One of the things I do on this site is to monitor requests that produce 404 errors. Originally it was for purely personal reasons (I use a URL shortener for many URLs I post, so it was a way to check I’d got the URL-lengthening right), but very quickly it became obvious that script kiddies were the main source of 404 errors (one, two, three, etc.). The one that still makes me laugh is the script kiddie trying to access a vulnerability in a long-since-fixed Telerik control on my web site (hello! I’m the CTO for DevExpress!).
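To show what that 404 monitoring looks like in practice, here is an added example (my own code, not anything from the post or the site it describes) that reads web-server access-log lines in Common Log Format, collects the distinct paths each client IP received a 404 for, and flags clients whose count of distinct misses crosses a threshold. The log lines are constructed sample traffic, and the threshold of three distinct misses is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log in Common Log Format (invented traffic, not from the post).
# One client probes a string of admin-style paths that do not exist here; another just
# follows one broken link; a third browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old-control.axd HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162
198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /blog/some-post HTTP/1.1" 200 5120
198.51.100.4 - - [10/Oct/2023:14:01:05 +0000] "GET /blog/typo-in-link HTTP/1.1" 404 162
192.0.2.9 - - [10/Oct/2023:14:03:10 +0000] "GET /about HTTP/1.1" 200 2048
192.0.2.9 - - [10/Oct/2023:14:03:11 +0000] "GET /login HTTP/1.1" 200 1024
"""

# Common Log Format: client ident user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict of fields, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def not_found_paths_by_client(lines):
    """Map each client IP to the set of distinct paths for which it received a 404."""
    misses = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "404":
            misses[rec["ip"]].add(rec["path"])
    return misses


def flag_probable_scanners(lines, min_distinct_404s=3):
    """Return {ip: sorted 404 paths} for clients at or above the distinct-miss threshold.

    Counting distinct paths rather than raw 404 hits keeps a reader who reloads one
    broken link a few times from being flagged alongside a client walking a wordlist.
    The default threshold is an assumed value for this example.
    """
    misses = not_found_paths_by_client(lines)
    return {
        ip: sorted(paths)
        for ip, paths in misses.items()
        if len(paths) >= min_distinct_404s
    }


if __name__ == "__main__":
    for ip, paths in flag_probable_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(paths)} distinct 404s -> {', '.join(paths)}")
```

Run against the embedded sample, only 203.0.113.7 is reported; the client with a single mistyped link stays below the threshold. In a real deployment the same function would be pointed at the server's access log, and the flagged list is what you would review (or feed to a blocklist) rather than reading every 404 by hand.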
I just read a pretty fascinating blog post by Steve Hanov, “I found Security Vulnerability in your web application”, which talks about getting an email from some “security consultant” saying that they’d found a security issue with his website. Pay some bounty and they’d tell you what it was. His post goes on to discuss various vulnerabilities for web apps and how you can mitigate them.
For me, one item in particular rang true: “Protect secret web urls”. Yep, try to go to the login page for this site and you’ll find it’s been replaced by a Lorem Ipsum page. The login page has been renamed to a random-character name instead, and it won’t be long before all “login-required” pages and functionality are gone, replaced with an app I run on my laptop. In essence, the web app will just serve web pages; the admin stuff will only be available via a Windows app.
Anyway, do check out Steve’s blog post if you’re running a publicly-visible web app.