2

I have a web site which requires a user login and password before they can access any materials and use the services. However, a recent VA scan found that one URL link is vulnerable because of an old version of a component. E.g.

https://mydomain/myservice/somelongURLstring.extension

The question I want to ask is, how does the scanner know how to find this vulnerability even though it does not have the login credentials at all? Is it some kind of file/folder configuration problem at the web server side? So should I check the permissions of somelongURLstring.extension? What about things like robots.txt? Would this file be the cause of the scanner being able to find this link?

UPDATE: After poking around for the required string, it was found in a .js file:

document.goform.action = '/myservice/somelongURLstring.extension'

and also from a file called struts.xml.

If it's a js file then it's considered "publicly downloadable" and that's why the scanner is able to find it?

thanks

Pang Ser Lark

2 Answers

4

Difficult to say without knowing how the vulnerability scanner was configured.

I can tell you from experience there are 3 ways that I know of it could have been found:

1.) A web application vulnerability scanner will crawl all URLs found. Is it possible there is a link to this service or page somewhere else on the site, or disclosed through an error page/message?

2.) A web application vulnerability scanner will search for known/common and even unknown/uncommon dirs by directory fuzzing.

3.) The web application vulnerability scanner was provided a list of physical files that resided in the web dir. It then attempted to scan each file without authentication. If proper authentication mechanisms aren't in place, it could have accessed the file in question.

k1DBLITZ
  • I have got some findings. Could it be that a js file is public (even without authentication?) and the scanner can detect it? – Pang Ser Lark Oct 20 '15 at 00:59
  • @PangSerLark If the scanner finds the link to the js file it is definitely possible that the scanner will also find any urls in the js file. – SleepProgger Oct 20 '15 at 01:13
  • @SleepProgger. Thanks for your comments. Normally how does it work? Should a js file also be inaccessible to the public until they have logged in to the system? Somehow, I feel our system is in a mess... some configuration or permission problem and I don't know where to begin fixing it... sigh – Pang Ser Lark Oct 20 '15 at 01:18
  • @PangSerLark As a strong disbeliever in *security through obfuscation*, IMHO it shouldn't matter (esp. because there shouldn't be any security relevant stuff in client side scripts anyway). – SleepProgger Oct 20 '15 at 01:25
  • 2
    @PangSerLark Yes, it will. Today's web application scanners (I have 10+ years of experience with HP WebInspect) are quite sophisticated. If there are URLs in the JavaScript, it will find them. If you have comments in the code, it will find them. Any and all data in the cookie(s) will be parsed and attacked. All headers will be parsed and attacked. All parameters found will be manipulated and attacked. All directories will be probed. There will literally be thousands of requests sent to the web server in an effort to sniff out any and all vulnerabilities. – k1DBLITZ Oct 20 '15 at 01:28
  • @SleepProgger. There may be cases where js files may be using some components that are outdated? For e.g. jQuery always gets outdated and the scanner will reflect that.. – Pang Ser Lark Oct 20 '15 at 02:05
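The first answer and k1DBLITZ's comment describe the crawler step: lift every path out of the public JavaScript, then request each one with no session. The script below is an added example (not from the page or any scanner vendor) that reproduces that check from the defender's side, so the asker can see which paths referenced in a .js file still answer 200 without credentials. The sample JS, the host `mydomain` and the rule that a redirect containing "login" means "protected" are assumptions.

```python
import re
import urllib.request
import urllib.error
from urllib.parse import urljoin

# Constructed sample: a fragment like the one the question found in a .js file.
SAMPLE_JS = """
var api = '/myservice/somelongURLstring.extension';
document.goform.action = '/myservice/somelongURLstring.extension';
// old helper, still shipped: '/myservice/legacy/report.action'
img.src = "/static/logo.png";
"""

# Quoted root-relative paths: what a crawler lifts out of client-side scripts.
PATH_RE = re.compile(r"""['"](/[A-Za-z0-9_./-]+)['"]""")


def extract_paths(js_source):
    """Return the unique root-relative paths referenced in a JS file."""
    return sorted(set(PATH_RE.findall(js_source)))


def default_fetch(url):
    """GET with no cookies or credentials; return (status, Location header)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        # A 302 to the login page is itself the answer, so do not follow it.
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location", "")


def classify(status, location):
    """Map an unauthenticated response to open / protected / missing / other."""
    if status == 200:
        return "open"          # served without a session: this is the finding
    if status in (401, 403) or (status in (301, 302, 303, 307) and "login" in location.lower()):
        return "protected"     # the login wall is doing its job
    if status == 404:
        return "missing"       # referenced by the JS but no longer deployed
    return "other"


def audit(base_url, js_source, fetch=default_fetch):
    """Request every path referenced in js_source without credentials and classify it."""
    return {p: classify(*fetch(urljoin(base_url, p))) for p in extract_paths(js_source)}
```

Run `audit("https://mydomain/", open("app.js").read())` against your own site; any path reported "open" is reachable exactly the way the scanner reached it.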
1

I am sure the web vulnerability scanner was previously fed (by one of your colleagues, whoever is responsible at your workplace) with the needed credentials: otherwise, there is no way for what you stated to happen, because a web vulnerability scanner is just a user that can access only what it is authorized to.

  • hi, no we have not given any credentials to the scanner. – Pang Ser Lark Oct 19 '15 at 14:21
  • 1
    @PangSerLark Are you sure you can not access that specific URL without credentials? –  Oct 19 '15 at 14:23
  • 1
    @PangSerLark If you say no to the question in my comment, I consider the case you describe as a paranormal activity :) because you can consider the scanner just as a user: it accesses data only where it is authorized (authorization is credentials, in this case) –  Oct 19 '15 at 14:27
  • 1
    The scanner has certainly been given access to it in one manner or another. As long as you cannot provide the settings of the whole system, it will be difficult to say what happens exactly, but surely the scanner is given access to those URLs somehow –  Oct 19 '15 at 14:35
  • hi, I have got some findings. Could it be that a js file is public (even without authentication?) and the scanner can detect it? – Pang Ser Lark Oct 20 '15 at 01:02