[WEB SECURITY] "Meanwhile, on the other side of the web server" - a writeup by Amit Klein

Ory Segal osegal at watchfire.com
Fri Jun 10 09:17:43 EDT 2005


With regard to discovering infrastructure information, you can also use
NetCraft.

-Ory 

-----Original Message-----
From: Richard Moore [mailto:rich at westpoint.ltd.uk] 
Sent: Friday, June 10, 2005 11:49 AM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] "Meanwhile, on the other side of the web
server" - a writeup by Amit Klein

Nice summary Amit. One thing I'd add is the use of search engines to
allow an attacker to discover information that has been incorrectly
protected, or to find attack targets (as several worms have done by
searching for banners). Of course, these attacks can occur without the
attacker ever having to make a request of your web app. I mentioned one
example of this on the risks list a while ago (I'm sure I wasn't the
first), but other searches such as 'this document is confidential'
still get lots of hits.

http://catless.ncl.ac.uk/Risks/22.64.html#subj9.1

Cheers

Rich.
--
Richard Moore, Principal Software Engineer, Westpoint Ltd, Albion Wharf,
19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


