What Is a Directory Harvest Attack?
The easiest way to avoid cross-directory attacks is to choose an appropriate storage method. Avoid using DOM storage in the situation described above, because the security of DOM storage objects under cross-directory attacks cannot be guaranteed. If an application uses client-side storage and the developer does not control every directory on the server, the application is vulnerable to cross-directory attacks. Depending on the client-side storage method used, the data may be exposed to a cross-directory attack even when the application never explicitly shares it with other applications.
Cross-directory attack
- The root cause is that the developer has not properly restricted access to the stored data.
- Applications that use cookies should be isolated in a separate directory, and the developer must be able to control access to all subdirectories under that directory. The cookie's Path attribute is then used to restrict the cookie to those directories. Whether to use a Flash LSO must be judged case by case, because an LSO can only be attacked if it is shared with other Flash objects and is saved in a directory adjacent to the web root. Suppose there are two Flash objects on the same host, /Internal/Tools/IssueTracker.swf and /Internal/Tools/HR/TimeSheets/Reporter.swf, and data is shared between the two. As with domain names, developers should specify the most specific directory name possible to restrict access to shared data. In this example, the Flash object should specify the directory name /Internal/Tools/ when creating the LSO with getLocal(), because this is the most specific directory common to both Flash objects. Just as programs in different domains are consolidated into a single domain to prevent cross-domain attacks, developers can isolate Flash objects that share an LSO in their own directory. In this case, IssueTracker.swf and Reporter.swf should be moved to a separate directory such as /Internal/Tools/HR-Special/, and that directory path should be passed to Flash's getLocal() method so that the LSO is shared only between the two.
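As an added example (not part of the original entry), the following JavaScript shows the two decisions the entry describes: computing the most specific directory shared by two applications, and checking which request paths a cookie scoped with that directory as its Path would be sent to, using the path-match rule from RFC 6265. The "uncontrolled" directory and all file names are constructed for illustration; the same common-directory choice applies to the localPath argument of Flash's getLocal().

```javascript
// RFC 6265 section 5.1.4 path-match: does a cookie with `cookiePath`
// apply to a request for `requestPath`?
function cookiePathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // Prefix match counts only if the cookie path ends in "/" or the
  // next character of the request path is "/" (so "/Tools" does not
  // match "/Toolsmith/x").
  return cookiePath.endsWith("/") ||
         requestPath.charAt(cookiePath.length) === "/";
}

// Directory part of a URL path: "/a/b/c.swf" -> "/a/b/".
function directoryOf(path) {
  return path.slice(0, path.lastIndexOf("/") + 1);
}

// Most specific directory containing both paths, e.g.
// "/Internal/Tools/IssueTracker.swf" and
// "/Internal/Tools/HR/TimeSheets/Reporter.swf" -> "/Internal/Tools/".
function mostSpecificCommonDirectory(pathA, pathB) {
  const a = directoryOf(pathA).split("/").filter(Boolean);
  const b = directoryOf(pathB).split("/").filter(Boolean);
  const common = [];
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    if (a[i] !== b[i]) break;
    common.push(a[i]);
  }
  return "/" + common.join("/") + (common.length ? "/" : "");
}

// Which of `requestPaths` would the browser attach the cookie to?
function pathsThatReceiveCookie(cookiePath, requestPaths) {
  return requestPaths.filter(p => cookiePathMatches(cookiePath, p));
}

// Constructed sample: the two cooperating Flash objects from the entry
// plus a directory on the same host the developer does not control.
const APP_A = "/Internal/Tools/IssueTracker.swf";
const APP_B = "/Internal/Tools/HR/TimeSheets/Reporter.swf";
const UNCONTROLLED = "/Uploads/other-app/page.html"; // constructed
const SHARED_DIR = mostSpecificCommonDirectory(APP_A, APP_B);

// Weak setting: Path=/ sends the cookie with every request on the host.
const weak = pathsThatReceiveCookie("/", [APP_A, APP_B, UNCONTROLLED]);
// Corrected: Path scoped to the shared directory reaches only the two apps.
const scoped = pathsThatReceiveCookie(SHARED_DIR, [APP_A, APP_B, UNCONTROLLED]);
```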