Thursday, April 2, 2020
Basic Directory Transversal essays
Basic Directory Transversal essays When digging into a system it is always smart to look for obvious lack of security instead of looking at holes within the security. In other words, if you want to poke around a system, look for the obvious, visible openings before engaging in actually attacking the security of the system. I look at this as being given access instead of gaining unauthorized access, which legally, is a big difference. Now I am not a lawyer, but these are two completely different things in my Basic directory transversal involves seeing what directories are publicly accessible without "breaking into" anything. More advanced forms of directory transversal involve using these basic principles to slide through security by using things like "/../" and hex codes to try and fool the software into allowing you access to directories that were not intended to be accessible. But lets stick to the basics for now. For example, depending on the type of web server running, you are probably familiar with the fact that there is a specific default directory structure that usually contains at least one subfolder called "images". No HTML is usually stored in this directory, but there are images there. If the privileges are not set up properly, you can browse to the images directory and see all of the files contains within. Take this one step further and see what other directories you can get into. You might find directories called "content", "templates", "members", or pretty much anything. Each one of these folder should be locked down to prevent unauthorized access. The sad reality is that they are not. During your normal browsing of a site, or your intentional targeting of a site, notice the directory structure of the site. Notice that you may suddenly jump two directories deep. You may click on a link from the main page to a page located at "../content/articles/page1.html". ...
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.