August 31, 2021

For a webpage that serves files directly by URL, is it safe to rely only on a long and obfuscated file name?

Junior backend developer here, just got a task to do some pen testing on our Kestrel web server, and discovered that our web server is serving user-uploaded files directly as a path in the URL, like www.foo.com/bar/6597f0f1c2da4f04aa3840e6c6633dfa20200601224101358.jpg.

That worries me a bit, as it's just available to the public; no session key or authentication is needed if the filename is known. However, the filenames are hashed and are 49 characters long, with a salted MD5 hash as prefix, suffixed by a timestamp.

I tried a simple directory traversal attack by adding ../ and such, to which our server responds with 404/403. I've also tried to see if I can just wget with a wildcard to download the files, for which our server gives 404 as well.

Yet it still leaves me concerned, even though it seems safe to the degree that a malicious user would need to brute-force the 49-character-long filename to access files uploaded by others. But is this setup really safe?
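As an added example (not part of the question or the poster's server), a small way to reason about the risk described above: split the name into its hash and timestamp parts, count how many bits an outsider actually has to guess under two assumptions about the salt, estimate blind-guessing time, and generate a replacement name from a CSPRNG. The sample name, the salt assumptions, the file count and the request rate are all constructed.

```python
import re
import secrets

# Constructed sample with the layout the question describes:
# 32 hex chars (salted MD5 prefix) + 17-digit timestamp (yyyyMMddHHmmssfff).
SAMPLE_NAME = "6597f0f1c2da4f04aa3840e6c6633dfa20200601224101358"
NAME_RE = re.compile(r"^(?P<hash>[0-9a-f]{32})(?P<ts>\d{17})$")
SECONDS_PER_YEAR = 365 * 24 * 3600


def split_name(name):
    """Return (hash_hex, timestamp) if the name matches the described layout, else None."""
    m = NAME_RE.match(name)
    return (m.group("hash"), m.group("ts")) if m else None


def effective_secret_bits(name, salt_secret):
    """Bits an outsider actually has to guess for this name.

    The timestamp is a clock value: once the upload time is roughly known it is
    predictable, so it is counted as contributing nothing. The 32 hex chars are
    worth 128 bits only while the salt stays secret; with a known salt the hash
    can be recomputed from the upload inputs, so the name is derivable (0 bits).
    """
    if split_name(name) is None:
        return None
    return 128 if salt_secret else 0


def expected_years_to_hit(secret_bits, existing_files, requests_per_second):
    """Expected years of blind guessing before any one of existing_files names is hit,
    assuming names are uniform and the server answers requests_per_second probes."""
    expected_guesses = 2 ** secret_bits / existing_files
    return expected_guesses / requests_per_second / SECONDS_PER_YEAR


def new_upload_name(extension):
    """Hardened alternative: 256 bits straight from the OS CSPRNG, nothing derivable
    from user, time or salt. Returns a 43-char URL-safe token plus the extension."""
    return secrets.token_urlsafe(32) + extension
```

The takeaway for the question: the scheme is only as strong as the secrecy of the salt, and even then the URL acts as a bearer credential, so logging, referrer leakage and sharing of the link need to be considered alongside guessing.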
