
Why is directory browsing important?


cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Thu Sep 20, 2012 4:40 pm

Why is directory browsing important?

Hi guys.
In all of the pentest learning videos I watch, they always say to check the web server for directory browsing addresses; you can find them via nikto or the robots.txt file.
I've found some directory browsing addresses on my friend's site during the pentest. Now what? What can I do with it? Do I just report it, or are there some methods to penetrate with directory browsing?

Overall, why is directory browsing important?
ICS Academy Network Security Certified

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Sep 20, 2012 4:50 pm

Re: Why is directory browsing important?

You simply don't want to readily disclose directory contents. There may be files like db.conf.php.old001 or tax_return2011.pdf lying around somewhere. Granted, such files shouldn't be on a web server in the first place, but if someone forgets about them or makes a mistake, you don't want them openly displayed for the entire world to see.
The day you stop learning is the day you start becoming obsolete.
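The check dynamik is describing, written out as an added example (not code from the thread): a small Python script that tells a server-generated index page apart from a normal page, pulls the listed names out of it, and flags the ones that look like leftovers such as the db.conf.php.old001 and tax_return2011.pdf he mentions. The listing signatures are the standard Apache mod_autoindex, nginx autoindex and IIS formats; the "sensitive name" pattern and the two sample pages are my own constructed assumptions, not anything observed on a real host.

```python
import re
import urllib.request
from html.parser import HTMLParser

# Signatures of auto-generated index pages from Apache mod_autoindex, nginx
# autoindex and IIS directory browsing.  A heuristic, not an exhaustive list.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s+/", re.I),             # Apache and nginx
    re.compile(r"<h1>\s*Index of\s+/", re.I),
    re.compile(r"<title>[^<]* - /[^<]*/\s*</title>", re.I),  # IIS: "<title>host - /dir/</title>"
    re.compile(r"\[To Parent Directory\]", re.I),             # IIS parent link text
)

# Names that usually mean something was left behind: backups, editor copies,
# dumps, config, keys, documents.  Assumed list; extend it for your target.
SENSITIVE = re.compile(
    r"(\.(bak|old\d*|orig|swp|save|tmp|sql|tar|gz|tgz|zip|7z|rar|log|ini|conf|cfg|env|"
    r"pem|key|p12|pfx|pdf|xls|xlsx|doc|docx|csv)$|~$|^\.(git|svn|hg|env|htpasswd)|"
    r"passw|backup|dump|config)",
    re.I,
)


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html):
    """True if the body looks like a server-generated directory index."""
    return any(m.search(html) for m in LISTING_MARKERS)


def listed_entries(html):
    """Relative file/subdirectory names from a listing, minus sort, parent and absolute links."""
    parser = _LinkCollector()
    parser.feed(html)
    skip = ("?", "#", "/", "http://", "https://", "mailto:", "..")
    return [h for h in parser.hrefs if not h.startswith(skip)]


def assess_listing(html):
    """Return (is_listing, entries, flagged) for one fetched page body."""
    if not is_directory_listing(html):
        return False, [], []
    entries = listed_entries(html)
    flagged = [e for e in entries if SENSITIVE.search(e.rstrip("/"))]
    return True, entries, flagged


def check_url(url, timeout=10):
    """Fetch a URL (only against hosts you are authorised to test) and assess it."""
    req = urllib.request.Request(url, headers={"User-Agent": "listing-check/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return assess_listing(body)


# Constructed sample pages for offline runs (Apache-style, nginx-style, and a normal page).
SAMPLE_APACHE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /includes</title></head>
<body><h1>Index of /includes</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="db.conf.php">db.conf.php</a></td></tr>
<tr><td><a href="db.conf.php.old001">db.conf.php.old001</a></td></tr>
<tr><td><a href="tax_return2011.pdf">tax_return2011.pdf</a></td></tr>
<tr><td><a href="images/">images/</a></td></tr>
</table></body></html>"""

SAMPLE_NGINX = """<html><head><title>Index of /backup/</title></head>
<body><h1>Index of /backup/</h1><hr><pre><a href="../">../</a>
<a href="site.sql.gz">site.sql.gz</a>          20-Sep-2012 16:40   812K
<a href="wp-config.php~">wp-config.php~</a>    20-Sep-2012 16:41     3K
</pre><hr></body></html>"""

SAMPLE_NORMAL = '<html><head><title>Welcome</title></head><body><a href="about.html">About</a></body></html>'

if __name__ == "__main__":
    for name, page in (("apache", SAMPLE_APACHE), ("nginx", SAMPLE_NGINX), ("normal", SAMPLE_NORMAL)):
        print(name, assess_listing(page))
```

Note that db.conf.php itself is not flagged: requesting it runs the PHP rather than showing its source, so the listing only tells you it exists. The .old001 copy is flagged because the server has no handler for that extension and will hand over the raw file.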

cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Thu Sep 20, 2012 5:05 pm

Re: Why is directory browsing important?

ajohnson wrote:You simply don't want to readily disclose directory contents. There may be files like db.conf.php.old001 or tax_return2011.pdf lying around somewhere. Granted, such files shouldn't be on a web server in the first place, but if someone forgets about them or makes a mistake, you don't want them openly displayed for the entire world to see.


OK man, so you mean I must report them so they turn the directory service off? Nothing more?
ICS Academy Network Security Certified

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Sep 20, 2012 5:11 pm

Re: Why is directory browsing important?

Correct. You could add a warning about making sure only necessary files are present, etc., and add some extra value, but the core solution is indeed just disabling directory browsing.
The day you stop learning is the day you start becoming obsolete.
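The fix dynamik refers to, shown as an added configuration example rather than anything from the thread. On Apache, directory listings come from mod_autoindex and are controlled by the Indexes option; the directory path below is a placeholder.

```apache
# Apache: in httpd.conf or the <VirtualHost>.  The same Options line also works
# in a .htaccess file, provided AllowOverride Options (or All) is in effect there.
<Directory "/var/www/html">
    Options -Indexes
</Directory>
```

For nginx, listings are off unless someone added `autoindex on;` to a location block, so the fix is to remove that line. For IIS, set `<directoryBrowse enabled="false" />` under `<system.webServer>` in web.config. To verify, request a directory that has no index file: Apache now answers 403 instead of rendering the listing. Remember that this only hides the listing; a file whose name an attacker can guess is still served, which is why the clean-up advice about removing unnecessary files belongs in the same report.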

tturner


Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Sep 20, 2012 5:41 pm

Re: Why is directory browsing important?

Also, it doesn't stop at the directory you are currently viewing. Just because the current directory doesn't display anything interesting doesn't mean that $path/../../../../../etc/passwd isn't viewable (you have to play with the paths here; it can sometimes be loaded via script paths, templates, cookies, hidden form fields, etc.). Check out https://www.owasp.org/index.php/Testing ... _Traversal for more info.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
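The traversal tturner describes, as an added Python example that is not part of his post: a template loader that glues a user-supplied name onto its directory (the bug), next to a hardened version that resolves the path and refuses anything that lands outside the base directory. The directory layout, file names and the `?template=` parameter are constructed for the demonstration; the point generalises to any place the path arrives from (cookie, hidden field, script path).

```python
import os
import tempfile
from pathlib import Path


def vulnerable_read(base, user_path):
    """The bug: the user-controlled piece is glued onto the base directory, so
    '../' sequences walk out of it.  os.path.join makes it worse: an absolute
    user_path replaces base entirely."""
    with open(os.path.join(base, user_path), "rb") as fh:
        return fh.read()


def safe_path(base, user_path):
    """Resolve the request (symlinks and '..' included) and require the result
    to stay under base; None when it escapes.  Expects the URL-decoded value:
    decode first, or an encoded '..%2f' slips past this check."""
    base_real = Path(base).resolve()
    candidate = (base_real / user_path.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base_real)
    except ValueError:
        return None
    return candidate


def safe_read(base, user_path):
    """Hardened replacement for vulnerable_read."""
    target = safe_path(base, user_path)
    if target is None or not target.is_file():
        raise PermissionError("refusing %r: outside the base directory or not a file" % user_path)
    return target.read_bytes()


def demo():
    """Constructed layout: <tmp>/www/html/templates is what the app reads from,
    <tmp>/secret.conf sits three levels above it.  Returns what the vulnerable
    loader leaks, whether the hardened one blocked it, and a legitimate read."""
    with tempfile.TemporaryDirectory() as tmp:
        templates = Path(tmp) / "www" / "html" / "templates"
        templates.mkdir(parents=True)
        (templates / "page.tpl").write_bytes(b"<h1>hello</h1>")
        (Path(tmp) / "secret.conf").write_bytes(b"db_password=hunter2")

        traversal = "../../../secret.conf"  # e.g. ?template=../../../secret.conf
        leaked = vulnerable_read(str(templates), traversal)
        try:
            safe_read(str(templates), traversal)
            blocked = False
        except PermissionError:
            blocked = True
        legit = safe_read(str(templates), "page.tpl")
        return leaked, blocked, legit


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable loader returned:", leaked)
    print("hardened loader blocked traversal:", blocked)
    print("hardened loader still serves page.tpl:", legit)
```

The check is deliberately done on the resolved path rather than by stripping "../" from the string: filters that remove dot-dot sequences are bypassed with variants such as "....//", while comparing the canonical result against the canonical base is not.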

superkojiman


Jr. Member

Posts: 81

Joined: Thu Sep 20, 2012 9:42 pm

Post Thu Sep 20, 2012 10:49 pm

Re: Why is directory browsing important?

Cyber.spirit wrote:I've found some directory browsing addresses on my friend's site during the pentest. Now what? What can I do with it?


Depends. Sometimes nothing. Other times, you might find something that reveals more about the site, such as services, or users on the server, configuration files, etc.
OSCP + OSCE

m0wgli


Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Fri Sep 21, 2012 2:08 am

Re: Why is directory browsing important?

You can also try and find hidden directories and content through brute force using tools such as dirbuster for example:

https://www.owasp.org/index.php/Categor ... er_Project
Security + | OSWP | eCPPT (Silver & Gold) | CSTA

cyber.spirit


Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Fri Sep 21, 2012 2:48 am

Re: Why is directory browsing important?

m0wgli wrote:You can also try and find hidden directories and content through brute force using tools such as dirbuster for example:

https://www.owasp.org/index.php/Categor ... er_Project

Wow man, thank you, what a great source; I didn't know about that. I'll try to find some sensitive data. Thanks again.
ICS Academy Network Security Certified

rance


Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Fri Sep 21, 2012 11:31 am

Re: Why is directory browsing important?

To pile on top of what everyone else said, if you find old app files, like login.php.bak, guess what: you can download that file and get the raw PHP code, which may contain SQL connection credentials, or code-level notes like:

/* if a user puts in special characters, they can access resources they shouldn't. will fix soon */

All sorts of goodies... This could give you all sorts of juicy tidbits of info for further attacks.
Poking at security since 1986.  +++ATH
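An added example, not code from any of the posters, that ties together three points made in this thread: cyber.spirit's robots.txt as a source of paths, m0wgli's wordlist brute force in the style of DirBuster, and rance's login.php.bak. Each name is requested as a directory and as a file, and file-looking names are also requested with the backup and editor suffixes people leave behind. A random path is fetched first so that a site answering every miss with HTTP 200 (a "soft 404") does not flood the results. The wordlist, suffix list, host name and the in-memory fake site are all constructed assumptions; swap in `http_fetch` and a real wordlist for a live run.

```python
import random
import string
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumed mini wordlist; in practice use DirBuster's or a similar published list.
WORDLIST = ["admin", "login.php", "includes", "uploads"]
# Suffixes that editors, deploy scripts and people leave next to live files.
BACKUP_SUFFIXES = [".bak", ".old", ".orig", ".save", ".swp", "~", ".txt", ".zip"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx as results instead of following them: 'admin' -> 301 -> 'admin/' is a finding."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def http_fetch(url, timeout=10):
    """Live fetch returning (status, body).  Only against hosts you are authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-check/0.1"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, err.read()


def robots_paths(robots_txt):
    """Disallow/Allow entries name paths the owner cares about: good seeds."""
    seeds = []
    for line in robots_txt.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")
        value = value.strip().replace("*", "")
        if key.strip().lower() in ("disallow", "allow") and value not in ("", "/"):
            seeds.append(value)
    return seeds


def candidates(words, seeds=(), extensions=(".php", ".txt")):
    """Each name as directory and file; file-looking names also as backup copies."""
    seen = {}
    for raw in list(seeds) + list(words):
        name = raw.strip("/")
        if not name:
            continue
        variants = [name, name + "/"]
        if "." in name:
            variants += [name + s for s in BACKUP_SUFFIXES]
        else:
            variants += [name + e for e in extensions]
        for v in variants:
            seen.setdefault(v)
    return list(seen)


def brute_force(base_url, words, fetch=http_fetch, seeds=()):
    """Request every candidate and keep anything that is not a miss.  The random
    path fetched first gives the (status, length) signature of a miss, which
    handles servers that answer unknown paths with 200 and a friendly page."""
    miss = fetch(urljoin(base_url, "".join(random.choices(string.ascii_lowercase, k=12))))
    miss_sig = (miss[0], len(miss[1]))
    found = []
    for path in candidates(words, seeds):
        status, body = fetch(urljoin(base_url, path))
        if status == 404 or (status, len(body)) == miss_sig:
            continue
        found.append((path, status))
    return found


FAKE_SITE = {  # constructed target for offline runs
    "/": (200, b"<html>home</html>"),
    "/robots.txt": (200, b"User-agent: *\nDisallow: /old-site/\nDisallow: /cgi-bin/\n"),
    "/old-site/": (200, b"<title>Index of /old-site/</title>"),
    "/admin": (301, b""),
    "/admin/": (200, b"<title>Index of /admin/</title>"),
    "/login.php": (200, b"<form method=post>"),
    "/login.php.bak": (200, b"<?php $db_pass = 's3cret'; /* TODO: escape user input */"),
    "/includes/": (403, b"Forbidden"),
}


def fake_fetch(url):
    return FAKE_SITE.get(urlparse(url).path, (404, b"Not Found"))


def fake_fetch_soft404(url):
    """Same site, but every miss is a 200 with a friendly page: the soft-404 case."""
    return FAKE_SITE.get(urlparse(url).path, (200, b"<html><body>Sorry, nothing here.</body></html>"))


def run_demo(fetch=fake_fetch, base_url="http://example.test/"):
    status, body = fetch(urljoin(base_url, "robots.txt"))
    seeds = robots_paths(body.decode("utf-8", "replace")) if status == 200 else []
    return brute_force(base_url, WORDLIST, fetch=fetch, seeds=seeds)


if __name__ == "__main__":
    for path, status in run_demo():
        print(status, path)
```

A 403 on includes/ is still worth recording: the directory exists and listing is denied, but the files inside remain reachable by name, which is exactly where a wordlist of backup suffixes pays off.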
