Difference between revisions of "LII:Web Application Security Guide/Special files"

From LIMSWiki
Latest revision as of 22:57, 10 August 2016

Special files

Special files like .htaccess, robots.txt, crossdomain.xml and clientaccesspolicy.xml have special meanings to web servers, crawlers and browser plug-ins, which have to be understood before such files are deployed.

To prevent this type of attack

  • Know the meaning of these files.
  • Ensure robots.txt does not disclose "secret" paths.
  • Ensure crossdomain.xml and clientaccesspolicy.xml do not exist unless needed.
  • If used, ensure crossdomain.xml and clientaccesspolicy.xml allow access from trusted domains only.
  • Prevent users from uploading/changing special files (see file upload vulnerabilities section).

Rationale

Special files like .htaccess, robots.txt, crossdomain.xml and clientaccesspolicy.xml define security relevant settings and rules. Knowing their meaning is necessary to use them securely.

.htaccess influences the behaviour and security relevant settings of the web server for the directory it is placed in and its subdirectories (e.g. access rights, which file types are executed as scripts, directory listings, ...), provided the server is configured to honour such files (AllowOverride in Apache). An attacker who can write an .htaccess file can therefore change those settings.

robots.txt can be ignored by malicious or badly written robots. As this file is publicly available, an attacker can gain valuable information about "interesting" paths (like administration interfaces) if they are mentioned in the robots.txt file. Attackers do check this file for such content.

crossdomain.xml (read by Adobe Flash) and clientaccesspolicy.xml (read by Microsoft Silverlight) can relax the same-origin policy for those plug-ins. An overly permissive policy (for example allow-access-from domain="*") lets a Flash or Silverlight object hosted on any site send requests to this site with the victim's cookies and read the responses, which enables cross-site request forgery and cross-site scripting style attacks through the plug-in. Note that Flash also honours crossdomain.xml files placed in subdirectories unless the root (master) policy file restricts this with <site-control permitted-cross-domain-policies="master-only"/>, so a directory to which users can upload files can become a policy file location.
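The following script is an added example (not code from the Wikibooks or LIMSWiki page) that turns the checklist above and the crossdomain.xml/clientaccesspolicy.xml rationale in this paragraph into a local audit: it parses the three files and flags disclosed "interesting" paths in robots.txt, wildcard or non-HTTPS origins and a missing master-only restriction in crossdomain.xml, and wildcard origins in clientaccesspolicy.xml. The sample file contents, the keyword list used to judge robots.txt paths and the hostname app.example.com are all constructed assumptions for the example.

```python
"""Audit robots.txt, crossdomain.xml and clientaccesspolicy.xml for the
weaknesses described in the Special files section. Added example; the
sample files and the keyword list below are constructed for this demo."""
import re
import xml.etree.ElementTree as ET

# Assumed list of path fragments that usually point at something an attacker
# wants to find (administration interfaces, backups, repositories, ...).
SENSITIVE_PATH_KEYWORDS = ("admin", "backup", "private", "secret",
                           "config", "phpmyadmin", "cgi-bin", ".git")


def robots_disclosures(robots_txt: str) -> list[str]:
    """Return Disallow/Allow paths in robots.txt that look like interesting targets."""
    findings = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)(disallow|allow)\s*:\s*(\S+)", line)
        if not m:
            continue
        path = m.group(2)
        if any(k in path.lower() for k in SENSITIVE_PATH_KEYWORDS):
            findings.append(path)
    return findings


def crossdomain_findings(xml_text: str) -> list[str]:
    """Flag overly permissive entries in an Adobe crossdomain.xml policy."""
    root = ET.fromstring(xml_text)
    findings = []
    site_control = root.find("site-control")
    permitted = (site_control.get("permitted-cross-domain-policies")
                 if site_control is not None else None)
    # Without master-only (or none), Flash also honours policy files in
    # subdirectories, so any user-writable directory could grant access.
    if permitted not in ("master-only", "none"):
        findings.append("site-control does not restrict sub-directory policy files")
    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for el in root.findall(tag):
            dom = el.get("domain", "")
            if dom == "*":
                findings.append(f"{tag}: domain='*' allows every origin")
            elif "*" in dom:
                findings.append(f"{tag}: domain={dom!r} is a subdomain wildcard, review it")
            # secure defaults to true; secure="false" lets plain-HTTP origins use
            # a policy served over HTTPS.
            if el.get("secure", "true").lower() == "false":
                findings.append(f"{tag}: domain={dom!r} has secure=\"false\"")
    return findings


def clientaccesspolicy_findings(xml_text: str) -> list[str]:
    """Flag wildcard origins in a Silverlight clientaccesspolicy.xml."""
    root = ET.fromstring(xml_text)
    return [f"domain uri={d.get('uri', '')!r} is a wildcard"
            for d in root.iter("domain") if "*" in d.get("uri", "")]


# --- constructed sample files -------------------------------------------------
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Disallow: /tmp/
Allow: /
"""

WEAK_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

HARDENED_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com"/>
</cross-domain-policy>"""

WEAK_CLIENTACCESSPOLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
      <grant-to><resource path="/" include-subpaths="true"/></grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


if __name__ == "__main__":
    print("robots.txt:", robots_disclosures(SAMPLE_ROBOTS))
    print("weak crossdomain.xml:", crossdomain_findings(WEAK_CROSSDOMAIN))
    print("hardened crossdomain.xml:", crossdomain_findings(HARDENED_CROSSDOMAIN))
    print("weak clientaccesspolicy.xml:", clientaccesspolicy_findings(WEAK_CLIENTACCESSPOLICY))
```

The hardened crossdomain.xml produces no findings because it names a single trusted host and restricts policy files to the site root; the weak one is reported three times (no site-control, wildcard origin, secure="false"). To run this against a real deployment, fetch /robots.txt, /crossdomain.xml and /clientaccesspolicy.xml from the site root and pass the bodies to the three functions.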

Further reading

  • .htaccess (Wikipedia)
  • Cross-site request forgery (Wikipedia)
  • robots.txt (Wikipedia)

Notes

The original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.