Dependence on Security Through Obscurity
Sometimes webmasters opt to protect information on a web server not through actual security measures, but merely by security through obscurity. That is, they restrict access to a document by not listing links to it on their web site, and by only providing the exact URL of the document to those they feel are authorized to have access to it. The problem with this is that once someone has that little-known URL, they're free to pass it on to others, who can then access the document without authorization.
Among those who do web site security audits, one of the tricks of the trade used to learn more about a web site is to alter known valid URLs in certain ways, to try to come up with additional valid, but not advertised, URLs which can be used to reveal data and program source code. For example, if you know that the web site contains a valid URL, http://www.mysite.com/shop/ordlist.asp, you might also check whether http://www.mysite.com/backup/shop/ordlist.asp, http://www.mysite.com/shop/backup/ordlist.asp or http://www.mysite.com/shop/ordlist.asp.old exists, in the hope that one of those other URLs exposes another version of the ordlist.asp file.
Real World Back Doors
Does your web site have any old files on it, in backup or old directories, or perhaps prior versions of files whose names end in .old or .backup? Do the permissions on those files or directories allow anyone but authorized administrators to access them? If so, remove the backup copies or ensure that you have set permissions on them so that arbitrary web users cannot access them.
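The audit question above, and the URL variations described in the preceding section, can be answered from the server side without guessing URLs at all: walk the document root, flag anything that looks like a backup copy, and report whether the web server's identity (typically "others" in Unix permission terms) can read it. The following script is an added example written for this guide and is not part of the original CertiGuide text; the suffix list, the backup directory names, and the sample document root (which mirrors the ordlist.asp paths used above) are constructed assumptions for illustration.

```python
"""Audit a web document root for backup copies that a web user could fetch.

Added example (not from the CertiGuide text). It walks a document root, flags
files whose names end in backup-style suffixes or that live under a directory
named like a backup area, and records whether each is readable by 'others',
the identity a web server usually serves files as.
"""
import os
import stat
import tempfile
from pathlib import Path

BACKUP_SUFFIXES = (".old", ".bak", ".backup", ".orig", "~")  # assumed list
BACKUP_DIRS = {"backup", "backups", "old"}                   # assumed list


def is_backup_path(rel_path: str) -> bool:
    """True if a docroot-relative path looks like a backup copy."""
    parts = Path(rel_path).parts
    name = parts[-1]
    if any(name.endswith(suffix) for suffix in BACKUP_SUFFIXES):
        return True
    # Any ancestor directory named like a backup area also counts.
    return any(part.lower() in BACKUP_DIRS for part in parts[:-1])


def world_readable(path: str) -> bool:
    """True if the 'others' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_docroot(docroot: str) -> list[dict]:
    """Return one finding per backup-looking file, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if is_backup_path(rel):
                findings.append({"path": rel, "world_readable": world_readable(full)})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_docroot() -> str:
    """Create a constructed document root mirroring the guide's example URLs."""
    root = tempfile.mkdtemp(prefix="docroot_")
    layout = {                       # constructed sample files and their modes
        "index.html": 0o644,
        "shop/ordlist.asp": 0o644,
        "shop/ordlist.asp.old": 0o644,
        "shop/backup/ordlist.asp": 0o640,   # not readable by 'others'
        "backup/shop/ordlist.asp": 0o644,
    }
    for rel, mode in layout.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<!-- constructed sample -->\n")
        target.chmod(mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_docroot()
    for finding in audit_docroot(sample_root):
        status = "EXPOSED" if finding["world_readable"] else "restricted"
        print(f"{status:10} {finding['path']}")
```

Run it against a real document root by replacing the sample with the server's actual path; any finding marked EXPOSED is exactly the kind of file the section above says to delete or lock down. Extend `BACKUP_SUFFIXES` and `BACKUP_DIRS` to match whatever naming conventions your own deployment process leaves behind.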
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.