If its TRACE enabled, then you might want to check on Cross site Tracing
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
If its CONNECT enabled, then you might want to check on HTTP Connect tunneling.
You can manually find the vulnerability if you have the source or sometimes by guessing/experience. I can give you a quick look on how its done manually.
If you have the source, lets take php, you look for include "<filename>" where filename is obtained as input from the client usually as a get/post parameter. This is almost always the condition for directory traversal. You then replace filename with "../../../../etc/passwd" and check if its vulnerable to directory traversal attacks.
The guessing knowledge is usually obtained from experience like you get to know that sometimes people dynamically include stylesheets based on user input. But it is not possible to check all possible scenarios manually. Hence the tools. In order to obtain that kind of knowledge check the heuristics used by the tool for detecting directory traversal vulnerabilities.
yes sir,but i don't have the source code of the web-page,but I know what kind of "language",it is coded in ..
I also believe they have security mechanism like "url filtering" or "query filtering technologies",to restrict those things ,Also i am not just looking to get the "password",because most sites protect their server's password file by using "shadow gaurd",Also sir do you got any suggestions for learning these specific attacks "manually"?
dante is right, it is quite tedious to find directory traversing manually. You have to try many combinations, like this on a Linux/Unix machine:
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd
But it may not work (most probably it won't). You then search for /cgi-bin, /scripts, Front Page stuff, etc.
If I were you, I would use nikto and sniff all it's requests. You will have hours of pure pleasure learning about possible URI!
Looks like a good suggestion,But before using those kind of tools,i am trying to understand their working logic,because i am looking forward to improve my knowledge,Also can you tell me other than "grabbing" passwords ,what else we can do with this directory traversal?
just viewing directories?
if possible tell me sir
Sometimes, .. or perhaps .. is filtered and therefore a custom "bypass" usually has to be made though if it's exploitable, then it's relatively simple. Just a heads up that not all directory traversal vulnerabilities are like ../../../etc/passwd
yes still there should be ways to bypass "query filtering",for ex if / is filtered by the target we can bypass it by including "/" like this .
Also i am looking forward to learn directory traversals other than "../../../etc/passwd " this
any-way thanks for answering my questions
GCIH - GIAC Certified Incident Handler : Passed my GCIH
