board to see what it would find.

Simultaneously I looked at the webroot of their web application servers.

As you may well know, when you do a ctrl-c and then a ctrl-v on a file, it ends up looking like this: “nameoffile – Copy”. Do it again on the copied file and it looks like this: “nameoffile – Copy – Copy”.

To my horror I found multiple instances of this. To make matters worse, they were PHP (v4!!!) files that contained database connection strings in clear text.

It subsequently turned out that these multiple, out-of-date versions of the same files were low-hanging fruit for hackers: every forgotten copy was still served by the web server and still carried the live credentials.

Advice for security professionals/SQA engineers – do not just test your web applications from the front end. Have at it from Dub Dub Dub (www, webroot).

Even the best enumeration tools, such as OWASP DirBuster, work from wordlists of likely names, so they are not going to find “nameoffile – Copy”. Especially not “nameoffile – Copy – Copy”.
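An added, defender-side illustration of auditing from the webroot rather than from the front end (example code written for this article, not the author's tooling): it walks a directory tree for Windows-style “ - Copy” names and common backup extensions, then checks the flagged files for hard-coded PHP connection strings. The sample tree, file names and credential patterns are constructed for the example.

```python
import os
import re
import tempfile

# Windows duplicate names: "x - Copy.php", "x - Copy (2).php", "x - Copy - Copy.php".
# The page shows an en dash in the name, so both hyphen and en dash are accepted.
COPY_SUFFIX = re.compile(r"\s[-\u2013]\sCopy(\s\(\d+\))?(?=\s|\.|$)", re.I)
# Backup renames that also tend to be left reachable in a webroot.
BACKUP_EXT = re.compile(r"\.(bak|old|orig|save|swp|tmp)$|~$", re.I)
# PHP connection-string idioms (constructed, not taken from any client's code).
DB_CRED = re.compile(r"mysqli?_connect\s*\(|new\s+PDO\s*\(|define\s*\(\s*['\"]DB_PASS", re.I)

def find_leftovers(webroot):
    """Walk the webroot and return sorted (relative path, reason) for each suspect file."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), webroot).replace(os.sep, "/")
            if COPY_SUFFIX.search(name):
                hits.append((rel, "copy artifact"))
            elif BACKUP_EXT.search(name):
                hits.append((rel, "backup extension"))
    return sorted(hits)

def find_exposed_credentials(webroot, rel_paths):
    """Return those paths whose contents look like hard-coded DB connection code."""
    exposed = []
    for rel in rel_paths:
        with open(os.path.join(webroot, rel), errors="replace") as fh:
            if DB_CRED.search(fh.read()):
                exposed.append(rel)
    return exposed

def build_sample_webroot():
    """Constructed sample tree mirroring the scenario above; all values are placeholders."""
    root = tempfile.mkdtemp()
    sample = {
        "index.php": "<?php include 'db.php'; ?>",
        "db.php": "<?php $c = mysql_connect('localhost', 'app', 'PLACEHOLDER'); ?>",
        "db - Copy.php": "<?php $c = mysql_connect('localhost', 'app', 'PLACEHOLDER'); ?>",
        "db - Copy - Copy.php": "<?php $c = mysql_connect('localhost', 'app', 'OLD_PLACEHOLDER'); ?>",
        "inc/config.php.bak": "<?php define('DB_PASSWORD', 'PLACEHOLDER'); ?>",
        "copyright.php": "<?php echo 'Copy'; ?>",  # contains "Copy" but is not a duplicate
    }
    for rel, body in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Run `find_leftovers()` against the real webroot and feed its output to `find_exposed_credentials()`; anything it returns is a file the web server will happily hand out and that no wordlist-based scanner was ever going to request.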

Does this remove legitimacy from the penetration testing effort if you have complete access to the file system?

No.

What if a thief gets in through other means and gets access?

The bottom line is that your webroot should be clean, sanitized and scrutinized. Cleansed.

It is the files you do not know about that can cause a serious breach of security.
