Skip to main content

Web Assets and Security Risk

In application security world blacklisting and whitelisting validations are very popular. This basically indicates what should be allowed and what shouldn’t be allowed. I was thinking about some of the web applications deployment structure and paying attention on the way various files are packaged and deployed. I found one interesting thing about web assets like CSS, Images and fonts , java scripts. When we host the web assets, URLs that actually provide web assets are actually not protected up to the mark. Let’s say  you have an application which has URL something like this

http://someapplicationname/somecontext/myaccount

when you access the above mentioned URL, application may redirect you to login page, Whole idea is to force user to authenticate him/herself and create a secure session. Once the session is established you can access and the account page and do whatever you want to do. But web asset URLs are not protected.

 http://someapplicationname/somecontext/js/login.js

http://someapplicationname/somecontext/css/main.css

http://someapplicationname/somecontext/images/logo.png

What it says is if you are hosting assets and application in the same physical server then you need to clearly specify what types of assets are allowed and if application detects any other URL, it should display error page. if this is not implemented properly malicious internal user can place confidential data in these assets directory and access it from any public machine. No one will notice this activity.
Note: Usually assets are in web server and application is deployed in application server but in most of the infrastructure web servers are shared, one application can become channel to access other applications file. Point I am trying to make here is that application should have intelligence about what if can offer and what it cannot. Blacklisting and whitelisting can definitely help in this context. 


Labels:

Comments

Post a Comment

Popular posts from this blog

Mobile Message Organizer

Got a basic requirement that i think every mobile should have, all the mail clients have this facility and i dont see any big difficulties on this other than the storage problem which is not a problem at all as we got GB of spaces in our memory cards. Well i am talking about the organizing the messages in Inbox , categorization of messages. Suppose i want to store all the messages from one of my friend say A in a folder called Personal, my existing mobile device Nokai E71 doesn't have this feature inbuilt (Ofcourse if you want you can make a folder and move the messages manually but here i am talking about the idea of automating this procedure). Only thing we need to do is , we have to store the rules in separate location , rules will be defined by the user and then device will follow these rules.There are no or very less software available which satisfy this requirement for mobile device.this is so simple but basic requirement as per the end user. I am going to make this one ...
2 comments
Read more

Indian Education System : Let's shape it

Good advice is always certain to be ignored, but that's no reason not to give it.                                                                                        By Agatha Christie   This is one of the things that I wanted to write from long back and per my opinion it should be matter of at most important for any educated person of India. Today in this article I would like  focus on reminding people about the importance of education and educational departments  no matter those are government related or privately held. Whatever we are to...
1 comment
Read more

Information Security Profile Questions

One of the friend asked this question in one of the popular forums, i thought I should keep copy of my answer in my blog as well. What sort of interview questions can be asked in information security profile? It depends on your role under information security profile, If you are ininformation security engineering role, questions will be more from tools andtechnologies and security audit and analysis methodologies. Questions may comefrom application security(OWASP TOP10), network security or computer forensics. In the corporate world no one expects an information security engineer to bemaster of all the security disciplines. Questions from different operating system techniques and popular web serversand information security architecture will be asked. Various operating system administrationdetails questions may surface. Vulnerability assessment is another topic whichcan be discussed. Security consultant as a profession itself is about being specialist notjournalist. So solid un...
Post a Comment
Read more