is nothing more than  Security Through Obscurity . Its important to

understand that simply because a resource is unknown to an

attacker, it still remains accessible directly through a specific URL.

The specific URL could be discovered through a Brute Force probing

for common file and directory locations (/admin for example), error

messages, referrer logs, or perhaps documented in help files. These

resources, whether they are content or functionality driven, should be

adequately protected.

Example

Many web applications have been designed with administrative

functionality location directory off the root directory (/admin/). This

directory is usually never linked to anywhere on the web site, but can

still be accessed using a standard web browser.

Since the user or developer never expected anyone to view this page

since its not linked, adding authentication is many times overlooked.

If an attacker were to simply visit this page, they would obtain

complete administrative access to the web site.

1.3  Weak Password Recovery Validation

Weak Password Recovery Validation is when a web site permits an

attacker to illegally obtain, change or recover another user's

password. Conventional web site authentication methods require

users to select and remember a password or passphrase. The user

should be the only person that knows the password and it must be

remembered precisely. As time passes, a user's ability to remember

a password fades. The matter is further complicated when the

average user visits 20 sites requiring them to supply a password.

(RSA Survey: http://news.bbc.co.uk/1/hi/technology/3639679.stm)

Thus, Password Recovery is an important part in servicing online

users.

Examples of automated password recovery processes include

requiring the user to answer a  secret question  defined as part of the

12

Copyright 2004, Web Application Security Consortium. All rights reserved.