
Add test for common backup archive files #27

Merged

merged 4 commits into from Apr 29, 2019

Conversation

@timonegk
Contributor

timonegk commented Jun 6, 2018

This pull request adds a simple check for common backup archive files. The list of files consists of backup.zip, www.zip, wwwroot.zip, backup.tar.gz, www.tar.gz and wwwroot.tar.gz (the file names were inspired by https://github.com/unamer/CTFHelper/blob/master/CTFhelper.py#L82).
Even though these files do not exist very often (approx. 0.1% of the checked hostnames), the security implications of a found backup are huge. A backup archive does not only contain source code which provides an insight into the site structure but it may also contain secret keys, database passwords or database dumps. Additionally, the test is inexpensive requiring only six HTTP requests.

@hannob
Owner

hannob commented Jun 19, 2018

This sounds reasonable, but I wonder if there's some justification for the filenames. It looks a bit arbitrary. Did you do scans and can give a distribution of how common these filenames are? Did you see attacking attempts in webserver logs?

@timonegk
Contributor Author

timonegk commented Jul 3, 2018

The file names are just the ones that I found in the above mentioned file. A scan on one million websites reveals the following name distribution:

backup.zip: 318
www.zip: 156
wwwroot.zip: 108
backup.tar.gz: 95
www.tar.gz: 16

Since wwwroot.tar.gz has not been found, it should probably be removed from the list.

Additionally, I just had the idea to add the files [hostname].zip and [hostname].tar.gz. From the small amount of scans that I already ran with these additional files, they seem to occur more often than the ones specified above. I will add the according commit to this pull request.

- remove wwwroot.tar.gz
- add [hostname].zip and [hostname].tar.gz
- add [domain].zip and [domain].tar.gz

See #27 for further information.
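The check described in the pull request description and refined in the follow-up comment (the fixed names with wwwroot.tar.gz dropped, plus [hostname].zip, [hostname].tar.gz, [domain].zip and [domain].tar.gz) can be expressed as a small candidate-list builder. The code below is an added example, not snallygaster's own test code: the helper names (`registered_domain`, `candidate_names`, `looks_like_archive`, `check_host`), the "last two labels" guess for the domain, and the magic-byte check are all assumptions made here. The magic-byte check is the part a practitioner would want: a server that answers every unknown path with a 200 HTML page would otherwise report six false hits.

```python
"""Added example (not snallygaster's own code): build the backup-archive
candidate list from the pull request and confirm a response really is an
archive by its leading bytes, so soft-404 HTML pages are not reported."""
from typing import Callable, Dict, List, Optional
import urllib.error
import urllib.request

# Fixed names from the pull request; wwwroot.tar.gz was dropped after the scan.
FIXED_NAMES = ["backup.zip", "www.zip", "wwwroot.zip", "backup.tar.gz", "www.tar.gz"]
EXTENSIONS = [".zip", ".tar.gz"]


def registered_domain(hostname: str) -> str:
    """Naive registrable-domain guess: the last two labels of the host name.
    Assumption for this example; a real scanner would consult a public
    suffix list so that hosts under co.uk and similar are handled."""
    labels = hostname.strip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def candidate_names(hostname: str) -> List[str]:
    """Ordered, de-duplicated archive names to probe for one host:
    the fixed names, then <hostname>.<ext> and <domain>.<ext>."""
    names = list(FIXED_NAMES)
    for base in (hostname.lower(), registered_domain(hostname)):
        for ext in EXTENSIONS:
            name = base + ext
            if name not in names:  # hostname == domain for bare domains
                names.append(name)
    return names


def looks_like_archive(body: Optional[bytes]) -> Optional[str]:
    """Classify a response prefix by magic bytes: zip starts with PK\\x03\\x04,
    gzip (tar.gz) with \\x1f\\x8b. Anything else (HTML error pages) is None."""
    if not body:
        return None
    if body.startswith(b"PK\x03\x04"):
        return "zip"
    if body.startswith(b"\x1f\x8b"):
        return "gzip"
    return None


def _fetch_prefix(url: str, limit: int = 16, timeout: int = 10) -> Optional[bytes]:
    """Fetch only the first `limit` bytes of a URL; None on any error."""
    req = urllib.request.Request(url, headers={"User-Agent": "backup-archive-check/example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read(limit)
    except (urllib.error.URLError, OSError, ValueError):
        return None


def check_host(hostname: str,
               fetch: Optional[Callable[[str], Optional[bytes]]] = None,
               scheme: str = "https") -> Dict[str, str]:
    """Probe every candidate name on the host and return {name: archive type}
    for responses whose bytes really are an archive. `fetch` is injectable so
    the logic can be exercised offline against constructed responses."""
    fetch = fetch or _fetch_prefix
    hits: Dict[str, str] = {}
    for name in candidate_names(hostname):
        kind = looks_like_archive(fetch(f"{scheme}://{hostname}/{name}"))
        if kind:
            hits[name] = kind
    return hits


if __name__ == "__main__":
    # Offline demonstration with constructed responses: one real zip and one
    # soft-404 page that a status-code-only check would have counted as a hit.
    constructed = {
        "https://www.example.com/backup.zip": b"PK\x03\x04\x14\x00\x00\x00",
        "https://www.example.com/www.zip": b"<html><body>Not found</body></html>",
    }
    print(candidate_names("www.example.com"))
    print(check_host("www.example.com", fetch=constructed.get))
```

Running the block as a script prints the nine candidate names for `www.example.com` and reports only `backup.zip` as a hit, because the `www.zip` response is HTML rather than a zip header; replace the constructed `fetch` with the default to probe a host you administer.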

@hannob
Owner

hannob commented Mar 10, 2019

@timonegk can you contact me directly, e.g. via email? (find my contact info here https://hboeck.de/en/contact.html )

@rugk

rugk commented Apr 23, 2019

Considering https://www.golem.de/news/websicherheit-datenlecks-durch-backup-zip-1904-140564.html has been published now, I guess you can also merge this here? 😃

@ghost

ghost commented Apr 24, 2019

Like @rugk I think so too.
Please merge it to the test.

@rugk rugk left a comment

Possibly only document it in the TESTS.md file before…

@hannob
Owner

hannob commented Apr 29, 2019

I'll merge this for now so you get credits in the git history, but I'll replace it with a somewhat different test code and will start by using backup.* and will gradually test other filenames and decide whether I'll add them.

@hannob hannob merged commit 790afdc into hannob:master Apr 29, 2019
@hannob
Owner

hannob commented Apr 30, 2019

FYI I renamed the test to backup_archive for consistency (all other tests are singular and the messages were as well). Also opened an issue for further filenames: #41
I'm running tests with different filenames and will add them as they seem worthy.

@michael-k

> all other tests are singular

What about test_backupfiles and test_phpwarnings? Should they be renamed as well?

4 participants