Predictable Resource Location
Overview
Predictable resource location attacks exploit poorly configured or poorly set
up websites that base the security of sensitive files on the assumption that
users do not know the URLs referencing them. By correctly guessing the names of
these sensitive, 'hidden' files, an attacker is able to access them. This can
give attackers direct access to the information contained in these files. It
can also provide attackers with information that facilitates further attacks
against the site. Estimates suggest that at least 1 out of 4 sites are
vulnerable to predictable resource location.
What makes a site vulnerable?
Predictable resource location attacks exploit poorly designed websites that
base the security of sensitive files on the fact that users do not know the
URLs referencing them. The usual assumption is that nobody will find a file if
you do not link to it. This is not always true: an unlinked file is still served
to anyone who requests its path.
Impact of the attack
Predictable resource location allows an attacker to guess the paths of
web-accessible files on the web server and then request them. Some of these
files may not be intended to be viewed by users. The contents of the files, or
even the filenames themselves, may reveal private user information (credit card
details, etc.). There may be backups of source code files which, because the
server does not treat an extension such as .bak as executable code, can be
opened and viewed by the attacker. Viewing the source code may facilitate
further attacks against the site, and may even give up useful information such
as database login details. Such files may also expose supposedly hidden
functionality, such as admin-only web pages, which could give the attacker a
significant degree of control over the website.
Preventing the attack
Making file URLs hard to guess (by including large random components) can
prevent attackers from guessing them. Alternatively, the sensitive files should
be protected by actual, tested access control mechanisms, so that knowing the
URL is not by itself enough to read them.
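The two mitigations above can be combined: a high-entropy token makes a private file's URL unguessable, and an explicit authorization check means that even a known URL is refused to the wrong user, while backup artifacts are refused to everyone. The code below is an added example, not from the original article or any particular framework; the `User` type, the role names and the `/files/<token>` URL scheme are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Suffixes left behind by editors and deploy scripts; serving them leaks source
# regardless of how obscure the file name is, so they are refused outright.
BLOCKED_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")


@dataclass(frozen=True)
class User:
    """Hypothetical authenticated principal (assumption for this example)."""
    name: str
    roles: frozenset = field(default_factory=frozenset)


ANONYMOUS = User("anonymous")


def is_blocked_artifact(path: str) -> bool:
    """True for backup/editor artifacts that must never be served."""
    return path.lower().endswith(BLOCKED_SUFFIXES)


def authorize(path: str, user: User) -> bool:
    """Path-based access control that does not rely on a page being unlinked.

    Admin pages require the 'admin' role whether or not anything links to them;
    everything else under the web root is public unless it is a blocked artifact.
    """
    if is_blocked_artifact(path):
        return False
    if path.startswith("/admin/"):
        return "admin" in user.roles
    return True


def new_capability_token() -> str:
    """32 random bytes (256 bits) from the OS CSPRNG, URL-safe base64 encoded."""
    return secrets.token_urlsafe(32)


class PrivateFileStore:
    """Serves per-user files only via an unguessable token AND an owner check."""

    def __init__(self) -> None:
        self._by_token: dict = {}  # token -> (owner, stored filename)

    def publish(self, owner: str, filename: str) -> str:
        """Register a file for `owner` and return the unguessable URL to reach it."""
        token = new_capability_token()
        self._by_token[token] = (owner, filename)
        return f"/files/{token}"

    def resolve(self, url: str, user: User) -> Optional[str]:
        """Return the stored filename if `user` may read it, else None.

        A correct token is necessary but not sufficient: the requester must be
        the owner or an admin, so a leaked URL does not become a leaked file.
        """
        token = url.rsplit("/", 1)[-1]
        entry: Optional[Tuple[str, str]] = self._by_token.get(token)
        if entry is None:
            return None
        owner, filename = entry
        if user.name != owner and "admin" not in user.roles:
            return None
        return filename


if __name__ == "__main__":
    store = PrivateFileStore()
    url = store.publish("alice", "invoice-2023-10.pdf")
    print(url, "->", store.resolve(url, User("alice")))
    print("anonymous:", store.resolve(url, ANONYMOUS))
```

The token has 256 bits of entropy, so enumeration is infeasible, but tokens still leak through browser history, referrer headers and shared links; that is why `resolve` also checks the owner, and why `authorize` gates admin pages on a role rather than on obscurity.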