December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's Cookbook
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 6-7: Detecting Source Code Leakages
This recipe shows you how to find source code leakages in response body data.
Ingredients
- ModSecurity
- modsecurity_crs_50_outbound.conf
- @pm operator
- @rx operator
There are a number of different scenarios in which dynamic application code does not execute server-side and the source code is instead sent directly to the client. Although some code leakages are a result of malicious intent, in other situations they are an unintended by-product of a system change. For example, if the OS file execution bit is accidentally removed, the web application may not execute code with the file and instead sends the contents to the client. Currently a public vulnerability allows remote attackers to easily reveal the source code of PHP-CGI applications. By simply adding -s directly after the question mark character at the beginning of the query_string, an attacker can trick the application into showing its source code, as shown in Figure 6-3.
Figure 6-3: PHP-CGI Source code disclosure attack
This is obviously an undesirable situation, because it can disclose sensitive internal information about your web application logic. Therefore, it should be prevented at all costs. The OWASP ModSecurity Core Rule Set includes a file called modsecurity_crs_50_outbound.conf, which inspects the response body content and looks for signs of source code that did ...