Arctic Forum

Brute Forcing Directories

Many off-the-shelf applications such as the Apache web server, the Django framework and Express are not secure by default; many ship with default credentials and even leave sensitive pages open to the public, including:

  • Admin panels

  • Server status checks

  • Debug pages

These pages expose information and functionality, such as paths to sensitive files on the server and version information, that lets an attacker learn more about the system.

Attackers can enumerate directories by brute-forcing. This involves sending requests for different pages on the server and using the server's response to confirm whether a page exists (and often to access it directly).
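From the defender's side, this behaviour is visible in the web server's access log: one client requesting many distinct paths that answer 403 or 404, with the occasional 200 marking a page the scan actually found. The script below is an added example (not part of the original post) that parses constructed Apache-style combined-log lines and flags such clients; the log format, regex, threshold and sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line; we only need the client IP,
# request line and status code. (Regex and sample lines are constructed.)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log: one client probing many paths (mostly 404s),
# plus a normal visitor with a single stray 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /debug HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /server-status HTTP/1.1" 403 199
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /sysadmin/ HTTP/1.1" 200 2145
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/HEAD HTTP/1.1" 404 153
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 612
198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "GET /favicon.ico HTTP/1.1" 404 153
"""

def parse(log_text):
    """Yield (ip, path, status) for each well-formed line; skip unparsable ones."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"])

def find_enumerators(log_text, min_missing=5):
    """Return {ip: {"missing": n, "hits": [paths]}} for clients whose requests
    produced at least `min_missing` distinct 403/404 paths. `hits` lists the
    paths that DID answer 2xx for the same client: the pages the scan found,
    which is what an incident responder wants to review first."""
    missing = defaultdict(set)
    hits = defaultdict(list)
    for ip, path, status in parse(log_text):
        if status in (403, 404):
            missing[ip].add(path)
        elif 200 <= status < 300:
            hits[ip].append(path)
    return {ip: {"missing": len(paths), "hits": hits[ip]}
            for ip, paths in missing.items() if len(paths) >= min_missing}

if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info['missing']} probes missed; pages found: {info['hits']}")
```

The threshold is deliberately simple; in production you would count per time window and whitelist known crawlers, but the "many misses, few hits from one source" shape is the signal.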

Depending on the application used, an attacker can easily find sensitive information when accessing the application. Examples include:

  • Comments and API keys in the source code

  • Passwords (or password hashes) in requests and responses:

    • For requests, carrying sensitive information in GET parameters is insecure because these requests are usually logged for debugging, so anyone with access to the logs can read it

    • For responses, sensitive information is usually found in headers, cookies or the page source

After checking the locations above, an attacker can usually use this extra information to enumerate the application further. Examples include:

  • Cracking password hashes found in responses to access users' accounts

  • Using API keys to call functions and API endpoints without authorization

  • Finding hidden URLs and system information that lead to public exploits

Checking the source code of the sysadmin directory

The GitHub page has the admin credentials

Login with admin credentials
