Web application security - the fast guide 1.1 | Page 78
Chapter 4 - Be the attacker
4.12 Map Proofing Application
After discovering how much information leaks from every part of your
application, its structure, its usage and its users, you might conclude that you
need to stop providing many services. In the end, though, it is always about finding the
right balance between security on one side and functionality and usability
on the other.
To strike this balance, administrators and application developers can benefit from a
short list of simple tips that reduce information leakage to an acceptable
level:
1- Hide your directory contents and structure:
a. If you are using IIS, minimize information leakage by limiting the
content of the Location header. When a client requests a directory without a
trailing slash (in particular over HTTP/1.0 with no Host header), IIS 4/5/6
answers with a redirect whose Location header is, by default, built from the
server's own IP address, which reveals the internal address to the client. To
prevent this, set the UseHostName property in the IIS metabase using the
adsutil.vbs script installed by default in the folder
Inetpub\adminscripts on Windows systems, then restart the web service (net.exe
lives in System32, so it is run from any directory):
cscript C:\Inetpub\adminscripts\adsutil.vbs set w3svc/UseHostName True
net stop w3svc
net start w3svc
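The check below is an added example, not code from the book: it parses a raw HTTP response, pulls the host out of the Location header and reports whether it is a private, loopback or link-local IP literal, i.e. the internal-address leak that UseHostName is meant to suppress. The two sample responses are constructed for illustration (the IP 10.0.0.5 and the host www.example.com are placeholders), and the optional probe() helper sends the HTTP/1.0 request without a Host header that most reliably triggers the IP-based redirect; the host, port and path it takes are whatever you are testing.

```python
# Added example (not from the book): does a redirect leak the server's
# internal IP address in its Location header?
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit


def location_host(raw_response: bytes) -> Optional[str]:
    """Return the host named in the Location header of a raw HTTP response.

    Returns None when there is no Location header or when it holds a
    relative URL (which names no host and therefore leaks nothing).
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return urlsplit(value.strip()).hostname
    return None


def leaks_internal_ip(raw_response: bytes) -> bool:
    """True if the Location header points at a private, loopback or
    link-local IP literal, an address the client should never learn."""
    host = location_host(raw_response)
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False   # a hostname, not an IP literal: UseHostName did its job
    return addr.is_private or addr.is_loopback or addr.is_link_local


def probe(host: str, port: int = 80, path: str = "/images") -> bytes:
    """Request a directory without a trailing slash over HTTP/1.0 and with
    no Host header, then return the raw response.  Needs network access and
    is not used by the offline checks below."""
    request = f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample responses (not captured from a real server).
LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Location: http://10.0.0.5/images/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
FIXED_RESPONSE = (
    b"HTTP/1.1 302 Object Moved\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Location: http://www.example.com/images/\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, resp in (("before fix", LEAKY_RESPONSE), ("after fix", FIXED_RESPONSE)):
        print(label, location_host(resp), "leaks internal IP:", leaks_internal_ip(resp))
```

Run it against a test server with probe() and feed the result to leaks_internal_ip(); the Server header in the samples is itself a leak of the kind this chapter discusses, but that is a separate fix. Note, added here and not from the book, that IIS 7 and later have no metabase: the equivalent setting is the alternateHostName attribute of the system.webServer/serverRuntime configuration section, which can be set with appcmd.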
If you are using Apache, you can stop directory enumeration by turning off
directory listing, which is generated by mod_autoindex (mod_dir only serves
index files and adds the trailing-slash redirect), as follows: