Dinesh Kumar (India) asked:

Web application -- Security Issue

The web application exposes the presence of the following site directories in the page source ("view source").
 
a)     /app
b)     /scripts

e.g.  <script src="/scripts/JSBundle?v=MPLXzkm07-7hkW9Seha1pOPCgFUXV"></script>

These folder details can be used in attacks.

What can we do so that the site folder names are not exposed while still allowing the site to work?

The site is created in ASP.NET and hosted on IIS.

Thanks
meetDinesh
Topics: Security, Microsoft IIS Web Server, ASP.NET

Last comment: Dinesh Kumar
8/22/2022 - Mon
kaufmed

Are you sure this is a concern? If your folders are that sensitive, then in my opinion you are putting things in the wrong directories. What makes you think this is a security concern?
gheist

Can you list those directories? If not, there is no concern; if you can, you need to disable listings.
btan

Control search engine crawlers with a robots.txt file - e.g. use an option such as Disallow:, which sets the files or folders that are not allowed to be crawled. http://www.inmotionhosting.com/support/website/restricting-bots/how-to-stop-search-engines-from-crawling-your-website

Configure <authorization> elements within your application's Web.config file to control which users and groups of users should have access to the application. You don't need to impersonate for URL authorization to work. In ASP.NET 2.0, URL authorization applies to all files under the given folder. The Web.config usually refers to all of the files in the current directory and all subdirectories (unless a subdirectory contains its own Web.config with an <authorization> element). E.g. to prevent all access to a folder:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>
Your site permissions will be included in the site’s files themselves.
http://www.slickit.ca/2010/01/configuring-iis-directory-security.html

Consider using the HttpForbiddenHandler for files that your application uses internally but that are not intended for download. Also secure the files with Windows ACLs to control which users can access the files when logged on to the Web server.
https://msdn.microsoft.com/en-us/library/ff649337.aspx

Do not neglect the standard practice of adding NTFS permissions to the share's folder. You also need to set the share's permissions to grant at least read access to either the ASP.NET process account or the impersonated identity (if your application is configured for impersonation).
To give Read, Execute, and Write permissions on the MyApp file system directory to user Foo, add the following line to the Manifest.xml file:
<setAcl path="MyApp" setAclAccess="ReadAndExecute, Write" setAclUser="Foo" />

To set the ACL on the path MyApp/Upload to allow anonymous users to upload content, add the following line to your Manifest.xml file:
<setAcl path="MyApp/Upload" setAclAccess="Write" setAclUser="anonymousAuthenticationUser" />

Note that anonymousAuthenticationUser is a special token that will resolve to your configured anonymous authentication identity.

To grant Read access to the MyApp\Data folder for the application pool identity, add the following line to the Manifest.xml file:
<setAcl path="MyApp/Data" setAclAccess="Read" />
http://www.iis.net/learn/get-started/planning-for-security/secure-content-in-iis-through-file-system-acls

Disable directory browsing https://technet.microsoft.com/en-us/library/cc731109(v=ws.10).aspx
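As an added example (not from the thread or from any of its posters) of the hardening these replies point to: a web.config that keeps the folders referenced from the HTML readable, since the browser must fetch those files, while turning off directory listing, refusing source and project files, and denying all HTTP access to a folder the browser never needs. The folder name "internal" is a placeholder; the IIS URL Authorization block requires that role service to be installed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Never ship a debug build; show detailed ASP.NET errors only on the server itself. -->
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" />
  </system.web>

  <system.webServer>
    <!-- GET /scripts/ now returns 403.14 instead of a file index;
         GET /scripts/JSBundle still works because the file itself stays readable. -->
    <directoryBrowse enabled="false" />

    <security>
      <requestFiltering>
        <!-- IIS already denies these by default; listing them makes the intent explicit
             and survives a changed applicationHost.config. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".cs" allowed="false" />
          <add fileExtension=".csproj" allowed="false" />
          <add fileExtension=".config" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>

    <!-- IIS detailed error pages reveal physical paths; keep them local-only. -->
    <httpErrors errorMode="DetailedLocalOnly" />
  </system.webServer>

  <!-- Folder-level deny for content the page never references (placeholder name).
       Applying this to /app, /scripts or /stylesheets would break the site, which is
       the point made in the thread. -->
  <location path="internal">
    <system.web>
      <!-- ASP.NET URL authorization: covers requests handled by managed code. -->
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <!-- IIS URL authorization: also covers static files served by the native handler. -->
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

A request for the folder itself (e.g. /stylesheets/) should then yield a 403 error page rather than a listing, which is the check gheist asks about later in the thread.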
David Johnson, CD

Those areas are required for the browser to work if they are referenced in your web pages.
Dinesh Kumar

ASKER
Let me ask in another way:

The web application exposes the presence of site directories. This can inadvertently provide details about the application that can be used in attacks.

Findings:

The web application exposes the presence of the following site directories:
 
a)     /app
b)     /scripts
c)      /stylesheets
This can inadvertently provide details about the application that can be used in attacks.

A note: these folders are displayed when we view the source of the HTML page.
ASKER CERTIFIED SOLUTION
David Johnson, CD

SOLUTION
kaufmed

btan

Good to review on a "need to" basis and with least-privilege principles to tighten the folder access, so that the apps also do not "break" unnecessarily due to access denial.
Dinesh Kumar

ASKER
I just talked with some security people; they said it's the standard to not show any folder to the browser.
Dinesh Kumar

ASKER
I just talked with some security people; they said it's the standard to not show any folder to the browser in view source, currently app, js and stylesheets.

Do we have any way to not show them and still have the site work?
Dave Baldwin

> I just talked with some security people; they said it's the standard to not show any folder to the browser.
I'm sorry, but that is not even possible. You need to go look at the "View Source" of a lot of web sites so you can see that every folder that contains files used in the web page is listed in the HTML content. Start with this page. There are folder links for 'articles', 'videos', 'members', 'Expert_Testing', and "/topics/security/", "/topics/microsoft-iis-web-server/", "/topics/asp-net/".
gheist

It is standard to have images in an images/ folder (or on a different domain for big sites like Google).
There is no easy way to scramble content so that no folders are shown in the page source (or static resources are not loaded from a constant URL).
btan

What is the security control if directory browsing is disabled and the site goes through security testing sanctioning it as clear, at that instance, of web vulnerabilities, especially remote file inclusion (RFI) or equivalent? They are all attempts to reach a file, but are closed up. Hardening is a better scheme than "obscurity". The folder permission can still be considered, as I shared, to allow read. But totally hiding that can break the apps - so what is the security team's concern? Knowing the threat use case will be good.

Note that even a web page will load scripts and images etc. to run, and browser hover-over may also show it under properties (right click on the object) in the "Address (URL)". That to me is also revealing.
Dinesh Kumar

ASKER
Yes, they are standard folders and it does not make sense to hide them. However, I need to check those JS files manually for any sensitive information in order to close this.
Thank you.
SOLUTION
Shalom Carmel

gheist

When you open source of this page you see:
<link href='//fonts.googleapis.com/css?family=Open+Sans:400,300,700' rel='stylesheet' type='text/css'>
    <link rel="stylesheet" href="//experts.cachefly.net/css/2/46ee452ed928e168329ba188ab99c7181881a71c366ba69a84ff17bc23521433.css" media="all" />
    <link rel="stylesheet" href="//experts.cachefly.net/css/2/6fd7990c7b61f291d70767fcf90ff88c92a1571fcafdabed97d3ee6041590c27.css" media="all" />
    <script src="//experts.cachefly.net/js/2/d487b0d4d961a96067ced6f47d2cc74d5c1046a073b76c1a7e9d6e98962617ef.js" type="text/javascript"></script>
    <script src="//experts.cachefly.net/js/2/9a393723cc0e5612ef7741131d89453bb9bb8abcaf08697ce0380119a5d2ca52.js" type="text/javascript"></script>


You mean e-e is insecure?
btan

The js folder will depend on your application files, but if you mean the standard jQuery js file then I do not see anything sensitive. As mentioned, it is not effective to hide, as the security concern is probably to deny access; if you pass online security checks such as sitecheck (https://sitecheck.sucuri.net//) or whatever your security team proposed to check against with web scanner tools, I do not see any further hardening except in your app code. The source .cs files should not be in those standard folders and should be removed from public access. Only the assembled and compiled DLLs are likely loaded, and they are not retrieved by the client.

As previously mentioned, hardening is key, being holistic rather than pinpointing a specific perceived "gap" per se. Do consider reviewing it as a whole; check on UrlScan v3.0 and using URL Rewrite to prevent image hotlinking for further tightening, especially for self-containment of the service within the site only and not external sites. The others are as per the authz stated. It is pretty tough to stop access for the sake of security if the latter is a false positive when all low-hanging risks are closed. Admin and user internal access control of the web server is a separate discussion from public access.
http://www.codeproject.com/Articles/291562/Asp-net-web-application-Security-Review-Dos-Dont
SOLUTION
David Johnson, CD

SOLUTION
kaufmed

David Johnson, CD

Yes, you should have directory browsing disabled; ask them if this is what they mean.
btan

Then the security folks are not clear in the requirement; it is all part of hardening, as mentioned earlier upfront in the posting ... UrlScan locks down the fundamentals, and if they really need compliance then establish the baseline using CIS standards ... but compliance does not mean secured.
gheist

If you go to the directory /stylesheets/ - do you see a directory listing with files, or some error?
Dinesh Kumar

ASKER
Thank you all for your timely support.