RE: Analyzing WebDAV security

Hello again, sorry for the resend but I didn't get any responses.  I
figured I'd give one more try before giving up.
 
> Hello all,
> 
> Please forgive me if my questions have been covered in other 
> threads, but I have searched the archives and not found what 
> I am looking for.  There was one reference at 
> http://lists.w3.org/Archives/Public/w3c-dist-auth/2001JanMar/0032.html
> that got somewhat close, but not close enough.  I 
> also tried posting to a penetration testing listserve with no results.
> 
> In my work, I do a lot of security assessments of web sites.  
> Many of them have WebDAV set up, and most of them are 
> moderately well secured.  However, I'm not confident that 
> security analysts are really doing a good job of assessing 
> WebDAV, and I want to make sure I'm doing all I can.
> 
> I'm not really interested in talking about SSL and 
> authentication protocols like Digest, etc. - that's pretty 
> well covered in other places - I am talking just within 
> WebDAV itself.  I'm also not interested in well known and 
> publicised flaws that have been fixed by patches.
> 
> For example, when I come across a web site with WebDAV 
> enabled for the public, I have typically been opening up a 
> session with Cadaver to see if I can get into anything I'm 
> not supposed to.  Inevitably, I can log in, 'cd' to 
> directories that I know exist on the server, and that's about 
> it.  I cannot usually even see any files, collections, or 
> create directories or write files.  I realize this is 
> probably not the best way to test, but alas I am unaware of 
> what else to do.
> 
> So, I guess my questions are:
> 
> 1)  Is there any kind of formal WebDAV security checklist, 
> software or scripts to check settings?  Most scanners (e.g. 
> Nessus) will note the existence of it, but won't do much else 
> that I am aware of.
> 
> 2)  Is there any software to enumerate or brute-force 
> directory space?  Perhaps looking for directories you aren't 
> supposed to see?
> 
> 3)  Is there any software to enumerate or brute force 
> authentication credentials easily?
> 
> 4)  What other types of things should I be doing to help my 
> clients be more secure?
> 
> Thank you in advance for your help and patience.
> 
> Mark Lachniet
> 

Received on Thursday, 9 September 2004 20:11:45 UTC