In the application security world, blacklisting and whitelisting validations are very popular. They specify what should be allowed and what shouldn't be. I was thinking about how some web applications are deployed and paying attention to the way the various files are packaged and deployed, and I found one interesting thing about web assets such as CSS, images, fonts and JavaScript: the URLs that actually serve these assets are usually not protected to the same standard as the rest of the application. Let's say you have an application which has
a URL something like this
When you access the above mentioned URL, the application may redirect you to a login page. The whole idea is to force the user to authenticate and create a secure session. Once the session is established you can access the account page and do whatever you want to do. But the web asset URLs are not protected.
What this means is that if you are hosting the assets and the application on the same physical server, then you need to clearly specify what types of assets are allowed, and if the application detects any other URL under the assets path it should display an error page. If this is not implemented properly, a malicious internal user can place confidential data in the assets directory and access it from any public machine, and no one will notice the activity.
Note: Usually assets live on the web server and the application is deployed on the application server, but in most infrastructures web servers are shared, so one application can become a channel to access another application's files. The point I am trying to make is that the application should have intelligence about what it can offer and what it cannot. Blacklisting and whitelisting can definitely help in this context.
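As an added illustration of the point above (this is example code written for this page, not the author's own implementation), the following Python gate decides whether a request under an assumed `/assets/` mount point may be served. It compares the whitelist (allowlist) approach, which refuses any extension it does not know, with a blocklist approach, which quietly lets through a planted `.csv` file because nobody thought to name that type. It also includes a small audit helper that flags files in an asset listing that the allowlist would never serve, which is how an operator would notice a confidential file dropped into the directory. The prefix, the extension sets and the sample paths are all assumptions chosen for the example.

```python
"""Allowlist gate for static asset URLs, plus an audit of an asset listing.

Example code added to this page; it assumes a hypothetical asset mount point
"/assets/" and a small, assumed set of permitted extensions.
"""
from __future__ import annotations

import posixpath
from typing import Iterable, List, Tuple

ASSET_PREFIX = "/assets/"  # assumed mount point for CSS, images, fonts, JS

# Whitelist: the only file types the application is willing to serve from the
# assets directory. Anything else (spreadsheets, dumps, backups) is refused.
ALLOWED_EXTENSIONS = {
    ".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg",
    ".woff", ".woff2", ".ttf", ".ico",
}

# Blacklist, shown for contrast: it names a few bad types and therefore
# silently permits every type it did not think of.
BLOCKED_EXTENSIONS = {".xlsx", ".sql", ".bak"}


def normalize(url_path: str) -> str:
    """Drop the query string and collapse '.' / '..' segments.

    The extension check must run on the path the file system would actually
    resolve, e.g. "/assets/../account" really targets "/account".
    """
    return posixpath.normpath(url_path.split("?", 1)[0])


def _extension(path: str) -> str:
    return posixpath.splitext(path)[1].lower()


def decide_allowlist(url_path: str) -> Tuple[int, str]:
    """Default-deny decision: (HTTP status, reason)."""
    path = normalize(url_path)
    if not path.startswith(ASSET_PREFIX):
        return 302, "not an asset path: route through the authenticated application"
    ext = _extension(path)
    if ext in ALLOWED_EXTENSIONS:
        return 200, "serve static asset"
    return 403, f"extension {ext or '(none)'} is not in the asset allowlist"


def decide_blocklist(url_path: str) -> Tuple[int, str]:
    """Default-allow decision, kept only to show the gap it leaves."""
    path = normalize(url_path)
    if not path.startswith(ASSET_PREFIX):
        return 302, "not an asset path: route through the authenticated application"
    ext = _extension(path)
    if ext in BLOCKED_EXTENSIONS:
        return 403, f"extension {ext} is explicitly blocked"
    return 200, "serve static asset (nothing forbade it)"


def unexpected_files(listing: Iterable[str]) -> List[str]:
    """Return relative paths in an asset listing that the allowlist would never serve.

    Feed it the output of a directory walk over the assets root; any hit is a
    file that does not belong there and deserves a look.
    """
    return [name for name in listing if _extension(name) not in ALLOWED_EXTENSIONS]


if __name__ == "__main__":
    # Constructed sample requests: ordinary assets, a planted export, and a
    # traversal attempt that must fall back to the authenticated application.
    for url in ("/assets/style.css", "/assets/app.js?v=3",
                "/assets/customers.csv", "/assets/report.xlsx",
                "/assets/../account/1"):
        print(f"{url:28} allowlist={decide_allowlist(url)[0]} "
              f"blocklist={decide_blocklist(url)[0]}")
    # Constructed directory listing with one file that should not be there.
    print(unexpected_files(["css/site.css", "img/logo.png", "tmp/customers.csv"]))
```

The difference between the two decision functions is the whole argument of the post: `decide_blocklist` returns 200 for `customers.csv` because that type was never listed, while `decide_allowlist` returns 403 for anything it was not told to serve. In a real deployment the same rule belongs in the web server configuration as well, since the application only sees requests the web server forwards to it.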