security consulting

QuietMove

QuietMove Executive Adam Muntner speaking at Phoenix OWASP

Adam Muntner is speaking at the inaugural Phoenix OWASP chapter meeting.

Adam will share his experiences about how organizations can integrate application security into all phases of the Software Development Life Cycle, from the creation of functional specifications all the way through deployment, maintenance, and updates. He will explain how to “bake security in” rather than “ice it on.”

This Phoenix OWASP chapter is dedicated to bringing together local businesses, students, and web and security enthusiasts in order to discuss current events, trends, tools, and offensive/defensive techniques related to web application security.

Where: UAT - University of Advancing Technology Auditorium
2625 West Baseline Road
Tempe, Arizona
85283-1056

When: 6:30PM, Thursday, Nov 9th
More information is available at http://www.owasp.org/index.php/Phoenix

About OWASP

The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. Everything here is free and open source. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work. Participation in OWASP is free and open to all.

QuietMove Executive Adam Muntner speaking at Phoenix ISSA Training Event

Event Theme: Risk Assessment
Date: Tuesday, February 6, 2007
Time: 11:30 a.m. - 5:00 p.m.

http://phoenix.issa.org/

Details coming soon…

Google Sitemap Directory and File Enumeration 0day

Not a bad way to inaugurate the blog. OK, so this is post #2 and not truly an inauguration, but it is a brand spanking new way of doing web server directory enumeration that hasn’t been mentioned anywhere else.

While playing with the Google Webmaster tools, I came across the “Sitemap” XML protocol which is used to inform search engines about pages on your website that are available for crawling.

The protocol spec is at https://www.google.com/webmasters/sitemaps/docs/en/protocol.html

Think of this as the anti-robots.txt - instead of URLs with Disallow: tags, you have URLs for which the web administrator is saying “Index me.”

Sitemap makes anti-forensics Google hacking more productive. It’s only a matter of time before tools like Wikto use it the same way that they use robots.txt to locate files.

There are two interesting security-related issues with Sitemap, one significantly more interesting than the other.

First, you can find pages with it that aren’t indexed by Google. The Sitemap protocol spec says “Using this protocol does not guarantee that your webpages will be included in search indexes. (Note that using this protocol will not influence the way your pages are ranked by Google.)” This is definitely the lesser of the interesting points.

Far more interesting - you can find pages in the sitemap.xml which would not be indexed if it weren’t for the Sitemap protocol.

You can find some interesting stuff by querying for Sitemap pages…

“.htaccess” inurl:sitemap filetype:xml
“global.asa” inurl:sitemap filetype:xml

Whew.

There are a LOT of automagic-generation Sitemap scripts out there which create Sitemap.xml files not by spidering a site, as they should… but by reading the contents of directories inside the web root from the local filesystem and creating the Sitemap.xml file from that.

Ouch.

I don’t blame Google - I think the Sitemap protocol is a good idea. It helps their search engine find pages which otherwise might not get indexed. Unfortunately, due to a plethora of rotten Sitemap.xml generation scripts, this is a directory enumeration issue that is going to be with us for a long, long time to come.

In plain English, a bunch of lousy webscripts which aim to make webmasters’ lives easier by making web sites’ content more indexable by search engines end up making web servers more vulnerable by identifying sensitive files and paths.

-Adam

UPDATE

It’s worth mentioning that Google Sitemap had some security problems in the past…

David Naylor breaks the vulnerability down…

http://www.davidnaylor.co.uk/archives/2005/11/18/google-sitemaps/
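
A defender-side check for the Sitemap.xml generator problem described above, as an added example that is not from the original post: it parses a site's own sitemap and flags entries that a filesystem-walking generator would leak. The `.htaccess` and `global.asa` patterns come from the queries in the post; the other patterns, the name `audit_sitemap` and the sample sitemap are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# .htaccess and global.asa come from the post; every other pattern is an
# assumption about files that should never be advertised to crawlers.
SENSITIVE = [
    ("server config", re.compile(
        r"(^|/)(\.htaccess|\.htpasswd|global\.asa|web\.config)$", re.I)),
    ("hidden dotfile or directory", re.compile(
        r"(^|/)\.(?!well-known(/|$))[^/.][^/]*(/|$)")),
    ("backup or dump", re.compile(r"\.(bak|old|orig|sql|tar|tgz|zip)$|~$", re.I)),
    ("include, config or log file", re.compile(r"\.(inc|cfg|ini|log)$", re.I)),
]

def audit_sitemap(xml_bytes):
    """Return [(url, reason)] for each <loc> whose path looks sensitive."""
    findings = []
    for el in ET.fromstring(xml_bytes).iter():
        # Compare the local tag name only, so the Google 0.84 and the
        # sitemaps.org 0.9 namespaces are both handled.
        if el.tag.rsplit("}", 1)[-1] != "loc" or not el.text:
            continue
        url = el.text.strip()
        # Decode percent-escapes first: "db%2Einc" is served as "db.inc".
        path = unquote(urlsplit(url).path)
        for reason, pattern in SENSITIVE:
            if pattern.search(path):
                findings.append((url, reason))
                break  # first matching reason is enough
    return findings

# Constructed sample: what a generator that lists the web root might emit.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.google.com/schemas/sitemap/0.84">
  <url><loc>http://www.example.com/</loc></url>
  <url><loc>http://www.example.com/products/index.html</loc></url>
  <url><loc>http://www.example.com/.htaccess</loc></url>
  <url><loc>http://www.example.com/global.asa</loc></url>
  <url><loc>http://www.example.com/admin/db_backup.sql</loc></url>
  <url><loc>http://www.example.com/includes/db%2Einc</loc></url>
  <url><loc>http://www.example.com/.well-known/security.txt</loc></url>
</urlset>"""

if __name__ == "__main__":
    for url, reason in audit_sitemap(SAMPLE):
        print(f"{reason:28} {url}")
```

Running this in the job that regenerates the sitemap lets the build fail before a leaked path is published.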

