Tobias G.

Reputation: 118

How can I effectively prevent directory brute forcing?

I have a script where the main components are stored in subfolders. All components are only accessible from the index.php, which acts as controller. When thinking about ways to hide the component folders from public access/visibility, I got 2 options in mind:

  1. Use .htaccess in every directory to deliver a 403 Forbidden error.
  2. Place an index.php in every folder with the following php script and a "fake" 404 HTML message.

    header('HTTP/1.0 404 Not Found');

I tried both options and made a scan with OWASP ZAP. For the first option it was possible to get the whole structure of the script because for every system folder a 403 was delivered. With the second option OWASP was not able to give me a listing of the script folders because the 404 told it that there is no folder.

Now I don't know which of these methods is the best: .htaccess blocks all access, but with the fake 404 you can't even see that there is a directory.

Is there a workaround to have the security of .htaccess and the nice obfuscation of a delivered 404?

Edit: Sorry, I forgot to mention that due to server restrictions it is not possible for me to move the components outside of the accessible script path!

Upvotes: 1

Views: 1173

Answers (2)

nalply

Reputation: 28767

PHP can include files outside the document root.

Usually I have this setup:

/www/application            - this is the web application root
/www/application/includes   - here you find the components
/www/application/root       - here you place index.php

This way you don't need to forbid files you don't want to be accessed.

Upvotes: 2

Michael Irigoyen

Reputation: 22947

There are two trains of thought in regards to this. First, as stated by @nalply, is to simply move the scripts out of the document root. PHP allows you to include files as far down as the server root, so they simply do not need to be with your actual public content. In my opinion, this is the best way.

The second way would be to use an .htaccess directive. For example, on a specific site I run, I am technically unable to implement the first option. So, I place an .htaccess file in any directories that are not meant to be hit by the public that contains the following code:

deny from all

This disallows a browser from hitting any files in the directory, but you can still include these files via PHP. This would be the second best way.

I would highly advise against using an index.php file that sends HTTP error headers, or displays a message. Other files in that directory are still technically accessible using just this method. If someone knew the path of one of these files, they would be able to access them.

TL;DR Place files in a non-public directory of the document root or use an .htaccess file in each directory. Do not use index.php files to block directory access.

Upvotes: 0
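Putting the two answers together for the asker's situation (components must stay under the document root), here is an added .htaccess example; it is not code from either answerer. It assumes Apache 2.4 with mod_authz_core and mod_alias loaded, and an AllowOverride setting that permits these directives in the component directory.

```apache
# .htaccess dropped into each component directory (the ones that should
# never be fetched over HTTP). PHP include()/require() read the files
# through the filesystem, so blocking HTTP requests does not break the
# controller in index.php.

# Never show a directory listing, whatever else is configured.
Options -Indexes

# --- Option A: hard deny, answers 403 Forbidden ---
# Apache 2.4 replacement for the 2.2-era "deny from all" shown above.
# Covers every file in the directory, not just a request for "/".
Require all denied

# --- Option B: hard deny, but answers 404 Not Found ---
# Sending a 404 status with RedirectMatch refuses the request just as
# thoroughly (no file content is served) while a scanner cannot tell the
# directory apart from one that does not exist. The regex is scoped by
# where this .htaccess lives, so ".*" only matches this directory tree.
#
# Use A or B, not both: the access check (Require) runs earlier in the
# request cycle than mod_alias, so with both present the 403 wins.
RedirectMatch 404 .*
```

Either option also closes the gap Michael Irigoyen points out: an index.php that fakes a 404 only covers the directory URL itself, whereas these directives apply to every file beneath it.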
