27 October 2010

Benign Unexpected URLs - Part 2 - Valid Entry Points

Part 1 listed various URLs that may be requested from a web site or application but which do not exist, and so lead to an error. Part 2 re-uses that list and adds to it, to define all valid entry points.

Determining the valid entry points of an application is a prerequisite for some types of threat modelling, attack analysis and application defence. It is also something attackers try to do (to map the "attack surface"), so it really is something good development teams should keep track of. Web application firewalls (WAFs) often build their own models from the traffic they observe, but even those may not include URLs that are requested infrequently, new valid URLs, or URLs which no-one has ever requested but which contain a vulnerability.

The "page" addresses of HTML files or dynamic content may be well known, but what other benign URLs are valid? Static files such as style sheets, JavaScript libraries, file downloads, images and videos should be identified. The Type B URLs mentioned in Part 1 could also be valid entry points to the web site or application. Check each category and find out whether any really do exist (and thus don't generate 404 errors).

Also check the following items, which may be valid entry points too, and therefore benign.

Category: Comments and examples

Custom Errors: Custom error pages should have been set up, and these may be requested as direct URLs.

News Feeds: RSS and Atom feeds may be generated by the application.

Virtual Addresses: Aliases (short addresses that redirect to the longer real URL), and temporary or permanent redirections set up when a site's structure changes.

TLS Redirection: Redirection from non-SSL (non-TLS) URLs to SSL/TLS URLs, and vice versa.

Where there are a large number of static files and it is not appropriate to list every file name, it is worthwhile documenting the allowed extensions and any file naming conventions expected. Whitelisting a whole folder as a valid entry point is not recommended, in case an attacker manages to upload a script or other malicious file into it; a request for that file would then pass the entry point validation logic.
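As an added illustration of the point above (example code written for this page, not from the original post), the following Python script classifies request paths against a constructed entry point inventory: explicitly listed pages, custom error pages, feeds, redirect aliases, and static content described by directory, allowed extensions and a file naming convention. The inventory, the site paths and the function names are all hypothetical. A second function shows the folder-level whitelist the post warns against, so the difference in outcome for an uploaded script can be seen directly.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed inventory for a hypothetical site. A real inventory would be
# maintained by the development team alongside the application's documentation.
PAGES = {"/", "/index.html", "/products", "/contact"}
CUSTOM_ERROR_PAGES = {"/error/404.html", "/error/500.html"}
FEEDS = {"/feed/rss.xml", "/feed/atom.xml"}
ALIASES = {"/go/promo": "/products/autumn-promotion"}  # short alias -> real URL

# Static content: (directory, permitted extensions, file naming convention).
# Extensions and naming rules are documented instead of listing every file,
# and instead of allowing anything that happens to sit in the directory.
STATIC_RULES = [
    ("/css/", {".css"}, re.compile(r"^[a-z0-9-]+\.css$")),
    ("/js/", {".js"}, re.compile(r"^[a-z0-9-]+(\.min)?\.js$")),
    ("/images/", {".png", ".jpg", ".gif"}, re.compile(r"^[a-z0-9-]+\.(png|jpg|gif)$")),
]


def normalise(url: str) -> str:
    """Return the decoded, dot-segment-free path component of a request URL.

    Decoding before normalising means "/css/%2e%2e/admin" is seen as "/admin",
    so an encoded traversal cannot be matched as static content by accident.
    """
    path = unquote(urlsplit(url).path)
    if not path.startswith("/"):
        return ""  # relative or empty path: never a valid entry point
    return posixpath.normpath(path)  # "/css/../admin" -> "/admin"; strips trailing "/"


def classify(url: str) -> str:
    """Map a request URL to one of the entry point categories, or 'unexpected'."""
    path = normalise(url)
    if path in PAGES:
        return "page"
    if path in CUSTOM_ERROR_PAGES:
        return "custom-error"
    if path in FEEDS:
        return "feed"
    if path in ALIASES:
        return "redirect"
    for directory, extensions, pattern in STATIC_RULES:
        if path.startswith(directory):
            name = path[len(directory):]
            ext = posixpath.splitext(name)[1].lower()
            # No subfolders, only documented extensions, and the naming convention.
            if "/" not in name and ext in extensions and pattern.match(name):
                return "static"
            return "unexpected"  # e.g. an uploaded shell.php in /images/
    return "unexpected"


def folder_allowlist_permits(url: str) -> bool:
    """The approach the post advises against: anything under a static folder passes."""
    path = normalise(url)
    return any(path.startswith(directory) for directory, _, _ in STATIC_RULES)


if __name__ == "__main__":
    # Constructed sample of requests, including a traversal and an uploaded script.
    sample = [
        "/products?id=42", "/css/site.css", "/js/app.min.js", "/feed/atom.xml",
        "/go/promo", "/error/404.html", "/images/shell.php", "/css/%2e%2e/admin",
    ]
    for url in sample:
        print(f"{url:24} {classify(url):12} folder-whitelist={folder_allowlist_permits(url)}")
```

Query strings are ignored by `classify` on purpose; Part 3 deals with parameters separately, and an entry point inventory is about which resources may be requested, not which arguments they take. The scheme-level TLS redirection category is not path-based and so is not represented here.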

In Part 3 I will examine additional or missing request parameters which might have a benign cause.

Posted on: 27 October 2010 at 15:32 hrs

http://www.clerkendweller.com/2010/10/27/Benign-Unexpected-URLs-Part-2-Valid-Entry-Points

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2010-2012 clerkendweller.com