Question
During penetration tests it may turn out that some sensitive URLs are reachable from the internet (back-end parts of the application: admin pages, configuration files, .git directories, etc.).
Environment
- WAF Policy
Answer
- Explicit URL entries in a WAF policy block only the exact URLs and folder paths that are listed.
- Matching is exact, so subfolders and files beneath a listed folder are not covered, e.g. /examples/jsp/snp/snoop.jsp or files under /.well-known/.
- Subfolders and files can instead be blocked by attack signatures, for example:
  - Violation: Attack signature detected; Attack Type: Predictable Resource Location; Signature Name: Web-Server examples dir access
  - Violation: Attack signature detected; Attack Type: Predictable Resource Location; Signature Name: Unix hidden (dot-file) access
- If the URLs are not blocked by attack signatures, explicit blocking should be enabled. Example entries:
  - /admin.html
  - /test/ -- Note: in this case subfolders and files inside the test folder are NOT blocked, ONLY the /test/ location itself. After enabling the entry, verify it by requesting a file underneath the folder (e.g. /test/index.html) and confirming whether it is still served.
- Blocking wildcards (an entire subtree such as /test/ and everything below it): contact the F5 Silverline SOC to develop an iRule (name: Disallowed Wildcard URLs).
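The following iRule is an added illustration of what subtree ("wildcard") blocking looks like on a BIG-IP; it is not the Silverline SOC's "Disallowed Wildcard URLs" iRule and is not code from this article. The prefix list, the dot-file glob, the /.well-known/acme-challenge/ exception and the log messages are assumptions to be adapted per application.

```tcl
# Added example: illustrative wildcard-blocking iRule. Not the Silverline SOC's
# "Disallowed Wildcard URLs" iRule; the prefix list, dot-file glob, ACME exception
# and log text are assumptions to adapt for the application being protected.
when RULE_INIT {
    # Folder prefixes whose entire subtree must be blocked (hypothetical list).
    # Unlike an explicit URL entry, a prefix covers every file and subfolder below it.
    set static::disallowed_prefixes [list "/test/" "/examples/" "/.git/" "/admin/"]
}

when HTTP_REQUEST {
    # HTTP::path carries no query string. Percent-decode and lowercase it so that
    # /%54est/ and /TEST/ are compared as /test/ rather than slipping past the list.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Refuse traversal sequences outright: the origin server may normalise
    # /public/../test/x into a blocked folder that a plain prefix check would miss.
    if { $path contains "/../" } {
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
        return
    }

    # Hypothetical exception: ACME HTTP-01 validation lives under /.well-known/
    # and would otherwise be caught by the dot-file glob below.
    if { $path starts_with "/.well-known/acme-challenge/" } {
        return
    }

    # Prefix match blocks /test/, /test/index.html, /test/a/b/c.jsp, ...
    foreach prefix $static::disallowed_prefixes {
        if { $path starts_with $prefix } {
            log local0. "Blocked wildcard URL [HTTP::path] from [IP::client_addr]"
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
            return
        }
    }

    # Glob match for hidden (dot) files and folders at any depth, e.g. /app/.env or
    # /.svn/entries, similar in intent to the "Unix hidden (dot-file) access" signature.
    if { $path matches_glob "*/.*" } {
        log local0. "Blocked dot-file path [HTTP::path] from [IP::client_addr]"
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
        return
    }
}
```

Two points worth checking when adapting this: a prefix written as /test/ does not match the bare path /test (add that form as well if the application answers on it), and returning 403 from the WAF confirms to a tester that the path exists, so a 404 response can be substituted if that is preferred. After deployment, verify with a request to a file below the folder (for example /test/index.html, assuming such a file exists) and confirm the response comes from the iRule rather than from the origin.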