0

Just came across to a website that lists all hidden files. I utilized Facebooks directory called: "hashtag/" and the results showed a whole bunch of files from http://www.facebook.com/hashtag/

Here's the website that does this: https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files

So my main question here is, is there any way to protect your site from being scanned by another website showing secret files like: tokens.php, sessions.php, templates/, models/ configs/...etc???

This got me really worried now, just say we are making a website that holds important files and structures and if someone wanted to see what we're holding in that specific folder, is there any kind of way to prevent this from showing from that website or any other sites that does this operation?

I know you can do this by .htaccess, but could you show me an example for preventing scanning on multiple folders?

M50Scripts
  • 38
  • 7
  • When I try to search facebook.com/hashtag/ it does not find any files or directories? – OptimusCrime Mar 11 '16 at 20:13
  • Have you chose: get files extensions for: **.php**??? – M50Scripts Mar 11 '16 at 20:14
  • Yep, not a single file was returned. – OptimusCrime Mar 11 '16 at 20:15
  • Erm OK, I'll post a image just to prove it to you and others, just a sec – M50Scripts Mar 11 '16 at 20:16
  • @OptimusCrime Here's the links: 1) http://www.mediafire.com/view/pzpoy7ll4x90kaa/Capture_240.jpg 2) http://www.mediafire.com/view/nsg3og2l5n6nvne/Capture_234.jpg 3) http://www.mediafire.com/view/nt0ewe8ddoda8b4/Capture_235.jpg 4) http://www.mediafire.com/view/23z03ed6d6gvdve/Capture_236.jpg 5) http://www.mediafire.com/view/yabwcn52w8w2y6x/Capture_237.jpg 6) http://www.mediafire.com/view/e4zxcczbca240o7/Capture_238.jpg 7) http://www.mediafire.com/view/2nrmy7ae9z1sqtk/Capture_239.jpg – M50Scripts Mar 11 '16 at 20:27

2 Answers2

5

The main option is Indexes you can turn them off in your .htaccess with

Options -Indexes

The second option is blocking Deny

Order Deny,Allow
Deny from All

Say you have a folder called inc that holds some files that you don't want accessible via a url but you want your other PHP scripts to be able to include them you toss this rule in an .htaccess file in your inc folder.

Here is a link to a great resource on .htaccess rules https://github.com/phanan/htaccess

cmorrissey
  • 8,493
  • 2
  • 23
  • 27
  • Thank you for your time @cmorrissey :) that helped a lot, it's just scary when someone is viewing hidden structures when they're not supposed to :P – M50Scripts Mar 13 '16 at 18:33
1

One common approach is to put files that are not directly accessed below the web root, so they are inaccessible from the web.

For example, if you have your web root at var/www/html, place your source code outside html and it will be impossible to load from the internet. This, however, requires you to use some sort of loading/requiring the files in your framework, but that is pretty common these days. See PSR-4: Autoloading.

The tool you linked to does not have a "magic" way of finding files, as blocking/hiding files with Apache is absolute, see this answer for more .htaccess details. The tool simply tries a series of words, and common file names, and checks for a valid 200 response. Unless you move your files outside the web root, this would be impossible to defend against.

As you are saying, this is possible deny access to directories and files with .htaccess, and also turn off file listing, however you should note that .htaccess settings are inherited from directory to directory, which means that if you block all access at the root level, this will be applied to every single file and directory it contains.

Community
  • 1
  • 1
OptimusCrime
  • 14,662
  • 13
  • 58
  • 96