Add test for common backup archive files #27
Conversation
This sounds reasonable, but I wonder if there's some justification for the filenames. It looks a bit arbitrary. Did you do scans and can give a distribution of how common these filenames are? Did you see attacking attempts in webserver logs?
The file names are just the ones that I found in the above mentioned file. A scan on one million websites reveals the following name distribution:

Since Additionally, I just had the idea to add the files
- remove wwwroot.tar.gz
- add [hostname].zip and [hostname].tar.gz
- add [domain].zip and [domain].tar.gz

See #27 for further information.
@timonegk can you contact me directly, e.g. via email? (find my contact info here https://hboeck.de/en/contact.html )
Considering https://www.golem.de/news/websicherheit-datenlecks-durch-backup-zip-1904-140564.html has been published now, I guess you can also merge this here? 😃
Like @rugk I think so too.
Possibly only document it in the TESTS.md file before…
I'll merge this for now so you get credits in the git history, but I'll replace it with a somewhat different test code and will start by using backup.* and will gradually test other filenames and decide whether I'll add them.
FYI I renamed the test to backup_archive for consistency (all other tests are singular and the messages were as well). Also opened an issue for further filenames: #41 |
What about
This pull request adds a simple check for common backup archive files. The list of files consists of backup.zip, www.zip, wwwroot.zip, backup.tar.gz, www.tar.gz and wwwroot.tar.gz (the file names were inspired by https://github.com/unamer/CTFHelper/blob/master/CTFhelper.py#L82). Even though these files do not exist very often (approx. 0.1% of the checked hostnames), the security implications of a found backup are huge. A backup archive does not only contain source code which provides an insight into the site structure but it may also contain secret keys, database passwords or database dumps. Additionally, the test is inexpensive requiring only six HTTP requests.
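The check the pull request describes, written out as an added self-assessment example for verifying your own hosts; this is not the project's own test code and does not reproduce it. It builds the candidate list from the PR description plus the [hostname]/[domain] names proposed in the follow-up commit, and adds one caveat a practitioner wants that the description does not spell out: a site that answers 200 to every path would otherwise flag all six names, so a hit is only reported when the first bytes carry a zip or gzip signature. The function names, the `Range` header trick and the User-Agent string are assumptions of this example.

```python
import urllib.error
import urllib.request

# Fixed names from the pull request description (wwwroot.tar.gz was dropped in
# the follow-up commit); the host- and domain-derived names come from that commit.
FIXED_NAMES = ["backup.zip", "www.zip", "wwwroot.zip", "backup.tar.gz", "www.tar.gz"]

# Leading bytes of the two archive formats the check looks for.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip"}


def candidate_names(hostname):
    """Candidate archive names for one host: the fixed list plus
    <hostname>.zip/.tar.gz and <domain>.zip/.tar.gz, where the domain is the
    hostname with a leading 'www.' removed. Duplicates are dropped."""
    domain = hostname[4:] if hostname.startswith("www.") else hostname
    names = list(FIXED_NAMES)
    for base in dict.fromkeys([hostname, domain]):  # dedupe, keep order
        names.append(base + ".zip")
        names.append(base + ".tar.gz")
    return names


def classify_response(status, body_prefix):
    """Return 'zip', 'gzip' or None. Only 200/206 responses whose first bytes
    carry an archive signature count, so a catch-all HTML page that answers
    200 to every path does not produce false positives."""
    if status not in (200, 206):
        return None
    for magic, kind in ARCHIVE_MAGIC.items():
        if body_prefix.startswith(magic):
            return kind
    return None


def check_host(hostname, scheme="https", timeout=5):
    """Request each candidate once, reading only the first four bytes, and
    return a list of (url, kind) for names that look like real archives."""
    findings = []
    for name in candidate_names(hostname):
        url = f"{scheme}://{hostname}/{name}"
        req = urllib.request.Request(
            url,
            headers={"Range": "bytes=0-3", "User-Agent": "backup-archive-self-check"},
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                kind = classify_response(resp.status, resp.read(4))
        except urllib.error.HTTPError:
            kind = None  # 404, 403, ...: nothing served under this name
        except (urllib.error.URLError, OSError):
            continue  # unreachable host or TLS problem: skip this name
        if kind:
            findings.append((url, kind))
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    for url, kind in check_host(host):
        print(f"exposed {kind} archive: {url}")
```

Run it as `python3 backup_check.py www.your-host.example`. Reading only four bytes keeps the cost at one small request per name even when a multi-gigabyte archive is present; a server that ignores the `Range` header still only has its first four bytes read before the connection is closed.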