Web Application Security
Re: Directory Scanner Feb 08 2012 09:11AM
Alexander Pick (acpi mac com)
Another idea is to proxy your download URLs through a script and hide the real files outside the web root.

If you do it in PHP it's pretty simple (header + read file + bit security). Just make sure to make the script secure in terms of directory transversal etc., many people hide their downloads for security and create even bigger holes with bad scripts.
You can also add all sort of attack detection to it, like recording the hit count of an IP to it and auto locking the downloads after a certain amount.

Hope this helps.

greets,
Alex

> A question:
>
> Given a website URL like the below :
>
> http://www.companywebsite.com/resources/resources/whitepapers/document_1
_wp.pdf
> http://www.companywebsite.com/resources/resources/whitepapers/document_a
rbinatryname__wp.pdf
>
> How can I protect somebody from enumerating the list of file on this
> "whitepapers" directory ? What tool can I use to make sure that I am
> adequately protected against this ?
> Cheers
>
> ------------------------------------------------------------------------

> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
> ------------------------------------------------------------------------

>

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus