https://wiki.owasp.org/index.php?title=OWASP_Periodic_Table_of_Vulnerabilities_-_Brute_Force_Predictable_Resource_Location/Insecure_Indexing&feed=atom&action=historyOWASP Periodic Table of Vulnerabilities - Brute Force Predictable Resource Location/Insecure Indexing - Revision history2024-03-29T02:08:56ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_Periodic_Table_of_Vulnerabilities_-_Brute_Force_Predictable_Resource_Location/Insecure_Indexing&diff=151695&oldid=prevJames Landis at 19:14, 15 May 20132013-05-15T19:14:19Z<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 19:14, 15 May 2013</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l5" >Line 5:</td>
<td colspan="2" class="diff-lineno">Line 5:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Root Cause Summary ===</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Root Cause Summary ===</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Server-side resources including admin pages, file backups, uploaded files, logs, and sample files exist in easy-to-guess locations<del class="diffchange diffchange-inline">, or are automatically indexed and enumerated by the web server</del>. Data resources are referenced by their auto-incremented primary key, making it easy for attackers to guess other valid values or infer transaction volumes.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Server-side resources including admin pages, file backups, uploaded files, logs, and sample files exist in easy-to-guess locations. Data resources are referenced by their auto-incremented primary key, making it easy for attackers to guess other valid values or infer transaction volumes.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Browser / Standards Solution ===</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Browser / Standards Solution ===</div></td></tr>
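Review bot: Removing the clause "or are automatically indexed and enumerated by the web server" from the Root Cause Summary leaves the entry's title ("Insecure Indexing") without any explanation of what indexing means here; the only definition now sits in the note appended at the very end of the page under Discussion / Controversy. Suggest keeping one sentence in the summary itself, e.g. "Insecure indexing here refers to object identifiers (auto-incremented primary keys), not directory listings, which are covered under Directory Indexing.", so the title and the summary agree on first read.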
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l24" >Line 24:</td>
<td colspan="2" class="diff-lineno">Line 24:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The framework should be designed to store all configuration files, uploaded files, and any other content that does not need to be served directly by the web server outside the web root or on a separate database server accessible only via application APIs.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The framework should be designed to store all configuration files, uploaded files, and any other content that does not need to be served directly by the web server outside the web root or on a separate database server accessible only via application APIs.</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Directory browsing should be disabled.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Custom Framework Solution ===</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Custom Framework Solution ===</div></td></tr>
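Review bot: Deleting "Directory browsing should be disabled." outright leaves the Generic Framework Solution section with no pointer to where that control now lives, so a reader who arrives expecting the directory-listing case finds nothing until the note under Discussion / Controversy. Suggest replacing the deleted sentence with a one-line cross-reference to the Directory Indexing entry rather than removing it, since the preceding sentence (keep uploads and configuration outside the web root) belongs to the same family of control and a reader will naturally look for directory browsing next to it.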
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l38" >Line 38:</td>
<td colspan="2" class="diff-lineno">Line 36:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>GUID obfuscators are a form of security through obscurity, and prevent only the information leakage aspect of auto-incremented object identifiers. Authentication and authorization must still be enforced in order to prevent unwanted access to resources, even if they are no longer predictable.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>GUID obfuscators are a form of security through obscurity, and prevent only the information leakage aspect of auto-incremented object identifiers. Authentication and authorization must still be enforced in order to prevent unwanted access to resources, even if they are no longer predictable.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[OWASP_Periodic_Table_of_Vulnerabilities_-_Directory_Indexing| Directory indexing]] is a separate topic; indexing in this case refers to object identifiers, not directory listings.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== References ===</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== References ===</div></td></tr>
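Review bot: The scope note is added under Discussion / Controversy, the last section before References, so it is the final thing a reader sees; it would do more good directly under the Root Cause Summary, where the ambiguity of "indexing" first arises. Consider moving the added line there (or duplicating a shortened form of it), keeping the [[OWASP_Periodic_Table_of_Vulnerabilities_-_Directory_Indexing| Directory indexing]] link so the two entries stay cross-referenced.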
</table>James Landishttps://wiki.owasp.org/index.php?title=OWASP_Periodic_Table_of_Vulnerabilities_-_Brute_Force_Predictable_Resource_Location/Insecure_Indexing&diff=151597&oldid=prevJames Landis: Created page with "Return to Periodic Table Working View == Brute Force Predictable Resource Location/Insecure Inde..."2013-05-15T01:07:27Z<p>Created page with "<a href="/index.php/OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities" title="OWASP Periodic Table of Vulnerabilities">Return to Periodic Table Working View</a> == Brute Force Predictable Resource Location/Insecure Inde..."</p>
<p><b>New page</b></p><div>[[OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities|Return to Periodic Table Working View]]<br />
<br />
== Brute Force Predictable Resource Location/Insecure Indexing ==<br />
<br />
=== Root Cause Summary ===<br />
<br />
Server-side resources including admin pages, file backups, uploaded files, logs, and sample files exist in easy-to-guess locations, or are automatically indexed and enumerated by the web server. Data resources are referenced by their auto-incremented primary key, making it easy for attackers to guess other valid values or infer transaction volumes.<br />
<br />
=== Browser / Standards Solution ===<br />
<br />
None<br />
<br />
=== Perimeter Solution ===<br />
<br />
The perimeter should detect spikes in 40X HTTP responses from the web server or application server. If the requests are authenticated, the perimeter should send an account lockout signal to the application. If the requests are unauthenticated, the perimeter should introduce a CAPTCHA, JavaScript challenge, or similar anti-automation measure.<br />
<br />
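The detection the Perimeter Solution describes, as an added example that is not part of the OWASP page: a sliding-window count of 4xx responses per source over constructed access-log lines, choosing an account lockout signal for authenticated sources and an anti-automation challenge for anonymous ones. The log lines, window length and threshold are assumptions.<br />
<br />
```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.9 - - [15/May/2013:19:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 162
203.0.113.9 - - [15/May/2013:19:00:02 +0000] "GET /admin/ HTTP/1.1" 403 162
203.0.113.9 - - [15/May/2013:19:00:02 +0000] "GET /logs/ HTTP/1.1" 404 162
203.0.113.9 - - [15/May/2013:19:00:03 +0000] "GET /sample.php HTTP/1.1" 404 162
198.51.100.7 - alice [15/May/2013:19:00:10 +0000] "GET /invoice?id=1001 HTTP/1.1" 403 162
198.51.100.7 - alice [15/May/2013:19:00:11 +0000] "GET /invoice?id=1002 HTTP/1.1" 403 162
198.51.100.7 - alice [15/May/2013:19:00:11 +0000] "GET /invoice?id=1003 HTTP/1.1" 403 162
198.51.100.7 - alice [15/May/2013:19:00:12 +0000] "GET /invoice?id=1004 HTTP/1.1" 403 162
192.0.2.44 - bob [15/May/2013:19:00:20 +0000] "GET /missing.css HTTP/1.1" 404 162
"""

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')
WINDOW_SECONDS = 60   # sliding window over which 4xx responses are counted (assumed)
THRESHOLD = 4         # 4xx responses per source inside the window that trigger action (assumed)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, ts, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, (None if user == "-" else user), when, int(status)

def detect(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map each offending source to the action the perimeter should take:
    'lockout' (account lockout signal to the application) for authenticated
    sources, 'challenge' (CAPTCHA / JavaScript challenge) for anonymous ones."""
    recent = defaultdict(deque)   # source key -> timestamps of its recent 4xx responses
    actions = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, user, when, status = rec
        if not 400 <= status < 500:
            continue
        key = user or ip          # authenticated traffic is keyed by account, not address
        q = recent[key]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()           # drop 4xx responses that fell out of the window
        if len(q) >= threshold:
            actions[key] = "lockout" if user else "challenge"
    return actions
```
<br />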
=== Generic Framework Solution ===<br />
<br />
The framework should provide a random GUID obfuscator for all parameter values to hide the underlying object identifiers.<br />
<br />
The framework should proxy all requests for dynamic file content (as opposed to static content) with random GUID identifiers.<br />
<br />
The framework should segregate administrative interfaces from user interfaces using IP source address whitelisting, client-side certificates, and other restrictions.<br />
<br />
The framework should be designed to store all configuration files, uploaded files, and any other content that does not need to be served directly by the web server outside the web root or on a separate database server accessible only via application APIs.<br />
<br />
Directory browsing should be disabled.<br />
<br />
=== Custom Framework Solution ===<br />
<br />
The custom framework should enforce authentication/authorization checks on all dynamic content. Custom administrative interfaces should be built on top of the generic framework's administrative access platform, segregated from user interfaces.<br />
<br />
=== Custom Code Solution ===<br />
<br />
None<br />
<br />
=== Discussion / Controversy ===<br />
<br />
GUID obfuscators are a form of security through obscurity, and prevent only the information leakage aspect of auto-incremented object identifiers. Authentication and authorization must still be enforced in order to prevent unwanted access to resources, even if they are no longer predictable.<br />
<br />
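An added example (not code from the OWASP page) of the GUID obfuscator from the Generic Framework Solution combined with the authorization check the Discussion / Controversy paragraph insists on: random handles stand in for auto-incremented ids in URLs, files live under an assumed path outside the web root, and an unknown or foreign handle resolves to nothing. The registry class, storage path and user names are constructed for illustration.<br />
<br />
```python
import secrets
from pathlib import Path

# Assumed location for stored files, outside the web root (constructed path).
STORAGE_ROOT = Path("/var/app/private/uploads")

class ResourceRegistry:
    """Maps random public handles to internal (auto-incremented) ids and owners.
    Only the handle is ever placed in a URL or form parameter; in a real
    framework these two maps would be columns in the database."""
    def __init__(self):
        self._by_handle = {}   # public handle -> (internal id, owner)
        self._by_id = {}       # internal id -> public handle

    def register(self, internal_id, owner):
        """Issue a 128-bit random handle for a newly stored resource."""
        handle = secrets.token_urlsafe(16)
        self._by_handle[handle] = (internal_id, owner)
        self._by_id[internal_id] = handle
        return handle

    def handle_for(self, internal_id):
        """Look up the public handle when rendering a link to an internal id."""
        return self._by_id[internal_id]

    def resolve(self, handle, requester):
        """Resolve a handle on behalf of `requester`. Unknown handles and handles
        owned by someone else both return None: the random handle hides the
        internal key, but ownership is still checked before anything is served."""
        entry = self._by_handle.get(handle)
        if entry is None:
            return None
        internal_id, owner = entry
        if owner != requester:
            return None
        return STORAGE_ROOT / f"{internal_id}.bin"

def demo():
    """Constructed scenario: two users holding two consecutive internal ids."""
    reg = ResourceRegistry()
    h1 = reg.register(1001, "alice")
    h2 = reg.register(1002, "bob")
    return reg, h1, h2
```
<br />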
=== References ===<br />
<br />
[[Forced_browsing|Forceful browsing]]<br /><br />
[http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location Predictable Resource Location (WASC)]<br /><br />
[https://en.wikipedia.org/wiki/Globally_unique_identifier Globally Unique Identifier (GUID)]</div>James Landis