Analyzing WebDAV security

Hello all,

Please forgive me if my questions have been covered in other threads,
but I have searched the archives and not found what I am looking for.
There was one reference at
http://lists.w3.org/Archives/Public/w3c-dist-auth/2001JanMar/0032.html
that got somewhat close, but not close enough.  I also tried posting to
a penetration testing listserv with no results.

In my work, I do a lot of security assessments of web sites.  Many of
them have WebDAV set up, and most of them are moderately well secured.
However, I'm not confident that security analysts are really doing a
good job of assessing WebDAV, and I want to make sure I'm doing all I
can.

I'm not really interested in talking about SSL and authentication
protocols like Digest, etc. - that's pretty well covered in other places
- I am talking just within WebDAV itself.  I'm also not interested in
well known and publicised flaws that have been fixed by patches.

For example, when I come across a web site with WebDAV enabled for the
public, I have typically been opening up a session with Cadaver to see
if I can get into anything I'm not supposed to.  Inevitably, I can log
in, 'cd' to directories that I know exist on the server, and that's
about it.  I cannot usually even see any files, collections, or create
directories or write files.  I realize this is probably not the best way
to test, but alas I am unaware of what else to do.

So, I guess my questions are:

1)  Is there any kind of formal WebDAV security checklist, software or
script to check settings?  Most scanners (e.g. Nessus) will note the
existence of it, but won't do much else that I am aware of.

2)  Is there any software to enumerate or brute-force directory space?
Perhaps looking for directories you aren't supposed to see?

3)  Is there any software to enumerate or brute force authentication
credentials easily?

4)  What other types of things should I be doing to help my clients be
more secure?

Thank you in advance for your help and patience.

Mark Lachniet

Received on Tuesday, 31 August 2004 15:05:59 UTC
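One setting check of the kind question 1 asks about, added here as an example and not taken from the post or from any WebDAV project: an anonymous OPTIONS request against a host you administer, reading the RFC 4918 `DAV` and `Allow` headers and flagging write-capable methods advertised without authentication. The sample header sets are constructed; `audit_url` is a hypothetical helper name.

```python
"""Audit which WebDAV methods a server advertises to an unauthenticated client.

Sends OPTIONS, reads the DAV and Allow headers (RFC 4918), and reports any
content-modifying method that is exposed without credentials. Constructed
sample responses are embedded so the parser can be exercised offline.
"""
import http.client
from urllib.parse import urlparse

# Methods that create, change or remove resources; these are the ones a
# site owner does not want reachable by an anonymous session.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY",
                 "PROPPATCH", "LOCK", "UNLOCK"}
LISTING_METHODS = {"PROPFIND"}   # read-only, but lists collections


def parse_options(headers):
    """headers: list of (name, value) pairs as HTTPResponse.getheaders() returns them."""
    dav, allow = None, set()
    for name, value in headers:
        if name.lower() == "dav":
            dav = [c.strip() for c in value.split(",")]
        elif name.lower() == "allow":
            allow |= {m.strip().upper() for m in value.split(",") if m.strip()}
    return {"dav": dav, "allow": allow,
            "write_exposed": sorted(allow & WRITE_METHODS),
            "listing_exposed": sorted(allow & LISTING_METHODS)}


def audit_url(url, path="/", timeout=10):
    """Send an anonymous OPTIONS to url (assumed to be your own host) and audit the reply."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("OPTIONS", path, headers={"Host": u.hostname})
        return parse_options(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from any real server).
SAMPLE_EXPOSED = [("DAV", "1, 2"),
                  ("Allow", "OPTIONS, GET, HEAD, PROPFIND, PUT, DELETE, MKCOL, COPY, MOVE, LOCK, UNLOCK")]
SAMPLE_HARDENED = [("DAV", "1"), ("Allow", "OPTIONS, GET, HEAD")]

if __name__ == "__main__":
    for label, hdrs in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        r = parse_options(hdrs)
        print(label, "- write methods advertised to anonymous clients:", r["write_exposed"] or "none")
```

`Allow` advertises support, not authorization: a server may list PUT yet still demand credentials when it is used, so treat a hit as a lead to confirm against the server's access-control configuration rather than as proof of exposure.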