I have been writing about the “.well-known” directory a few times before. Recently, about attackers hiding webshells &#;x26;#;x5b;1&#;x26;#;x5d;, and before that, about the purpose of the directory and why you should set up a “/.well-known/security.txt” file. But I noticed something else when I looked at today&#;x26;#;39;s logs on this web server. Sometimes you do not need a honeypot. Some attackers are noisy enough to be easily visible on a busy web server. This time, the attacker hit various URLs inside the “.well-known” directory. Here is a sample from the > 100 URLs hit:
I have been writing about the “.well-known” directory a few times before. Recently, about attackers hiding webshells [1], and before that, about the purpose of the directory and why you should set up a “/.well-known/security.txt” file. But I noticed something else when I looked at today’s logs on this web server. Sometimes you do not need a honeypot. Some attackers are noisy enough to be easily visible on a busy web server. This time, the attacker hit various URLs inside the “.well-known” directory. Here is a sample from the > 100 URLs hit:
.well-known/ai-plugin.json
.well-known/apple-app-site-association
.well-known/oauth-authorization-server
.well-known/openid-configuration
.well-known/terraform.json
Before you read any further: Some of these files are required. Do not just delete them without first talking to your developers or system administrators!
terraform.json: As the name implies, it is used by Hashicorp’s Terraform product. Terraform uses this file to discover API endpoints. A bit like OpenAPI/WSDL [1]
ai-plugin.json: Sites can advertise various AI plugins, particularly ChatGPT. The file describes the plugins (for humans and machines) and defines how to interact with them.
.well-known/apple-app-site-association: Developers may indicate that a specific website/domain is associated with a particular app. This allows content from the website to be used in the app, and credentials may be used across the website and app.
.well-known/oauth-authorization-server and .well-known/openid-configuration: These two are similar in content and purpose. If you use OAuth or OpenID Connect (OIDC), these URLs will help a relying party to figure out what keys to use to verify any signatures created by this service.
Given this small sample, it is pretty apparent why an attacker may scan these. They are handy for reconnaissance and finding out the relationships between sites. As mentioned above, do not blindly delete them as they may be necessary. However, the content of these files should be controlled and reviewed. While at it, ensure you have a .well-known/security.txt file.
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Leave A Reply