Security Basics mailing list archives

Re: Directory Scanner

From: iftikhar <iftikhar () aidentech com>
Date: Tue, 14 Feb 2012 10:50:03 +0500

Though not ideal, a partial supplement in this scenario is also checkingthe REFERER, can thwart automated tools to a degree


Regards,
Iftikhar

On 02/13/2012 07:45 PM, Calderon, Juan Carlos (GE, Corporate,consultant) wrote:

I understand authentication to these documents is not an issue what is
an issue is directory listing. IIS prevents this by default so I assume
you are using Apache, Tomcat or another server. So the best way to
prevent this issue is to modify your .htaccess file to avoid listing
files:

Here is an example of how to use it
http://www.javascriptkit.com/howto/htaccess11.shtml

Regards,
Juan C Calderon

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Alexander Pick
Sent: Wednesday, February 08, 2012 3:11 AM
To: Thugzclub Thugzclub
Cc: security-basics () securityfocus com; webappsec () securityfocus com
Subject: Re: Directory Scanner

Another idea is to proxy your download URLs through a script and hide
the real files outside the web root.

If you do it in PHP it's pretty simple (header + read file + bit
security). Just make sure to make the script secure in terms of
directory transversal etc., many people hide their downloads for
security and create even bigger holes with bad scripts.
You can also add all sort of attack detection to it, like recording the
hit count of an IP to it and auto locking the downloads after a certain
amount.

Hope this helps.

greets,
Alex

A question:

Given a website URL like the below :

http://www.companywebsite.com/resources/resources/whitepapers/document
_1_wp.pdf
http://www.companywebsite.com/resources/resources/whitepapers/document
_arbinatryname__wp.pdf

How can I protect somebody from enumerating the list of file on this
"whitepapers" directory ?  What tool can I use to make sure that I am
adequately protected against this ?
Cheers

----------------------------------------------------------------------
-- Securing Apache Web Server with thawte Digital Certificate In this
guide we examine the importance of Apache-SSL and who needs an SSL

certificate.  We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how
to test, purchase, install and use a thawte Digital Certificate on your
Apache web server. Throughout, best practices for set-up are highlighted
to help you ensure efficient ongoing management of your encryption keys
and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be4
42f727d1
----------------------------------------------------------------------
--




This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------




This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

Re: Directory Scanner, (continued)
- Re: Directory Scanner Steven (Feb 07)
- Re: Directory Scanner Alexander Pick (Feb 08)
  - SECURITY TOOLS TREE mc (Feb 08)
    - Re: SECURITY TOOLS TREE synja (Feb 08)
    - Re: SECURITY TOOLS TREE Mrs. Y (Feb 08)
    - Re: SECURITY TOOLS TREE RobOEM (Feb 08)
    - Re: SECURITY TOOLS TREE gold flake (Feb 09)
    - Re: SECURITY TOOLS TREE Vedantam Sekhar (Feb 09)
    - Re: SECURITY TOOLS TREE Christopher Siedlecki (Feb 10)
  - RE: Directory Scanner Calderon, Juan Carlos (GE, Corporate, consultant) (Feb 13)
    - Re: Directory Scanner iftikhar (Feb 13)
    - Message not available
    - RE: Directory Scanner Calderon, Juan Carlos (GE, Corporate, consultant) (Feb 14)
    - How to prevent Dos and DDoS, Dinh Truong Quang (Feb 15)
    - Re: How to prevent Dos and DDoS, Ivan .Heca (Feb 15)
    - RE: How to prevent Dos and DDoS, Dave, Manish, R. - EIL (MUM) (Feb 15)
    - Re: How to prevent Dos and DDoS, Steven (Feb 15)
    - Re: How to prevent Dos and DDoS, NetRunner Zoner (Feb 15)
    - Re: How to prevent Dos and DDoS, Quentin Chung@Programmer (Feb 16)
    - Re: How to prevent Dos and DDoS, LIAD Mizrachi (Feb 16)
    - Re: How to prevent Dos and DDoS, security () stealthnodes com (Feb 16)
    - Re: How to prevent Dos and DDoS, Claudiu Hulea (Feb 16)

(Thread continues...)