Advanced Directory Protection

2009-05-03 00:05:16

Fri, 17 Oct 08 13:11:39 -0600

One of the first things a hacker will do when attacking a site is search for data. This includes mapping the site and looking for empty directories.

Generally, the standard procedure against this is to simply add an index.html file or set the server to forbid directory browsing.

The only problem with this is that it proves that a directory exists, and is not just a mod_rewrite trick to make the URL pretty.

This will often lead to brute-forcing of sensitive file names, which often leads to data exposure.

Some site mapping programs, e.g. IntelliTamper, will brute-force directory names that might not be linked, as these are often the most sensitive.

I have a better way.

What I did was make the directory return a 404 error. When an attacker reaches this, they will simply assume there is something wrong with the map or that it's a fake directory made with mod_rewrite, and leave it alone.

Observe:

index.php file:


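<?php

// Set the real HTTP status line to 404. A 'Status:' header is only
// honoured under CGI/FastCGI; elsewhere the response would stay 200.
http_response_code(404);

// Send the same body as the site's normal 404 page.
// Fetching it by URL requires allow_url_fopen to be enabled.
readfile("http://site.com/404.html");

?>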



This will return a 404 error on the HTTP status (in case they watch that) and will show the 404 page (wherever it might be), leading any attacker or mapping program to believe the directory doesn't exist.

So, can you tell the difference between http://humanbagel.com/secretdir and http://humanbagel.com/supersecretdir when clicked?
Didn't think so.

The HTTP response headers are identical, so there is no way an attacker could know for sure if it's actually there, and not just a mod_rewrite trick.
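
An added check, not part of the original post: to confirm on your own server that the two responses really match, compare the decoy's response with the response for a path that does not exist, ignoring only the Date header. The sample responses are constructed, and `fetch` and `diff_responses` are names chosen for this example.

```python
import http.client
from urllib.parse import urlsplit

VOLATILE = {"date"}  # differs between any two requests, so not a tell

def fetch(url, timeout=10):
    """GET url without following redirects; return (status, headers, body)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read()
    finally:
        conn.close()

def _stable(headers):
    """Lower-case header names and drop the ones listed in VOLATILE."""
    return {k.lower(): v for k, v in headers if k.lower() not in VOLATILE}

def diff_responses(a, b):
    """List every observable difference between two fetch() results."""
    (status_a, head_a, body_a), (status_b, head_b, body_b) = a, b
    found = []
    if status_a != status_b:
        found.append(f"status: {status_a} vs {status_b}")
    ha, hb = _stable(head_a), _stable(head_b)
    for name in sorted(ha.keys() | hb.keys()):
        if ha.get(name) != hb.get(name):
            found.append(f"header {name}: {ha.get(name)!r} vs {hb.get(name)!r}")
    if body_a != body_b:
        found.append(f"body: {len(body_a)} vs {len(body_b)} bytes")
    return found

# Constructed sample responses (not captured from any real site).
BASE = [("Server", "Apache"), ("Content-Type", "text/html"), ("Content-Length", "9")]
MISSING = (404, [("Date", "Fri, 17 Oct 2008 19:11:39 GMT")] + BASE, b"Not found")
DECOY_OK = (404, [("Date", "Fri, 17 Oct 2008 19:11:41 GMT")] + BASE, b"Not found")
# Decoy served by PHP with expose_php on: one extra header gives it away.
DECOY_LEAKY = (404, DECOY_OK[1] + [("X-Powered-By", "PHP/5.2.6")], b"Not found")

if __name__ == "__main__":
    # Live use (hypothetical URLs): diff_responses(fetch(decoy_url), fetch(random_url))
    for label, decoy in (("ok", DECOY_OK), ("leaky", DECOY_LEAKY)):
        print(label, diff_responses(MISSING, decoy) or "indistinguishable")
```

Run the live comparison for the directory URL both with and without the trailing slash, since `fetch` does not follow redirects and a differing status would show up in the result.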

Honestly, if I ran into this situation, I would try to exploit the dir as if it were a GET variable, which of course would result in nothing but a huge number of 404s.

Either way, it's a dead end for an attacker and the only info on the dir that can be obtained is the files linked to there from your website.

Peace