On Sat Dec 28, 2019 at 1:34 AM Tero Kivinen wrote:
> I am a bit concerned about the need for tooling for this file. Why do
> you think we need tooling? Is there really going to be so many
> vulnerabilities found in general that such tooling is required? My
> take would be that a security researcher would simply cut & paste the
> contact information from this file and use that, and that is the
> tooling required. Or directly click the link in the policy keyword to read
> that, etc.
There is already a demand for tooling by the public; this was not necessarily something we (the authors) came up with. Some of the published tooling developed by members of the public can be found here: https://securitytxt.org/projects.
Also, as others have already pointed out on this mailing list, Shodan (https://www.shodan.io/) and disclose.io (https://disclose.io/) index contact information from security.txt files.
Since there is already tooling out there, I think it is safe to say that people do not necessarily want to extract information from a security.txt file manually.
> I can see the reason for redirects, I do not really see that big a
> difference between root and /.well-known directories.
>
> In both cases to make redirect you usually need to make .htaccess file
> in that directory or to change the configuration of the web server.
I can back our statements up with real-world cases. I am a bug bounty hunter and actively go after namespace attacks. This attack vector abuses the fact that most applications with users reserve the top-level directory for usernames. Some of my findings include redirects to external pages from /<username>. In addition, none of the cases I have found required access to the web server itself.
Please refer to https://edoverflow.com/2018/logic-flaws-in-wot-services/ for a case demonstrating this attack vector in practice.
Applications that use the top-level directory for usernames can be vulnerable to namespace attacks. But I have yet to come across a compromised /.well-known/ directory: websites usually do not allow dot-prefix or directory-like usernames.
- Ed
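The tooling Ed refers to above does little more than fetch and parse the file, but a parser still has to handle the format's rules (required Contact, URI-form contacts, a single Expires). The following is an added example written for this page, not code from the thread, securitytxt.org, or any listed project; the sample file is constructed, and the field rules follow the security.txt specification as I understand it.

```python
"""Minimal security.txt parser with sanity checks (added example, not from the thread)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample file, as tooling would fetch it from /.well-known/security.txt.
SAMPLE = """# Contact details for the security team
Contact: mailto:security@example.com
Contact: https://example.com/security-contact
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/disclosure-policy
Preferred-Languages: en, es
"""

# Contact values must be URIs; these are the schemes the spec names.
CONTACT_SCHEMES = ("mailto:", "tel:", "https:")


@dataclass
class SecurityTxt:
    # Field names are case-insensitive, so they are stored lower-cased.
    fields: dict = field(default_factory=dict)
    warnings: list = field(default_factory=list)

    def get(self, name):
        return self.fields.get(name.lower(), [])


def parse_security_txt(text, now=None):
    """Parse 'Field: value' lines, skip comments, and flag spec violations."""
    doc = SecurityTxt()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if ":" not in line:
            doc.warnings.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = line.split(":", 1)
        doc.fields.setdefault(name.strip().lower(), []).append(value.strip())

    contacts = doc.get("Contact")
    if not contacts:
        doc.warnings.append("missing required Contact field")
    for contact in contacts:
        if not contact.lower().startswith(CONTACT_SCHEMES):
            doc.warnings.append(f"Contact is not a mailto:/tel:/https: URI: {contact}")

    expires = doc.get("Expires")
    if len(expires) != 1:
        doc.warnings.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= (now or datetime.now(timezone.utc)):
                doc.warnings.append("file has expired; contacts may be stale")
        except ValueError:
            doc.warnings.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
    return doc


if __name__ == "__main__":
    doc = parse_security_txt(SAMPLE)
    print("contacts:", doc.get("Contact"))
    print("warnings:", doc.warnings)
```

A scanner that indexes these files should treat the warnings as signals, not fatal errors: a file with a bare e-mail address in Contact is wrong per spec but still tells a researcher whom to reach.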
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
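Ed's namespace-attack point above is a validation problem on the application side: if /<username> is served as a top-level path, then usernames must never be allowed to collide with paths the server reserves. The check below is an added example written for this page, not code from the thread or any real application; the reserved-path list and username policy are assumptions for illustration.

```python
"""Reject usernames that would collide with reserved top-level paths (added example)."""
import re
import unicodedata
from urllib.parse import unquote

# Assumed list of paths this hypothetical application serves at the top level.
RESERVED_PATHS = {".well-known", "admin", "api", "login", "logout", "static",
                  "robots.txt", "sitemap.xml", "security.txt"}

# Assumed username policy: lower-case ASCII letters, digits, '_' and '-',
# 3 to 32 characters, starting with a letter or digit. No dots, no slashes.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{2,31}$")


def normalize(name):
    """Undo the encodings an attacker might use to sneak a dot or slash past a naive check."""
    decoded = unquote(unquote(name))            # handle double percent-encoding too
    return unicodedata.normalize("NFKC", decoded).strip().lower()


def username_is_safe(name):
    """Return (ok, reason). ok is False when the name could shadow a reserved path."""
    n = normalize(name)
    if n.startswith("."):
        return False, "dot-prefixed names collide with dot-directories such as /.well-known"
    if "/" in n or "\\" in n or n in (".", ".."):
        return False, "path separators and traversal components are not allowed"
    if n in RESERVED_PATHS:
        return False, f"'{n}' is a reserved top-level path"
    if not USERNAME_RE.fullmatch(n):
        return False, "username does not match the allowed character policy"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["alice", ".well-known", "%2Ewell-known", "api", "bob/../admin"]:
        print(f"{candidate!r}: {username_is_safe(candidate)}")
```

The dot-prefix rule is the one Ed's observation rests on: even without a reserved-path list, a site that never accepts a leading dot cannot have its /.well-known/ directory shadowed by a user profile.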