That answer seems simple to me: All sensitive data need to be protected
using a suitable protection method and NOT just rely on the lack of
knowledge of the URL to reach the document.
This can be a password, certificate, or any other method.
A simple sniffer can reveal the URL of a "protected" document using just
lack-knowledge approach.
- Nelson
-----Original Message-----
From: backed.up.by.2048.bit.encryption_at_hushmail.com
[mailto:backed.up.by.2048.bit.encryption_at_hushmail.com]
Sent: Wednesday, January 08, 2003 12:54 PM
To: webappsec_at_securityfocus.com
Cc: vuln-dev_at_securityfocus.com
-----BEGIN PGP SIGNED MESSAGE-----
Is there anything out there like a port scanner but for websites, where
it dictionary attacks the files. For example you plug in the domain:
http://www.foo.com
and tries to find .html files (or other)
http://www.foo.com - index.html
ndex.html
dex.html
ex.html
......etc
where runs through numerous possibilities to hit on files on the server
(and even) directories). If so, one could certainly hit on some
sensitive information, say where the administrator has been testing
something, or internal product infos etc.
If there is nothing out there like this, why not?
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wnUEARECADUFAj4cj18uHGJhY2tlZC51cC5ieS4yMDQ4LmJpdC5lbmNyeXB0aW9uQGh1
c2htYWlsLmNvbQAKCRDEHQGvBp4eRJLBAKCPZpeToNzqtkqKkaIROClm91qhXgCfe4Eo
/YwZbPRhApi54B5jewqOYCk=
=d2v7
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Big $$$ to be made with the HushMail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427
Received on Jan 08 2003
Intro
