Owasp hacking problems
Akwak.
Role of information leakage: We are preparing reconnaissance searching for vulnerabilities and holes for more vital attacks. So we are looking for any information about the structure of server, database, or site we want to attack.
OWASP 2007---OWASP 2007 A6 - Information Leakage---PHP MyAdmin Console
1. First approach: If we somehow are able to obtain access to PHP MyAdmin Console we can observe following information
So we are able obtain basic information about our server side. It means we can try to attack default configuration of server.
2. Second approach (deeper): If we can have access to php my admin console it is very likely that we can acknowledge the structure of database (probably we cannot ask queries because of missing tables of phpmyadmin )) which can help us to do better sql injections.
Prevention: Block default users of phpmyadmin or to turn it off
OWASP 2007---OWASP 2007 A6 - Information Leakage---PHP Info Page
This sub page is strictly to catch details which can expose structure of victim site. Here I show some of information that can be useful in other attacks.
Here we can obtain information about more specific location of the server and about its software
Here we can find out what hash engines are supported by the site to narrow iterations of breaking the password hash.
OWASP 2007---OWASP 2007 A6 - Information Leakage---Robots.txt
The disclaimer of the site probably should tell you everything.
“IIf a sensitive file is placed in robots.txt without proper authorization controls protecting the file, site visitors may discover the contents and browse to the files. “
What about information leakage? If we go to the robots file we can try to get access to every location stored hoping to get some unrestricted files.
Prevention: Restrict access to files in robots.txt
OWASP 2007---OWASP 2007 A6 - Improper Error Handling---User Info...
adiau2