Web Enabled Documents
Sunday, 17 July 2011 00:30
Cross-platform information regarding documentation and pseudo comments found within the source code of web locations, and how these comments can be leveraged to gain access.



Web Document Leakage:



    Web documents are served up to millions of users hourly. However, behind the scenes, web applications (for some companies) are serving up much more information than initially thought.

    Depending on the browser you choose (each one varies), you can view a document's source by clicking View > Page Source. Page source normally contains HTML and other languages that piece the web application together. A typical page source view looks as follows:


Example of web commenting - Data has been selected. Although this is not showing much information, comments can include devastating details about the network, etc.

    Although the comment in the above example only shows us that it's there for Internet Explorer compatibility, other comments can provide a lot more information than intended. Such information may include version numbers, the software used, and the underlying system. Many times, web developers also leave notes for other developers by placing comments within their code, such as passwords and user names for accessing portions of the web site. An example of this would be as follows:


An example displaying a user name and password to access a secure location.



    Based upon this information, an attacker has some newly added information in his toolkit. For starters, he's got two accounts that he can attack: a commonly created "test" account, and an administrator's account. To make things worse, the developers of our widget web site have also left their company e-mail addresses. However, the plot can thicken here. Many organizations (as we are all users, and if training is not implemented in a security policy) will in fact reuse the same password. Attackers will then attempt to search the internet to find the web mail login for that e-mail address and attempt to use if not one of the passwords provided in the pseudo code, then both! Chances are, the attackers will be successful if user education and awareness have not been followed.

    If this just isn't enough to show you how bad pseudo code can be if it hits the internet, take this into consideration. Not only can a breach in security be enough to send your clients running to a competitor; also think of how bad it would be if your employees are talking trash about your customers! It's happened many times, and was the talk of the internet in 2006/2007. It was also covered in our section about document commenting and metadata information. Many times office personnel will create rants within Word documents, re-read them and remove them. And, lo and behold, the rants are still inside the documents when they are published (given you know where to look for them).

Another interesting fact about document commenting: if it's not removed, you will sometimes end up with code as follows:




A rant between two workers, including additional information such as user names!


    The fun really doesn't stop here, though; it can continue. Many times, on machines which have (active) X11 sessions and are being worked on in real time (with tools like gedit installed), administrators forget that gedit actually performs a backup of the last item(s) edited. In the example below, you can see where we've highlighted the information in regard to this. And, if these files reside on your server, you should consider taking them down at once!


A simple information gathering tool which demonstrates how an attacker can view .html~ files which have been archived on the web location.
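
An added example (not part of the original article or any tool it shows): a pre-publication audit a site owner can run over the web root, covering both leaks discussed above, comments that carry account details and gedit-style `~` backup copies. The keyword list, file extensions and sample page are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from html.parser import HTMLParser

# Assumed keyword list for risky comments; tune it for your own site.
SENSITIVE = re.compile(r"\b(pass(word|wd)?|user(name)?|login|admin)\b|[\w.+-]+@[\w-]+\.\w+", re.I)
CONDITIONAL = re.compile(r"^\[if\s[^\]]*\]>", re.I)    # IE conditional comments are markup, not notes
BACKUP = re.compile(r"(~|\.bak|\.swp|\.orig)$", re.I)  # gedit "name~" plus other editor leftovers
PAGE_EXT = (".html", ".htm", ".php", ".asp", ".aspx", ".jsp")

class CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []
    def handle_comment(self, data):
        self.comments.append((self.getpos()[0], data.strip()))

def audit_webroot(root):
    """Return (kind, relative_path, line, detail) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if BACKUP.search(name):        # editor backup copy left beside the page
                findings.append(("backup-file", rel, 0, "remove from web root"))
            elif name.lower().endswith(PAGE_EXT):
                parser = CommentCollector()
                with open(path, encoding="utf-8", errors="replace") as fh:
                    parser.feed(fh.read())
                for line, text in parser.comments:
                    if SENSITIVE.search(text) and not CONDITIONAL.match(text):
                        findings.append(("sensitive-comment", rel, line, text[:60]))
    return findings

def demo():
    """Run the audit over a constructed sample site (all values are made up)."""
    page = ('<html>\n<head>\n<!--[if lt IE 9]><script src="ie.js"></script><![endif]-->\n'
            '</head>\n<body>\n<!-- test login: user=test pass=EXAMPLE-ONLY -->\n</body></html>\n')
    with tempfile.TemporaryDirectory() as root:
        for name in ("index.html", "index.html~"):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(page)
        return audit_webroot(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running `audit_webroot` against the staging copy of a site before each publish lets flagged comments be stripped and backup files deleted before they are ever served.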



 


© 2007 Network Defense Solutions, Inc.
All Rights Reserved