Grey bar Blue bar
Share this:

Thu, 10 Jan 2008

Is URL / Variable Name the new Port Number ??

There has been a fair bit of blog buzz about the new SQL Injection worm that ran around infecting sites. I have not looked too deeply into it, but have not yet seen accounts of how the targeting was done. Since the sites do not appear to have been running a common framework i would guess that it was search-engine generated targets based on resource name (like inurl: search.asp)..

For ages we have been telling people that if they had to have a /admin/admin.asp on their internet facing web-app that they would at least help minimize their exposure a little by naming it /admin_[bet_u_dont_find_this]/admin_[another_variable].asp

It at least makes sure that the back-end isnt trivially discovered and hammered on.. (yes this is security through obscurity - but please lets not have this argument unless you mail me with a subject line - "Security by obscurity is useless and here are my banking details to prove it" )

Whats mildly interesting is that considering the possibility of injection targeting through a search for "login.asp", then a simple speedbump would have been naming your resource "login_to_customer_portal.asp". Of course this doesnt make you un-findable, and doesnt protect you from directed attack, but neither did running your SSHD on a non standard port, but we do that anyway to make sure that we dont get hit by the next big SSHD worm..