A company-wide penetration test result shows customers could access and read files through a web browser.
Which of the following can be used to mitigate this vulnerability?
Correct Answer: B
A company-wide penetration test result shows customers could access and read files through a web browser.
This indicates that the web server is not configured properly to prevent unauthorized access to the file system.
One of the ways to mitigate this vulnerability is to enforce the control of file directory listings, which means disabling the option that allows the web server to display the contents of a directory when there is no index file (such as index.html or index.php) present. This way, customers cannot browse or download the files that are not intended to be served by the web server. Enforcing the chmod of files to 755 is not a sufficient solution, as it only changes the permissions of the files to allow the owner to read, write, and execute, the group to read and execute, and others to read and execute. This does not prevent the web server from listing the files or serving them to the customers. Implementing access control on the web server is a good practice, but it may not be enough to prevent customers from accessing and reading files through a web browser, as some files may be accessible to anyone by default. Implementing Secure Sockets Layer (SSL) certificates throughout the web server is also a good practice, but it does not address the issue of unauthorized access to the file system, as it only encrypts the communication between the web server and the web browser. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 4: Communication and Network Security, page 163. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Network and Internet Security, page 287.