文章讨论了".well-known"目录中的重要文件及其用途,并指出攻击者常扫描这些文件进行侦察。提醒不要随意删除必要文件,并建议设置".well-known/security.txt"以增强安全性。 2025-10-2 14:8:39 Author: isc.sans.edu(查看原文) 阅读量:10 收藏
I have been writing about the ".well-known" directory a few times before. Recently, about attackers hiding webshells [1], and before that, about the purpose of the directory and why you should set up a "/.well-known/security.txt" file. But I noticed something else when I looked at today's logs on this web server. Sometimes you do not need a honeypot. Some attackers are noisy enough to be easily visible on a busy web server. This time, the attacker hit various URLs inside the ".well-known" directory. Here is a sample from the > 100 URLs hit:
.well-known/ai-plugin.json
.well-known/apple-app-site-association
.well-known/oauth-authorization-server
.well-known/openid-configuration
.well-known/terraform.json
Before you read any further: Some of these files are required. Do not just delete them without first talking to your developers or system administrators!
terraform.json: As the name implies, it is used by Hashicorp's Terraform product. Terraform uses this file to discover API endpoints. A bit like OpenAPI/WSDL [1]
ai-plugin.json: Sites can advertise various AI plugins, particularly ChatGPT. The file describes the plugins (for humans and machines) and defines how to interact with them.
.well-known/apple-app-site-association: Developers may indicate that a specific website/domain is associated with a particular app. This allows content from the website to be used in the app, and credentials may be used across the website and app.
.well-known/oauth-authorization-server and .well-known/openid-configuration: These two are similar in content and purpose. If you use OAuth or OpenID Connect (OIDC), these URLs will help a relying party to figure out what keys to use to verify any signatures created by this service.
Given this small sample, it is pretty apparent why an attacker may scan these. They are handy for reconnaissance and finding out the relationships between sites. As mentioned above, do not blindly delete them as they may be necessary. However, the content of these files should be controlled and reviewed. While at it, ensure you have a .well-known/security.txt file.
--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
如有侵权请联系:admin#unsafe.sh