Hacker News new | past | comments | ask | show | jobs | submit login

It's only marginally helpful: it doesn't actually prevent attackers from uploading code to your server.

Instead of having 'nc -l 8080 | bash' or whatever as your payload, an attacker can just run code instead. "pwd > /var/www/html/exfiltration.html". If they absolutely need a shell, they could e.g. alter nginx or its config files to run `bash` on POSTs to a hidden route.

This does make it a little trickier, and potentially a little easier to detect. But it certainly doesn't make it so that "they cannot download new code".




>This does make it a little trickier, and potentially a little easier to detect.

Correct, I should have said, it eliminates many easy ways to download code. Defense is depth is all about making the attackers job harder and increasing their likelihood of being detected.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: