On Sun, 11 Nov 2007 20:02:23 GMT, ed wrote:
> On Sun, 11 Nov 2007 13:29:44 -0600
> Erik Funkenbusch <erik@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> Yes, I have shown the server is not IIS, because it cannot be IIS.
>
> Because of a file extension? If one is going to obfuscate through
> headers, then why not with file extensions?
That's a circular argument. The argument was that nobody would bother to
obfuscate their server header, so why would they obfuscate their file
extension if they weren't going to obfuscate their server header?
Obfuscating the file extension is even further evidence that the server
header can't be trusted.
> BTW. It's pretty easy to remove ASP session cookies.
Just a data point.