Recipe 6-7: Detecting Source Code Leakages
This recipe shows you how to find source code leakages in response body data.
Ingredients
- ModSecurity
- modsecurity_crs_50_outbound.conf
- @pm operator
- @rx operator
There are a number of different scenarios in which dynamic application code does not execute server-side and the source code is instead sent directly to the client. Although some code leakages are a result of malicious intent, in other situations they are an unintended by-product of a system change. For example, if the OS file execution bit is accidentally removed, the web application may not execute code with the file and instead sends the contents to the client. Currently a public vulnerability allows remote attackers to easily reveal the source code of PHP-CGI applications. By simply adding -s directly after the question mark character at the beginning of the query_string, an attacker can trick the application into showing its source code, as shown in Figure 6-3.
Figure 6-3: PHP-CGI Source code disclosure attack
This is obviously an undesirable situation, because it can disclose sensitive internal information about your web application logic. Therefore, it should be prevented at all costs. The OWASP ModSecurity Core Rule Set includes a file called modsecurity_crs_50_outbound.conf, which inspects the response body content and looks for signs of source code that did ...
Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
