
Web Assets and Security Risk

In the application security world, blacklisting and whitelisting validations are very popular. They basically indicate what should be allowed and what should not be allowed. I was thinking about the deployment structure of some web applications and paying attention to the way various files are packaged and deployed. I found one interesting thing about web assets such as CSS, images, fonts and JavaScript. When we host web assets, the URLs that actually serve them are not protected up to the mark. Let's say you have an application which has a URL something like this:


When you access the above-mentioned URL, the application may redirect you to the login page. The whole idea is to force the user to authenticate and create a secure session. Once the session is established you can access the account page and do whatever you want to do. But web asset URLs are not protected.




What this says is that if you are hosting the assets and the application on the same physical server, then you need to clearly specify what types of assets are allowed, and if the application detects any other URL it should display an error page. If this is not implemented properly, a malicious internal user can place confidential data in these asset directories and access it from any public machine. No one will notice this activity.
Note: Usually assets are on a web server and the application is deployed on an application server, but in most infrastructure web servers are shared, so one application can become a channel to access another application's files. The point I am trying to make here is that the application should have intelligence about what it can offer and what it cannot. Blacklisting and whitelisting can definitely help in this context.
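As an added illustration of the whitelist described above (example code written for this note, not the post's own), the dispatcher below treats only a fixed set of asset types under a constructed `/assets/` prefix as public, sends any other file under that prefix to the error page, and requires a session for everything else; the prefix, extension list and status codes are assumptions for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed whitelist: the only asset types this deployment serves without
# a session from its public assets directory (assumption for this example).
ALLOWED_ASSET_EXTENSIONS = frozenset({
    ".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
    ".woff", ".woff2", ".ttf",
})
ASSETS_PREFIX = "/assets/"  # assumed public assets prefix


def is_allowed_asset_request(url: str) -> bool:
    """True only for a whitelisted asset type under the assets prefix.

    Anything else placed in the directory (a spreadsheet, a dump, a
    dotfile) is refused, which is what the whitelist is there for.
    """
    path = unquote(urlsplit(url).path)
    if not path.startswith(ASSETS_PREFIX) or "\x00" in path:
        return False
    # Collapse "." and ".." so the resolved path cannot leave the prefix
    normalized = posixpath.normpath(path)
    if not normalized.startswith(ASSETS_PREFIX):
        return False
    # Decide on the final extension; "name" with no extension yields ""
    ext = posixpath.splitext(normalized)[1].lower()
    return ext in ALLOWED_ASSET_EXTENSIONS


def route(url: str, authenticated: bool) -> int:
    """Constructed dispatcher returning an HTTP status for the request.

    200: served; 302: redirect to login; 404: error page for a file type
    the application does not offer under the assets prefix.
    """
    path = unquote(urlsplit(url).path)
    if path.startswith(ASSETS_PREFIX):
        return 200 if is_allowed_asset_request(url) else 404
    return 200 if authenticated else 302


if __name__ == "__main__":
    for sample in ("/account", "/assets/app.css", "/assets/customers.xlsx",
                   "/assets/../account", "/assets/.htpasswd"):
        print(sample, "->", route(sample, authenticated=False))
```

The extension check decides only what the server will hand out; it does not control what gets written into the directory, so the deployment step that packages the assets still needs the same whitelist applied.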

