Arctic Forum
Brute Forcing Directories
Many off-the-shelf applications, such as the Apache web server, the Django framework and Express, are not secure by default: many ship with default credentials and even leave sensitive pages open to the public, including:
- Admin panels
- Server status checks
- Debug pages
These pages expose information and functionality, such as paths to sensitive files on the server and version information, that lets an attacker learn more about the system.
Attackers can enumerate directories by brute-forcing: sending requests for many candidate paths on the server and using the server's response to confirm whether a page exists (and, if so, to access it).
Depending on the application in use, an attacker can easily find sensitive information once they have access to it. Examples include:
- Comments and API keys in the source code
- Passwords (or password hashes) in requests and responses:
  - For requests, carrying sensitive information in the query string of a GET request is insecure, as these requests are usually logged for debugging; anyone with access to the logs then has that information
  - For responses, sensitive information usually appears in headers, cookies or the page source
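The two problems described above (directory brute-forcing, and credentials that end up in web server logs because they travelled in a GET query string) both leave traces in the access log, so a defender can catch them there. The following is an added example, not code from the original page: it parses a constructed Common Log Format sample, flags a client that probes many distinct paths and gets 404/403/401 answers in a short window, flags GET requests whose query string carries a credential-like parameter, and shows how such parameters can be redacted before a line is stored. The log lines, the parameter name list and the thresholds (10-second window, four distinct probes) are assumptions chosen for the demonstration.

```python
"""Spot directory enumeration and credential leakage in an access log.

Added example for this page; the log below is constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample in Common Log Format (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /admin HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /backup HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /debug HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /sysadmin/ HTTP/1.1" 200 1204
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /server-status HTTP/1.1" 403 199
198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0
198.51.100.4 - - [10/Oct/2023:13:56:30 +0000] "GET /api/items?api_key=EXAMPLEKEY HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Responses a path-guessing tool typically receives for non-existent or blocked paths.
PROBE_STATUSES = {401, 403, 404}
# Assumed list of query parameter names that should never appear in a GET URL.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "api_key", "apikey", "secret", "hash"}


def parse_log(text):
    """Turn CLF lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "target": m["target"],
            "status": int(m["status"]),
        })
    return entries


def find_enumerators(entries, window_seconds=10, min_probes=4):
    """Return {ip: set_of_probed_paths} for clients that hit at least
    `min_probes` distinct paths with probe-like statuses inside one window."""
    probes = defaultdict(list)
    for e in entries:
        if e["status"] in PROBE_STATUSES:
            probes[e["ip"]].append((e["ts"], e["target"]))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, hits in probes.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {path for _, path in hits[start:end + 1]}
            if len(distinct) >= min_probes:
                flagged.setdefault(ip, set()).update(distinct)
    return flagged


def find_credentials_in_query(entries):
    """Return (ip, target, [sensitive param names]) for GET requests whose
    query string carries a credential-like parameter."""
    findings = []
    for e in entries:
        if e["method"] != "GET":
            continue
        query = urlsplit(e["target"]).query
        names = [k for k, _ in parse_qsl(query, keep_blank_values=True)
                 if k.lower() in SENSITIVE_PARAMS]
        if names:
            findings.append((e["ip"], e["target"], names))
    return findings


def redact_target(target):
    """Replace the value of any sensitive query parameter before the line is logged."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, paths in find_enumerators(entries).items():
        print(f"possible directory brute-force from {ip}: {sorted(paths)}")
    for ip, target, names in find_credentials_in_query(entries):
        print(f"credential in GET query from {ip}: {names} -> stored as {redact_target(target)}")
```

Redaction at log-write time only limits the damage; the underlying fix is to move credentials and keys out of GET URLs (POST bodies or headers, as the page notes), because the query string is also visible in browser history, proxies and Referer headers, not just in the server's own log.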
After checking the locations above, an attacker can often use this extra information to enumerate the application further. Examples include:
- Cracking password hashes found in responses to access users' accounts
- Using leaked API keys to call functions and API endpoints without authorization
- Finding hidden URLs and system information that can be matched against public exploits
1. Check the source code of the sysadmin directory
2. The GitHub page has the admin credentials
3. Log in with the admin credentials