
Q&A: How to block/disallow access to URI?

Question

During penetration tests it may turn out that some sensitive URLs are accessible from the internet (back-end parts of the application: admin pages, configuration, .git files, etc.).


Environment

  • WAF Policy


Answer

  • WAF Policies block only the explicit URLs and folders listed in the policy.
    • An explicit entry does not cover the subfolders and files beneath it, e.g. /examples/jsp/snp/snoop.jsp or /.well-known/
  • Subfolders and files can instead be blocked by Attack signatures. Two relevant signatures, as they appear in the WAF violation log:

    Violations         Attack signature detected
    Attack Type        Predictable Resource Location
    Signature Name(s)  Web-Server examples dir access

    Violations         Attack signature detected
    Attack Type        Predictable Resource Location
    Signature Name(s)  Unix hidden (dot-file) access

  • If a URL is not caught by an Attack signature, explicit blocking must be enabled for it in the WAF policy.
    • Example:
      • /admin.html
      • /test/  -- Note: in this case the subfolders and files inside the test folder won't be blocked, ONLY the /test/ location itself.
    • After enabling an entry, confirm with a test request that the URL now returns the blocking response and that the violation is recorded in the log; a request for a file below the folder will show whether it is still reachable.
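The two matching layers described above, as an added example that is not from the original article and not the WAF vendor's own code: a small Python model in which explicit disallowed URLs are exact matches while signatures are patterns that also catch subfolders and files. The two regexes are assumed approximations of what the "Web-Server examples dir access" and "Unix hidden (dot-file) access" signatures match, not the vendor's definitions; the path normalisation (percent-decoding, dot-segment removal) is added so that an encoded or traversal form of a disallowed URL cannot slip past the explicit entry.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed policy: the explicit disallowed URLs from the example above.
# Entries are exact matches, so "/test/" covers only "/test/" itself.
DISALLOWED_URLS = {"/admin.html", "/test/"}

# Assumed approximations of the two attack signatures (the real signature
# definitions are not published on this page).
SIGNATURES = [
    ("Web-Server examples dir access", re.compile(r"^/examples/")),
    ("Unix hidden (dot-file) access", re.compile(r"(^|/)\.[^/]")),
]


def normalize_path(raw_uri):
    """Return the decoded, dot-segment-resolved path of a request URI.

    Decoding and '..' resolution happen before matching so that
    '/admin%2Ehtml' or '/x/../admin.html' still hit the explicit entry.
    """
    path = urlsplit(raw_uri).path or "/"
    # Decode twice to also catch double-encoding (%252E -> %2E -> .).
    path = unquote(unquote(path))
    norm = posixpath.normpath(path)
    # normpath drops the trailing slash that marks a folder entry; keep it.
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def evaluate(raw_uri):
    """Return (verdict, reason) for a request URI.

    Layer 1: exact match against the explicit disallowed URLs.
    Layer 2: pattern match against the attack signatures.
    """
    path = normalize_path(raw_uri)
    if path in DISALLOWED_URLS:
        return ("block", "disallowed URL: " + path)
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return ("block", "attack signature: " + name)
    return ("allow", "no explicit URL or signature matched")


if __name__ == "__main__":
    # Constructed sample requests showing where each layer applies.
    for uri in ["/admin.html", "/admin%2Ehtml", "/x/../admin.html",
                "/test/", "/test/index.html", "/test/.git/config",
                "/examples/jsp/snp/snoop.jsp", "/.well-known/"]:
        verdict, reason = evaluate(uri)
        print(f"{uri:32} {verdict:5} {reason}")
```

Running the block prints that /test/ is blocked while /test/index.html is allowed (the explicit entry does not reach into the folder), whereas /test/.git/config, the examples directory and /.well-known/ are caught by the signature layer regardless of depth.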
