Re: [secdir] Secdir last call review of draft-foudil-securitytxt-08

Edwin Foudil <contact@edoverflow.com> Sat, 28 December 2019 13:02 UTC

Date: Sat, 28 Dec 2019 14:01:52 +0100
From: Edwin Foudil <contact@edoverflow.com>
To: Tero Kivinen <kivinen@iki.fi>
Cc: Yakov Shafranovich <yakov@nightwatchcybersecurity.com>, "secdir@ietf.org" <secdir@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-foudil-securitytxt.all@ietf.org" <draft-foudil-securitytxt.all@ietf.org>
Message-ID: <02D86F64-0AC0-43DB-8EDB-0B1938713A81@getmailspring.com>
In-Reply-To: <24070.38156.658126.30539@fireball.acr.fi>
References: <24070.38156.658126.30539@fireball.acr.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LWx5CCVYukTPoSTycfzSmRiZIR4>
Subject: Re: [secdir] Secdir last call review of draft-foudil-securitytxt-08
List-Id: Security Area Directorate <secdir.ietf.org>

On Sat Dec 28, 2019 at 1:34 AM Tero Kivinen wrote:
> I am a bit concerned about the need for tooling for this file. Why do
> you think we need tooling? Is there really going to be so many
> vulnerabilities found in general that such tooling is required? My
> take would be that a security researcher would simply cut & paste the
> contact information from this file and use that, and that is the
> tooling required. Or directly click the link in the policy keyword to read
> that etc.

There is already a demand for tooling by the public; this was not necessarily something we (the authors) came up with. Some of the published tooling developed by members of the public can be found here: https://securitytxt.org/projects.
Also, as others have already pointed out in this mailing list, Shodan (https://www.shodan.io/) and disclose.io (https://disclose.io/) index contact information from security.txt files.
Since there is already tooling out there, I think it is safe to say that people do not necessarily want to extract information from a security.txt file manually.
> I can see the reason for redirects, I do not really see that big a
> difference between the root or /.well-known directories.
>
> In both cases to make redirect you usually need to make .htaccess file
> in that directory or to change the configuration of the web server.

I can back our statements up with real-world cases. I am a bug bounty hunter and actively go after namespace attacks. This attack vector abuses the fact that most applications with users reserve the top-level directory for usernames. Some of my findings include redirects to external pages from /<username>. In addition, none of the cases I have found required access to the web server itself.
Please refer to https://edoverflow.com/2018/logic-flaws-in-wot-services/ for a case demonstrating this attack vector in practice.
Applications that use the top-level directory for usernames can be vulnerable to namespace attacks. But I have yet to come across a compromised /.well-known/ directory: websites usually do not allow dot-prefixed or directory-like usernames.
- Ed
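The thread above touches two practical points for anyone writing security.txt tooling: prefer the /.well-known/ location over the site root, and treat a redirect that leaves the origin as a red flag, since a squatted /<username> path can send the fetcher to a page the site operator does not control. The following is an added example, not code from the draft, its authors, or any of the projects listed on securitytxt.org. It works offline on a constructed table of redirect hops standing in for what an HTTP client would observe; the same-origin rule and the field names it parses (Contact, Expires, Policy) are this example's assumptions, not a transcription of the draft's grammar.

```python
"""Illustrative security.txt consumer (added example; not part of the draft or thread).

Assumptions (not from the original message):
  - Redirect chains are simulated offline as a dict url -> (status, Location header).
  - A redirect that changes scheme, host or port is rejected as cross-origin.
  - /.well-known/security.txt is tried before /security.txt at the site root.
"""
from urllib.parse import urljoin, urlsplit

WELL_KNOWN_PATH = "/.well-known/security.txt"
ROOT_PATH = "/security.txt"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


def _origin(url):
    """Return (scheme, host, port) with default ports filled in, for same-origin checks."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    return _origin(url_a) == _origin(url_b)


def follow_redirects(start_url, hops, max_hops=MAX_HOPS):
    """Walk a simulated redirect chain.

    hops maps a URL to (status, location). Returns (final_url, accepted, reason).
    Any hop that leaves the origin of start_url is refused: a redirect from a
    squatted root path to an external site must not be trusted as the site's
    own security.txt.
    """
    url = start_url
    for _ in range(max_hops):
        status, location = hops.get(url, (404, None))
        if status == 200:
            return url, True, "ok"
        if status in REDIRECT_STATUSES and location:
            target = urljoin(url, location)
            if not same_origin(start_url, target):
                return target, False, "cross-origin redirect refused"
            url = target
            continue
        return url, False, f"unexpected status {status}"
    return url, False, "too many redirects"


def locate_security_txt(site, hops):
    """Try the /.well-known/ location first, then the site root.

    Returns (url, reasons): url is the accepted location or None; reasons lists
    why each candidate was rejected, so a tool can report a suspicious root path.
    """
    reasons = []
    for path in (WELL_KNOWN_PATH, ROOT_PATH):
        candidate = site.rstrip("/") + path
        final_url, accepted, reason = follow_redirects(candidate, hops)
        if accepted:
            return final_url, reasons
        reasons.append(f"{candidate}: {reason} ({final_url})")
    return None, reasons


def parse_security_txt(text):
    """Parse 'Field: value' lines into a dict of lower-cased field -> list of values.

    Comments (#) and blank lines are skipped; repeated fields such as Contact
    are collected rather than overwritten.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


# Constructed sample: the well-known path is served directly, while the root
# path is squatted by a user profile named "security.txt" that redirects off-site.
SAMPLE_HOPS = {
    "https://example.com/.well-known/security.txt": (200, None),
    "https://example.com/security.txt": (302, "https://attacker.example/security.txt"),
    "https://attacker.example/security.txt": (200, None),
}

# Constructed sample body for the parser.
SAMPLE_BODY = """# Constructed example file
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2020-12-31T23:59:59.000Z
Policy: https://example.com/disclosure-policy
"""

if __name__ == "__main__":
    url, reasons = locate_security_txt("https://example.com", SAMPLE_HOPS)
    print("accepted:", url)
    print("fields:", parse_security_txt(SAMPLE_BODY))
    squatted = follow_redirects("https://example.com/security.txt", SAMPLE_HOPS)
    print("root path:", squatted)
```

Running the module against the constructed hops accepts the /.well-known/ URL and reports the root path as a refused cross-origin redirect; a real client would substitute its observed Location headers for the hops table and should apply the same rule before trusting any Contact value it extracts.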