Question

I have a PHP enabled site, with directory-listing turned off.

But, when I used Acunetix (web vulnerability scanning software) to scan my site, and other high-profile websites, it was able to list all directories & files.

I don't know why this is happening, but I have this theory: maybe the software is using English words, trying to see if a folder exists by trying names like "include/", "css/", "/images", etc. Then, maybe it is able to list files that way.

Because, if directory listing is off, I don't know what more there is to do.

So, I devised this plan, that if I give my folders/files difficult names like I3Nc_lude, 11css11, etc., maybe it would be difficult for the software to find the names. What do you think?

I know, I could be dead-wrong about this, and the idea might be laughable but, that is why I am asking for help.

How do you Completely! Forbid directory listing??

Was it helpful?

Solution

The checkers aren't using some kind of language-based brute force attack, that would be far too costly and invasive even for the most inept hacker. Your internet file sharing service (Apache, IIS, whatever) is serving up the structure to anyone who asks.

I found this solution at - it should apply to you, I hope.

http://www.velvetblues.com/web-development-blog/dont-get-hacked-6-ways-to-secure-your-wordpress-blog/

  1. Hide Your Directory Structure

It is also good practice to hide your directory structure. By default, many WordPress installations enable any visitors to snoop and see all files in folders lacking an index file. And while this might not seem dangerous, it really is. By enabling visitors to see what files are in each directory, they can better plot their attack.

To fix this problem, you can do one of two things:

Option 1: Use An Index File

For each directory that you want to protect, simply add an index file. A simple index.html file will suffice.

Option 2: Use An .htaccess File

The preferred way of hiding the directory structure is to use the following code in an .htaccess file.

Options -Indexes
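The two options in the answer (an index file per directory, or `Options -Indexes` in an .htaccess file) can be audited offline before a scanner finds a gap. The following Python script is an added example, not code from the answer or the linked blog post: it walks a webroot and reports every directory Apache would still list, treating a directory as covered if it contains an index file or if the .htaccess files between the webroot and that directory leave `Indexes` out of the effective `Options` set. It applies Apache's own merging rule (a directive whose tokens all carry `+` or `-` merges with the parent, a directive with any absolute token replaces the set, `None` clears it). Assumptions, all labelled in the code: the server-level `Options` for the webroot (the `root_options` argument, defaulting to `Indexes FollowSymLinks`, a common distribution default), the `DirectoryIndex` names in `INDEX_NAMES`, that `AllowOverride Options` lets .htaccess change `Options`, and that `<Directory>` blocks in httpd.conf are not modelled. The sample tree is constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed DirectoryIndex list (distribution defaults vary; match your httpd.conf).
INDEX_NAMES = ("index.html", "index.htm", "index.php")


def apply_options(directive, inherited):
    """Apply one 'Options ...' directive to the inherited set (lower-cased names).
    Apache semantics: if every token carries + or -, merge with the parent set;
    if any token is absolute, the whole set is replaced; 'None' clears it."""
    tokens = directive.split()[1:]
    if not tokens:
        return set(inherited)
    relative = all(t[0] in "+-" for t in tokens)
    result = set(inherited) if relative else set()
    for t in tokens:
        name = t.lower()
        if name == "none":
            result.clear()
        elif name.startswith("+"):
            result.add(name[1:])
        elif name.startswith("-"):
            result.discard(name[1:])
        else:
            result.add(name)
    return result


def effective_options(webroot, directory, root_options):
    """Merge Options from every .htaccess between webroot and directory.
    Assumes AllowOverride Options; <Directory> blocks in httpd.conf are not modelled."""
    opts = {o.lower() for o in root_options}
    rel_parts = Path(directory).resolve().relative_to(Path(webroot).resolve()).parts
    current = Path(webroot)
    chain = [current] + [current.joinpath(*rel_parts[: i + 1]) for i in range(len(rel_parts))]
    for d in chain:
        htaccess = d / ".htaccess"
        if not htaccess.is_file():
            continue
        for raw in htaccess.read_text().splitlines():
            line = raw.strip()
            if re.match(r"options\s", line, re.IGNORECASE):  # comment lines never match
                opts = apply_options(line, opts)
    return opts


def audit_webroot(webroot, root_options=("Indexes", "FollowSymLinks")):
    """Return {relative_dir: reason} for each directory Apache would list:
    no index file present AND 'Indexes' still in the effective Options."""
    exposed = {}
    for dirpath, dirnames, filenames in os.walk(webroot):
        dirnames.sort()  # deterministic walk order
        if any(name in INDEX_NAMES for name in filenames):
            continue  # Option 1: the index file is served instead of a listing
        if "indexes" in effective_options(webroot, dirpath, root_options):
            exposed[os.path.relpath(dirpath, webroot)] = "no index file and Indexes still enabled"
    return exposed


def build_sample_webroot():
    """Constructed example tree (not the asker's site); returns its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))

    def put(rel, text=""):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)

    put("index.php", "<?php echo 'home';")
    put("css/site.css", "body{}")                          # nothing protects css/ -> listed
    put("images/index.html")                                # Option 1: index file
    put("include/.htaccess", "Options -Indexes\n")          # Option 2: .htaccess
    put("include/db.php", "<?php")
    (root / "include" / "lib").mkdir()                      # inherits -Indexes from include/
    put("docs/.htaccess", "Options FollowSymLinks\n")       # absolute list drops Indexes too
    put("uploads/.htaccess", "Options -Indexes\n")
    put("uploads/public/.htaccess", "Options +Indexes\n")   # child re-enables it -> listed
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel, why in sorted(audit_webroot(sample).items()):
        print(f"{rel}/ -> {why}")
```

Run it against a copy of the real webroot with the `root_options` your server config actually sets; the `uploads/public` case in the sample is the one worth remembering, since a `-Indexes` in a parent directory is undone by a `+Indexes` lower down, while an absolute `Options FollowSymLinks` in `docs/` drops `Indexes` even though it never names it.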

Other tips

  1. Ensure all directories from the root of your site have directory listings disabled. It is typically on by default when you setup a new server.

  2. Assuming that directory listing in your webserver is not your issue, keep in mind that any resources you have in your site: CSS files, JS sources, and of course HREFs can be traversed with little or no effort (typically a few lines of JavaScript). There is no way to hide anything that you've referenced. This is most likely what you are seeing reflected in the scan.

  3. Alternatively, if you use SVN or other version control systems to deploy your site, often these can be used to determine the path of every file in your codebase.

Probably the most common mistake people make when first creating sites is that they keep all their files in the webroot, and it becomes somewhat trivial to figure out where things are.

IMHO the best approach is have your code in a separate directory outside the webroot, and then load it as needed (this is how most MVC frameworks work). You can control entirely then what can and can not be accessed via the web. You can have 100s of classes in a directory and as long as they are not in the webroot, no one will ever be able to see them, even if directory listing were to become enabled.

That just sounds like a nightmare to manage. Focus on securing the files the best you can with all preventative measures. Don't rely on security through obscurity. If someone wants in, some random directory names will just slow them down slightly.
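The "code outside the webroot" layout recommended above, as an added example that is not from any of the answers, written in Python standing in for the PHP front controller the answer has in mind. It assumes a constructed layout with `site/public/` as the only directory the web server exposes and `site/app/` holding classes, templates and configuration; the route table, the file names and the `config.php` contents are all invented for the example. The static-file method adds a canonical-path containment check so a URL containing `..` cannot step from `public/` into `app/`; URL decoding and the web server's own handling are not modelled.

```python
import tempfile
from pathlib import Path


def build_sample_site():
    """Constructed layout (assumption): only site/public is the DocumentRoot."""
    site = Path(tempfile.mkdtemp(prefix="site-"))
    (site / "public" / "css").mkdir(parents=True)
    (site / "public" / "index.php").write_text("<?php require '../app/bootstrap.php';")
    (site / "public" / "css" / "site.css").write_text("body { margin: 0 }")
    (site / "app" / "pages").mkdir(parents=True)
    (site / "app" / "config.php").write_text("<?php $db_password = 'constructed-secret';")
    (site / "app" / "pages" / "home.html").write_text("<h1>Home</h1>")
    (site / "app" / "pages" / "about.html").write_text("<h1>About</h1>")
    return site


class FrontController:
    # Explicit route table: the only app-side files a URL can ever reach.
    # Everything else under app/ (config.php, unlisted templates) has no URL at all.
    ROUTES = {"home": "pages/home.html", "about": "pages/about.html"}

    def __init__(self, site_dir):
        self.public = Path(site_dir, "public").resolve()
        self.app = Path(site_dir, "app").resolve()

    def serve_static(self, url_path):
        """Return the bytes of a file under public/, or None when the URL
        resolves outside the webroot (e.g. '/../app/config.php') or is not a file."""
        candidate = (self.public / url_path.lstrip("/")).resolve()
        inside = candidate == self.public or self.public in candidate.parents
        if not inside or not candidate.is_file():
            return None
        return candidate.read_bytes()

    def dispatch(self, route):
        """Load an app-side page only through the route table; the route name
        is a key, never a path, so no URL can name a file in app/ directly."""
        rel = self.ROUTES.get(route)
        if rel is None:
            return None
        return (self.app / rel).read_text()


if __name__ == "__main__":
    fc = FrontController(build_sample_site())
    print(fc.serve_static("/css/site.css"))        # served: inside public/
    print(fc.serve_static("/../app/config.php"))    # None: escapes the webroot
    print(fc.dispatch("home"))                      # rendered through the route table
    print(fc.dispatch("../config.php"))             # None: not a route
```

The point the answer makes shows up in the two `None` results: with the application directory outside `public/`, neither a directory listing nor a guessed file name can reach `config.php`, because the only code path into `app/` is the dispatcher's fixed table.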

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow