CertiGuide to Security+ - Chapter 2: Communication Security (Domain 2.0; 20%) - 2.3 The Web - 2.3.4 Vulnerabilities


Dependence on “Security Through Obscurity”

Sometimes webmasters opt to protect information on a web server not through actual security measures, but merely by “security through obscurity”. That is, they restrict access to a document by not listing links to it on their web site, and by only providing the exact URL of the document to those they feel are authorized to have access to it. The problem with this is that once someone has that little-known URL, they’re free to pass it on to others, who can then access the document without authorization.

Malformed URLs

Among those who perform web site security audits, one of the “tricks of the trade” used to learn more about a site is to alter known valid URLs in certain ways, trying to come up with additional valid but unadvertised URLs that reveal data or program source code. For example, if you know that the site contains a valid URL, “http://www.mysite.com/shop/ordlist.asp”, you might also check whether “http://www.mysite.com/backup/shop/ordlist.asp”, “http://www.mysite.com/shop/backup/ordlist.asp” or “http://www.mysite.com/shop/ordlist.asp.old” exists, in the hope that one of those URLs gives access to another version of the ordlist.asp file.


Real World Back Doors

Does your web site have any old files on it, in “backup”, or “old” directories, or perhaps prior versions of files whose names end in “.old” or “.backup”? Do the permissions on those files or directories allow anyone but authorized administrators to access them? If so, remove the backup copies or ensure that you have set permissions on them so that arbitrary web users cannot access them.
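An added example, not from the guide, of the self-audit this sidebar describes: a Python script that walks a web root, flags files under “backup” or “old” directories or with “.old”/“.backup” suffixes, and reports whether their mode still leaves them readable by others. The constructed directory layout, the function names and the suffix list are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Names the text cites as typical stale copies left inside a web root.
BACKUP_SUFFIXES = (".old", ".backup")
BACKUP_DIRS = {"backup", "old"}


def find_stale_copies(webroot):
    """Report files that look like leftover copies of served content, and
    whether their mode grants 'others' read access (which, inside a web
    root, usually means any web user can fetch them)."""
    root = Path(webroot)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        in_backup_dir = bool(set(rel_dir.parts) & BACKUP_DIRS)
        for name in filenames:
            has_suffix = name.lower().endswith(BACKUP_SUFFIXES)
            if not (in_backup_dir or has_suffix):
                continue
            mode = (Path(dirpath) / name).stat().st_mode
            hits.append({
                "path": (rel_dir / name).as_posix(),
                "reason": "backup directory" if in_backup_dir else "backup suffix",
                "world_readable": bool(mode & stat.S_IROTH),
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_webroot():
    """Constructed web root mirroring the URLs in the text (assumed layout)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    layout = {
        "shop/ordlist.asp": 0o644,         # live page, should not be flagged
        "shop/ordlist.asp.old": 0o644,     # stale copy, still readable by all
        "shop/backup/ordlist.asp": 0o644,  # stale copy in a backup directory
        "backup/shop/ordlist.asp": 0o600,  # stale copy, admin-only permissions
    }
    for rel, mode in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<% ' constructed placeholder page %>\n")
        target.chmod(mode)
    return root


if __name__ == "__main__":
    for hit in find_stale_copies(build_sample_webroot()):
        state = "EXPOSED" if hit["world_readable"] else "restricted"
        print(f"{hit['path']:26} {hit['reason']:17} {state}")
```

Run it against the real document root; every “EXPOSED” line is a file to delete or to move outside the web root, since denying read access to the web server process is the only permission change that actually stops web users from fetching it.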








CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.