Some random string is appended prefixed by a DOT at the end of URL



  • Recently we ran a security scan on one of our web applications, and it reported one issue as a path-based vulnerability. The scenario is as follows.

    The request URL which our application is intended to accept is www.host.com/what/ever/ourPage, but the security report shows www.host.com/what/ever/ourPage.old as a malicious URL, even though our application redirects that request to www.host.com/what/ever/ourPage without any problem. This is what the security scan report says:

    Threat: A potentially sensitive file, directory, or directory listing was discovered on the Web server.

    Impact: The contents of this file or directory may disclose sensitive information.

    Solution: Verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.

    We are using a number of tracking and campaign tools as well, so we are not sure whether this gets appended by one of them.

    Is it a good idea to block that kind of request, and could I please know why?



  • It looks like your scanner is checking for backed-up or cached copies of web pages with extensions that would result in the entire file being served as plaintext, leaking the server-side code and any secrets contained in it. This may happen either because some text editor left a cached copy of the file or because some developer manually created a backup copy.

    Since you say your web server redirects the request to the original file, this looks like a false positive.
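The triage the answer describes, as an added example that is not part of the original post: given the scanner's URL and the response the server actually returned, decide whether a backup-suffix finding is a real leak (the raw file served) or a false positive (redirect to the canonical page, or 404). The suffix list and the source-code markers are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Suffixes that commonly mark editor or backup copies of server-side files.
# Assumed list for this example; extend it for your own environment.
BACKUP_SUFFIXES = (".old", ".bak", ".orig", ".save", ".swp", ".tmp", "~")

# Heuristic markers of unrendered server-side source (assumed, not exhaustive).
SOURCE_MARKERS = re.compile(rb"<\?php|<%|^\s*(import|require|using)\b", re.M)


def is_backup_path(path: str) -> bool:
    """True when the last path segment ends in a backup/editor suffix."""
    last = path.rstrip("/").rsplit("/", 1)[-1].lower()
    return any(last.endswith(s) for s in BACKUP_SUFFIXES)


def triage(url: str, status: int, headers: dict, body: bytes) -> str:
    """Classify a scanner finding from the response the server really gave.

    Returns 'true-positive', 'false-positive' or 'review'.
    """
    if not is_backup_path(urlsplit(url).path):
        return "review"  # not the backup-copy pattern this check is about
    ctype = headers.get("Content-Type", "").lower()
    location = headers.get("Location", "")
    if 300 <= status < 400:
        # Redirect back to a non-backup URL, as in the question: no file leaked.
        if location and not is_backup_path(urlsplit(location).path):
            return "false-positive"
        return "review"
    if status == 404:
        return "false-positive"
    if status == 200:
        # A 200 that is not rendered HTML, or that contains source markers,
        # is the raw backup copy being served: the real problem.
        if "text/html" not in ctype or SOURCE_MARKERS.search(body[:4096]):
            return "true-positive"
        return "review"  # rendered page via a catch-all route; inspect manually
    return "review"
```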


